WannaCry Jr. : The Little Ransom That Couldn't

Screen Shot 2017-07-06 at 06.03.53.png

Earlier today, we caught a new in-the-wild version of what seemed to be WannaCry. A check with VirusTotal showed that this sample hasn't been seen before. After a brief investigation, we can conclude that this is WannaCry with slight variations. Notably, malware writers removed the kill switch from the original version. The fact that EternalBlue is effective almost two months after WannaCry outbreak and four months after a patch was released shows how hard it is for organizations to have an effective patching policy. Once again, we see the unholy trinity of vulnerabilities, patch times and malware plaguing systems globally.

Analysis

When comparing the new executable to the notorious WannaCry from this spring we can see that it is the same exact binary with two key changes.

This first change disables the kill switch (discovered by MalwareTech) that saved a plethora of computers from being infected.

The screenshot below shows how the ransomware still checks the aforementioned kill switch, however it has been patched to continue regardless of the result.

KillSwitchNeutralized_2.png

It will then go on to propagate just like the old WannaCry.

The second difference is that the resource section has been changed. The original WannaCry extracts an executable from its resource section, which in turn extracts a ZIP file from its own resource section. This ZIP file contains an encrypted DLL which encrypts the victim's computer.

In this new version of WannaCry the ZIP file is corrupt because the resource section has been partially overwritten with zeros and other random garbage.

Screen Shot 2017-07-06 at 06.12.16.png

What does this mean?

This version of WannaCry simply duplicates itself to any possible victim using EternalBlue just like the original. The only difference is that because the ZIP file is corrupt, the DLL that is in charge of encrypting the victim's PC cannot be extracted, which means no encryption takes place. The exact purpose of this attack is unclear, however it is clear that EternalBlue exploit is still very effective and that ransomware like Not-Petya and WannaCry are still a significant threat.

Learn more about enSilo’s complete endpoint security solution.

Sign Up for a Demo Today

Related Blog Posts