Il virus WannaCry è sopravvissuto e ha aumentato l’attività, ma ha avuto paura della “vaccinazione”

Sophos ha scoperto decine di migliaia di varianti del ransomware WannaCry, which caused a massive epidemic in 2017. WannaCry è sopravvissuto e ha aumentato l'attività: two years later, the ransomware attacks continue and the number of vulnerable computers remains stably high.

The infamous WannaCry cryptographer that caused the global epidemic in May 2017, has not gone anywhere and is still attacking a huge number of machines around the world.

Moreover, according to Sophos experts, it is active more than ever.

In fact, it is about the number of successful infections, but about millions of attempts. The problem is that WannaCry has a huge number of variations, and there are more and more of them. To date, there are already 12.5 thousand variants of the original code. About 98% of recent detections occur in 2.7 thousand samples, which lack the very deactivation function, which made it possible to stop the epidemic in the spring of 2017.

WannaCry è sopravvissuto e ha aumentato l'attività
Meanwhile, only in August 2019, Sophos defensive telemetry revealed 4.3 million WannaCry samples In 6963 variants. 5555 of them, that consists 80%, were not previously detected. In other words, the active development of new variants of the ransomware continues.

“A few people actually paid the ransom even though there’s no point in doing so. The crooks behind the relevant Bitcoin addresses aren’t monitoring payments or providing decryption tools”, — reports Sophos experts Peter Mackenzie.

Sophos experts, Tuttavia, found that WannaCry has a feature that allows it to defend against it: some variants of the virus check the attacked system to see if it has been infected by WannaCry before and ignore it if they find signs of infection.

Così, the computer can literally be “vaccinated” with the help of a neutralized version of WannaCry: active malware will ignore it. Tuttavia, it is not known how much such protection will last.

“If patches are not installed on time, it is not always a private problem of the owner of vulnerable systems. When it comes to vulnerabilities that can be exploited by worms such as WannaCry, each device that is not updated in time becomes a source of threat to others, " – warn Sophos experts.

The key problem remains the abundance of computers in which the vulnerability used by WannaCry has not been fixed. It is worth recalling that the 2017 epidemic became possible because the ransomware used two exploits that leaked shortly before the events. These exploits were developed, according to the most common version, by the US National Security Agency: Eternal Blue E DoublePulsar. EternalBlueto gain access to the system, DoublePulsarto install and run a copy.

Leggi anche: I ricercatori hanno scoperto 125 vulnerabilità dentro 13 modelli di router e NAS

The EternalBlue exploit uses a weak spot in the implementation of the SMB protocol in versions of Windows OS (finestre 7, WindowsServer 2008 and earlier) – vulnerability CVE-2017-0145, fixed by Microsoft two months before the WannaCry epidemic.

Circa l'autore

Valdis Kok

Ingegnere della sicurezza, reverse engineering e memory forensics

Lascia un commento