No, It's not over yet, WannaCry 2.0 is on hunt!
This article puts together more information about this massive ransomware campaign and explains how the researcher known as MalwareTech accidentally halted the global spread of WannaCry by registering a domain name hidden in the malware. Registering that domain does not, however, repair computers that are already infected.
That domain was responsible for keeping WannaCry propagating and spreading like a worm, so MalwareTech registered the domain in question and created a sinkhole, a tactic researchers use to redirect traffic from infected machines to a system they control.
If you think that activating the kill switch has completely stopped the infection, you are mistaken: as soon as the attackers realized what had happened, they came back.
The kill-switch feature was in the SMB worm, not in the ransomware module itself.
"WannaCrypt ransomware was spread normally long before this and will be long after, what we stopped was the SMB worm variant," MalwareTech told The Hacker News.
Costin Raiu, the director of the global research and analysis team at Kaspersky Lab, has confirmed that they saw samples on Friday that did not have the kill switch.
"I can confirm we've had versions without the kill switch domain connect since yesterday," Raiu told The Hacker News via messages.
MalwareTech also confirmed to us that some "Mirai botnet skids tried to DDoS the [sinkhole] server for lulz," to make it unreachable for WannaCry: the malware attempts to connect to the domain, and the infection routine is triggered if that connection fails. So far, though, the DDoS attack has "failed hardcore."
So expect a new wave of ransomware attacks with an updated WannaCry variant, one that will be difficult to stop until all vulnerable systems are patched.
"The next attacks are inevitable, you can simply patch the existing samples with a hex editor and it'll continue to spread. We will see a number of variants of this attack over the coming weeks and months so it's important to patch hosts," Matthew Hickey, a security expert and co-founder of Hacker House, told The Hacker News.
Instead of depending on mass email spamming like an ordinary malware campaign, the WannaCry attack leverages an SMB exploit to remotely hijack vulnerable computers simply by scanning every IP address on the Internet.
Even after WannaCry made headlines all over the Internet and in the media, there are still hundreds of thousands of unpatched systems exposed to the Internet.
"The worm can be modified to spread other payloads, not just WCry, and we may see other malware campaigns piggybacking off this sample's success," Hickey says.
"The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host," Microsoft says.
So the new strain of WannaCry 2.0 malware would not take long to take over these systems, as well as others connected to the same local network.
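As an added illustration (not from the article, MalwareTech or Microsoft), the traffic pattern Microsoft describes can be turned into a simple detection: flag any host that opens TCP/445 connections to many distinct destinations within a short window. The log format, field order and sample lines below are constructed for the example.

```python
# Added example: flag hosts whose outbound TCP/445 fan-out looks like
# WannaCry-style SMB worm scanning. Constructed log format (one line per flow):
#   "<epoch_seconds> <src_ip> <dst_ip> <dst_port> <proto>"
from collections import defaultdict

# Constructed sample firewall/netflow lines: 10.0.0.5 sprays port 445 across
# local and Internet hosts; 10.0.0.9 only talks to one file server normally.
SAMPLE_LOG = """\
1494700000 10.0.0.5 10.0.0.20 445 tcp
1494700001 10.0.0.5 10.0.0.21 445 tcp
1494700001 10.0.0.5 198.51.100.1 445 tcp
1494700002 10.0.0.5 198.51.100.2 445 tcp
1494700002 10.0.0.5 198.51.100.3 445 tcp
1494700003 10.0.0.5 203.0.113.7 445 tcp
1494700003 10.0.0.5 203.0.113.8 445 tcp
1494700004 10.0.0.5 203.0.113.9 445 tcp
1494700010 10.0.0.9 10.0.0.20 445 tcp
1494700011 10.0.0.9 10.0.0.20 445 tcp
1494700012 10.0.0.9 10.0.0.30 443 tcp
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, dst, port, proto = line.split()
    return int(ts), src, dst, int(port), proto


def smb_scanners(log_text, window=60, min_targets=5):
    """Return {src_ip: peak distinct TCP/445 targets} for every source that
    contacted at least `min_targets` distinct hosts on 445 within `window`
    seconds. Repeated connections to the same share do not count."""
    events = defaultdict(list)  # src -> [(timestamp, dst_ip)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = parse_line(line)
        if proto == "tcp" and port == 445:
            events[src].append((ts, dst))
    flagged = {}
    for src, conns in events.items():
        conns.sort()
        # Sliding window: from each start time, count distinct destinations
        # reached within `window` seconds and keep the peak per source.
        for i, (t0, _) in enumerate(conns):
            targets = {d for t, d in conns[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                flagged[src] = max(len(targets), flagged.get(src, 0))
    return flagged


if __name__ == "__main__":
    print(smb_scanners(SAMPLE_LOG))  # {'10.0.0.5': 8}
```

Tune `window` and `min_targets` to the normal SMB fan-out of your environment; domain controllers and backup servers legitimately reach many hosts on 445 and belong on an allowlist.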