WanaCrypt0r worm with kill switch patched out

Update: After performing some analysis, we’ve noted that the ransomware package (resource) in the worm is corrupted.  This means that even though the worm will infect, it won’t encrypt your files.  This is a GOOD THING.   But machines are still being exploited with this worm variant.  Patching is still the order of the day.

At Rendition we’ve been watching the evolution of the WanaCrypt0r malware.  We have become aware of a sample that does not implement the infamous “kill switch” domain check that neutered the original.  If you were counting on the kill switch being activated to save your network, we have unfortunate news for you: that approach isn’t going to work anymore.

Now is the time to patch for MS17-010.  If you can’t patch for whatever reason, you can deploy Rendition’s free tearSt0pper utility to prevent the current variant of the ransomware from executing successfully.  As the attackers update payloads, Rendition is committed to updating the tool to help keep the community as safe as possible.  However, we recognize that this is a losing battle.  We will always be one step behind attackers, so your best move is to patch immediately.  If you can’t patch, you should begin implementing steps to segment your network using router ACL’s, private VLANs and host based firewalls.  All of these controls should be configured to limit SMB traffic between workstations (at a minimum).

Technical Details

For those that prefer to see the technical details for themselves, we’ve prepared this screenshot.

Someone disabled the kill switch domain!

In the debugger screenshot above, we can see that the domain that was previously used for a kill switch has been replaced with null bytes (0x00).  At the top of the screenshot, we see the ESI register being loaded with the address 0x4313D0.  This register is next used when it is passed to InternetOpenURL.  However, when examining the memory at 0x4313D0, it is empty (look at the “Hex Dump” pane at the bottom of the screenshot).  Because of this modification, the “kill switch” check cannot possibly succeed since InternetOpenURL will throw an error while trying to contact a null domain.  For those interested in performing their own analysis, the MD5 of the sample is d724d8cc6420f06e8a48752f0da11c66.

As always, if you need world class information security support, don’t hesitate to contact Rendition Infosec.