More WannaCry ransomware variants to come. Back up your data, warn security experts

Sriram Sharma May 16, 2017 5 min

It took a hidden kill switch to slow down the outbreak of WannaCry, the ransomware which spread its tentacles around the globe on Friday infecting over 200,000 computers in 150 countries. But security experts who spoke to FactorDaily warn that newer, more devastating variants of the malware are highly likely to be unleashed soon, with some already in the wild.

“Variants are coming up with code changes and the kill switch removed but with less impact to be seen,” said Abhishek Anand, cofounder of Fallible, a Bangalore-based cybersecurity startup. These variants rely on preconditions, such as publicly accessible specific network ports or user action required by anyone in a large closed network, he added.

“Variants are coming up with code changes and the kill switch removed but with less impact to be seen” — Abhishek Anand, cofounder Fallible, cybersecurity startup  

By Sunday, new WannaCry variants were already being reported by cybersecurity experts. Copenhagen-based Heimdal Security reported on a new malware variant called Uiwix, which has no kill switch, that has already started to spread by exploiting the same Windows vulnerability.

“Given the slow pace at which Windows updates get adopted, there is still plenty of opportunity for systems to get compromised,” said Anand Prahlad, CEO, Parablu, a CASB (cloud access security broker) and data management solution provider. “As long as attackers find that this is a successful way to hold an organisation hostage and get paid a ransom, new variants will continue to mushroom.”

By Sunday, new WannaCry variants were already being reported by cybersecurity experts

Security experts were anticipating a cyberattack of this scale since April, when an anonymous hacking group called Shadow Brokers leaked hacking tools belonging to the NSA, including an exploit called Eternal Blue, which is used by WannaCry.

Apart from the NSA leak, there was also a CIA leak that happened in March this year, reminded Saket Modi, founder of Delhi-based cybersecurity firm Lucideus. In a phone conversation with FactorDaily, he said that these leaks are sure to increase the number of cyber weapons at the disposal of unscrupulous hackers. His firm gets three to four malware attack related requests from companies every week, he said.

“Ransomware is also evolving into Doxxware, where you are threatened with the release of your personal data to the public — personal emails, chat conversations. This is a cat-and-mouse game that will keep going for a long time. IT security infrastructure in a company is only going more and more complex going forward,” he said.

A Digital Geneva Convention?

On Sunday, Brad Smith, president and chief legal officer, Microsoft, posted a blog calling out the “stockpiling of vulnerabilities by governments” for the widespread damage caused by WannaCry, and called for a Digital Geneva Convention.

“An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen. This most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today — nation-state action and organised criminal action,” he wrote. Microsoft also released updates for older operating systems that are no longer officially supported, such as XP, Windows 8, and Server 2003 on Friday.

On Sunday, Brad Smith, president and chief legal officer, Microsoft, posted a blog calling out the “stockpiling of vulnerabilities by governments” for the widespread damage caused by WannaCry, and called for a Digital Geneva Convention  

Commenting on the post, Prahlad said that though he agreed on some aspects of Brad’s points, governments are not the only perpetrators. “There is an active malware underground where one can purchase the tools needed to create malware attacks. Using Brad’s analogy, this would be akin to having Tomahawk missiles you could simply order online and have delivered to your home. So, while rapping governments on their knuckles can be justified to a degree, there is a bigger issue here with a set of tools being made easily available to ‘bad guys’ who can manufacture and let loose malware at will,” he said.

Backup, and backup again

Prahlad says that updating computers with the latest OS is not a silver bullet against malware, as ransomware variants that take advantage of zero-day vulnerabilities are always possible. “The rapid and quick-moving malware underground ensures that anti-malware vendors are always playing catchup. Experience tells us that the best defence against ransomware is data backup. A clean backup of an organisation’s data can prevent it from being held hostage by an attacker, even if its other ransomware defences fail.”

All security experts agree thatpatching and having a robust backup strategy are important

“A clean backup of an organisation’s data can prevent it from being held hostage by an attacker, even if its other ransomware defences fail” — Anand Prahlad, CEO, Parablu, a CASB and data management solution provider  

According to research cited by Barkly, an endpoint protection software provider, emails are the most common point of ransomware infiltration. All the security experts we spoke to agreed with Troy Hunt’s tips, which include patching and having a robust backup strategy.

Educating users should come at the top of the list, said Prahlad. “Most attacks are successful because users don’t always know the right thing to do. When to not click on an attachment, when to not click on something on a website. How to not become a victim of social engineering. How to always have a strong password. In my opinion, that is super-important and is most often ignored,” he said.


Disclosure: FactorDaily is owned by SourceCode Media, which counts Accel Partners, Blume Ventures and Vijay Shekhar Sharma among its investors. Accel Partners is an early investor in Flipkart. Vijay Shekhar Sharma is the founder of Paytm. None of FactorDaily’s investors have any influence on its reporting about India’s technology and startup ecosystem.