New WannaCrypt variants emerge

The WannaCrypt ransomware worm has been modified with new "kill switch" domain names, researchers have found.

Matt Suiche's new domain.

Comae Technologies researcher Matt Suiche said he had discovered new variants of WannaCrypt on infected machines.

As with the original WannaCrypt malware, one of the new variants had a domain name hard coded in.

WannaCrypt tries to connect to a server at the domain name in question. It is potentially a test to see if WannaCrypt is being executed in a sandboxed environment - as used by researchers analysing malware - and if it succeeds in contacting the domain, it will not attempt to spread further.

A British researcher who goes by the name of MalwareTech took advantage of this, and registered the original domain name hard coded into WannaCrypt in order to slow down the spread of the worm.

Suiche similarly registered the new domain name in the modified WannaCrypt variant he found, so it could act as a "kill switch" and stop the execution of the malware.

He said over 10,000 machines were connected to the domain, mainly from Russia, and did not continue to spread WannaCrypt as a result of his registration.

Security vendor Check Point Software also discovered a new variant of WannaCrypt and registered its “kill switch” domain name.

The company said that apart from the domain name, the rest of the code in the new WannaCrypt variant was similar to older versions of the malware.

Another sample of WannaCrypt that appears to have been patched to remove the "kill switch" domain name was shared by Kaspersky researcher Constantin Raiu, sparking fears that the simple trick preventing the malware from spreading would no longer work.

However, the sample shared by Raiu turned to be corrupt, and only works partially; it is not able to infect systems.

Suiche believes this is a temporary mistake and a WannaCrypt version without the domain name "kill switch" will appear soon.

Five variants of WannaCrypt have been found in the wild so far.