Today (14 May 2017), 2 new variants appeared. One is working, and I blocked it by registering its new kill-switch domain name; the second is only partially working, because it only spreads and does *not* encrypt files due to a corrupted embedded archive.

Legit. A new variant had been caught by @benkow_ in the wild and sent to me for analysis. I reversed it and found a new kill-switch ( ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com ) which I immediately registered to stop the new wave of global attacks. Then, I synchronized with @MalwareTechBlog and @2sec4u to map the new domain to sinkhole name servers to feed the live interactive infection map. This is 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf .

False positive. A new variant with no kill-switch, recovered by Kaspersky as a virustotal.com upload and not detected in the wild. This build only works *partially*, as the ransomware archive is corrupted, but the spreading still works. This is 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd .

New variants

All the variants seen so far (two in the wild, one only as a VirusTotal upload) are the following:

Name          : 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd
LastWriteTime : 5/14/2017 5:56:00 PM
MD5           : D724D8CC6420F06E8A48752F0DA11C66
SHA2          : 07C44729E2C570B37DB695323249474831F5861D45318BF49CCF5D2F5C8EA1CD
Length        : 3723264

Name          : 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
LastWriteTime : 5/13/2017 7:26:44 AM
MD5           : DB349B97C37D22F5EA1D1841E3C89EB4
SHA2          : 24D004A104D4D54034DBCFFC2A4B19A11F39008A575AA614EA04703480B1022C
Length        : 3723264

Name          : 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf
LastWriteTime : 5/14/2017 4:11:45 PM
MD5           : D5DCD28612F4D6FFCA0CFEAEFD606BCF
SHA2          : 32F24601153BE0885F11D62E0A8A2F0280A2034FC981D8184180C5D3B1B9E8CF
Length        : 3723264

New variant with kill switch

32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf

As seen below, this is the new kill switch address ( ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com ) found in the 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf sample, shared by @benkow_ with me via his honeypot VM. It took me less than a minute once I had the new sample to reverse it and extract the new address to register it.
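The kill-switch check described above amounts to pulling the URL strings out of the dropper and hashing the file so it can be matched against the listing. The script below is an added example written for this page, not the author's tooling: it extracts every ASCII http(s):// host from a binary blob, flags the kill-switch domain named in this article, reports any other URL as a candidate to look at, and returns the MD5/SHA-256 digests in the same upper-case form as the listing. The sample blob is constructed inline (it is not a real WannaCry sample), and `example.invalid` is a placeholder host.

```python
import hashlib
import re

# Kill-switch domain named in this article. Added example: the article ships
# no code, and this list is maintained here for illustration only.
KNOWN_KILLSWITCH_DOMAINS = (
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
)

# The dropper holds the kill-switch as a NUL-terminated ASCII URL passed to
# InternetOpenUrlA; the character class stops at the NUL byte.
URL_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")


def hash_blob(data: bytes) -> dict:
    """MD5 / SHA-256 / length in the upper-case form used by the listing above."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA2": hashlib.sha256(data).hexdigest().upper(),
        "Length": len(data),
    }


def extract_urls(data: bytes) -> list:
    """Every distinct http(s):// host in the blob, i.e. the 'strings | grep http' step."""
    return sorted({m.group(1).decode("ascii") for m in URL_RE.finditer(data)})


def find_killswitch(data: bytes, known=KNOWN_KILLSWITCH_DOMAINS) -> dict:
    """Split the hosts found in the blob into known kill-switches and new candidates."""
    hosts = extract_urls(data)
    return {
        "urls": hosts,
        "known_killswitch": [h for h in hosts if h in known],
        "candidate_killswitch": [h for h in hosts if h not in known],
    }


# Constructed stand-in for a dropper: a fake PE header, some padding, the
# kill-switch URL as a NUL-terminated string, and one unrelated URL.
SAMPLE_BLOB = (
    b"MZ" + b"\x00" * 62
    + b"http://ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com\x00"
    + b"\x90" * 16
    + b"http://example.invalid/update\x00"
)


if __name__ == "__main__":
    report = find_killswitch(SAMPLE_BLOB)
    print(hash_blob(SAMPLE_BLOB))
    print("known kill-switch :", report["known_killswitch"])
    print("candidate URLs    :", report["candidate_killswitch"])
```

This only works on a sample whose strings are in the clear, which was the case for the build discussed here; a packed or string-obfuscated build would need to be unpacked or dumped from memory first. Any candidate host the script reports still has to be confirmed in a disassembler before registering it, since a dropper can carry URLs that are not a kill-switch at all.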

The variants 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c & 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf both drop the same files and archives.

Kaspersky told me they also detected the above variant; MD5 d5dcd28612f4d6ffca0cfeaefd606bcf was first seen by one of their users in Russia at 01:53:26 GMT (2017-05-14 01:53:26.0).

Name          : stage2-1-24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
LastWriteTime : 5/12/2017 10:06:10 PM
MD5           : 84C82835A5D21BBCF75A61706D8AB549
SHA2          : ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA
Length        : 3514368

Name          : stage2-2-32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf
LastWriteTime : 5/14/2017 4:42:09 PM
MD5           : 84C82835A5D21BBCF75A61706D8AB549
SHA2          : ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA
Length        : 3514368

New variant with no kill-switch (shared by Kaspersky)

Costin Raiu, Director of Global Research and Analysis Team at Kaspersky Lab, shared the 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd sample with me for a second opinion.

As said in the introduction, this build only works *partially*: the ransomware archive is corrupted, but the spreading part using ETERNALBLUE and DOUBLEPULSAR still works. The archive only partially decompresses, although the password in the code is the same.

The above variant, MD5 d724d8cc6420f06e8a48752f0da11c66, has not been seen by any of Kaspersky's users (nobody got hit with it yet). It was first scanned on VT at 2017-05-14 13:05:36.

This sample had been discovered after the initial variant I received today. See below my analysis.