Getty Images / AFP / Stringer

WannaCry is back! Virus hits Australian traffic cameras and shuts down a Honda plant in Japan NHS WannaCry is back! Virus hits Australian traffic cameras and shuts down a Honda plant in Japan

NHS Digital recently confirmed that the recent NHS computer hack used the Wanna Decryptor ransomware to infect the systems of as many as 40 UK hospitals. This software is believed to have used tools stolen by the National Security Agency to exploit a flaw in Microsoft Windows.


The original Wanna Decryptor ransomware was halted when a security researcher accidentally discovered a kill switch, but reports suggest the malware is spawning new, more aggressive versions.

Ransomware Trojans are a type of malware designed to extort money from victims by holding files or entire computers to ransom. The ransomware typically demands payment to undo changes that the Trojan virus has made to the victim’s computer, which ranges from encrypting data stored on the victim’s disk to blocking normal access.

Read next WIRED Awake December 19: USA blames North Korea for WannaCry ransomware attack WIRED Awake December 19: USA blames North Korea for WannaCry ransomware attack

Subscribe to WIRED

Wanna Decryptor encrypts users files using encryption ciphers meaning the hackers can directly decrypt system files using a unique decryption key. Once inside a system, Wanna Decryptor creates encrypted copies of specific file types before deleting the originals, leaving the victims with only the encrypted copies.


- Want to know more? Read our in-depth piece: "What is WannaCry?"

It is unclear how the Wanna Decryptor ransomware infected the NHS systems. Researchers at Avast have tied Wanna Decryptor, or WanaCrypt0r 2.0, to a Microsoft exploit used by the Equation Group, which, in turn, is suspected of being tied to the NSA.

The vulnerability (MS17-010) affects Microsoft Windows Vista, 7, 8, 10, XP and versions of the Windows Server software. Over the weekend, Marcus Hitchins, who posts on Twitter under @malwaretechblog, discovered a "kill switch" for the ransomware, which slowed its spread.

There has been speculation, however, a second version could be created with a different (or worryingly, no) URL. Security company Rendition Infosec has claimed it has seen a variation of Wanna Decryptor that doesn't have a kill switch.

"If you were counting on the kill switch being activated to save your network, we have unfortunate news for you: that approach isn’t going to work anymore," the firm says in a blog post.


Bitdefender has also seen the same version of the malware that does not contain a kill switch. Its own blog post says "it was only a matter of time until a newer version would emerge bypassing" the kill switch.

Separately, security researcher Matthieu Suiche‏ has registered a second kill switch found in one version of the malware and says that stopped around 10,000 machines from being infected.

Want to know more about the cyber threats of the future? WIRED Security 2017 returns to London in on September 28 to discuss the latest innovations, trends and threats in enterprise cyber defence, security intelligence and cybersecurity. Join us at King’s Place by booking your tickets today.

