Only a few days into this thing and of course we’re already seeing spin-off variants of the original binary making their way into the wild.
Over the weekend we’ve had a few ups and downs; we’ve identified two kill-switch domains hard-coded into the binaries, which were subsequently discovered and sinkholed. Heading into Monday, however, we’re starting to see the natural processes run their course as new variants enter the wild.
Variant 3 (MD5: d724d8cc6420f06e8a48752f0da11c66) is already starting to display some new behavior. This variant has no hard-coded kill-switch domain that can be sinkholed, but the hasty changes appear to have broken its ransomware capability.
The spreader capability made possible by ETERNALBLUE and DOUBLEPULSAR still works as advertised. The actual ransomware functionality, however, appears to be broken, most likely due to a corrupted embedded archive. The domain-check code is still present in this variant’s binary, but it has been jmp’d over and zeroed out, so it never executes.
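As a quick triage aid for sorting incoming samples into "still carries a kill-switch domain" versus "kill-switch stripped", here is an added example script. It is not code from the original post or from the malware author; the only identifier taken from the post is the variant 3 MD5. The two kill-switch domains themselves are not named in the post, so the domain list below is a placeholder assumption that you must replace with the indicators from your own analysis.

```python
import hashlib
from typing import Dict, List

# MD5 the post reports for "variant 3" (taken from the post itself).
VARIANT3_MD5 = "d724d8cc6420f06e8a48752f0da11c66"

# ASSUMPTION: placeholder kill-switch domains. The post does not name the two
# sinkholed domains; substitute the real indicators from your own analysis.
KILL_SWITCH_DOMAINS = [
    b"killswitch-domain-1.example",
    b"killswitch-domain-2.example",
]


def md5_hex(data: bytes) -> str:
    """Hex MD5 of the sample, for matching against published variant hashes."""
    return hashlib.md5(data).hexdigest()


def find_kill_switch_domains(data: bytes) -> List[str]:
    """Return the kill-switch domains present in the sample.

    Windows binaries may hold the URL as a narrow (ASCII) or wide (UTF-16LE)
    string, so both encodings are checked.
    """
    found = []
    for dom in KILL_SWITCH_DOMAINS:
        wide = dom.decode("ascii").encode("utf-16-le")
        if dom in data or wide in data:
            found.append(dom.decode("ascii"))
    return found


def triage(data: bytes) -> Dict[str, object]:
    """Summarise one sample: hash, variant match, and kill-switch string status."""
    digest = md5_hex(data)
    domains = find_kill_switch_domains(data)
    return {
        "md5": digest,
        "is_variant3": digest == VARIANT3_MD5,
        "kill_switch_domains": domains,
        "has_hardcoded_kill_switch": bool(domains),
    }


# Constructed sample bytes (not real malware): one "original-style" blob that
# still carries a kill-switch URL, and one "variant-style" blob with it stripped.
SAMPLE_WITH_DOMAIN = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"http://killswitch-domain-1.example\x00" + b"\x00" * 8
)
SAMPLE_WITHOUT_DOMAIN = b"MZ\x90\x00" + b"\x00" * 56

if __name__ == "__main__":
    for name, blob in [("with_domain", SAMPLE_WITH_DOMAIN),
                       ("without_domain", SAMPLE_WITHOUT_DOMAIN)]:
        print(name, triage(blob))
```

One caveat the variant above makes obvious: a string match only tells you the domain is still in the file. A sample can keep the domain string while the check that uses it has been jmp’d over and zeroed out, so "has_hardcoded_kill_switch" here means "string present", not "kill-switch live"; confirming the latter requires looking at the code path in a disassembler or a sandbox run.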
Keeping this one short, but I wanted to throw a little something out there with some recent updates.