Wcry ransomware is reborn without its killswitch, starts spreading anew


Yesterday, the world got a temporary respite from the virulent Wcry ransomware worm, which used a leaked NSA cyberweapon to spread itself to computers all over the world, shutting down hospitals, financial institutions, power companies, business, and private individuals' computers, demanding $300 to reactivate them.

The respite was thanks to a sloppy bit of programming from the worm's creator, who'd left a killswitch in the code: newly infected systems checked to see if a certain domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com) existed before attempting to spread the infection; by registering this domain, security researchers were able to freeze the worm.

But a day later, it's back, and this time, without the killswitch. Security researchers running honeypots have seen new infections by versions of the worm that can spread even when the iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com domain is live.

"I can confirm we've had versions without the kill switch domain connect since yesterday," Costin Raiu, director of global research and analysis team at Kaspersky Lab told Motherboard on Saturday.