Yesterday's report of a Wcry ransomware version that didn't have the killswitch that halted the worm's spread was retracted by Motherboard and Kaspersky Lab — but today, France's Benkow computing document a new Wcry strain that has a different killswitch — one that has already been registered, stopping the new strain.
This isn't the only new strain, though: at least four copycats have been identified.
After confirming Benkow's findings, security researcher Matt Suiche intervened and registered this second domain — located at ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com — and pointed it at the same sinkhole server used for the first, discovered and registered by British security researcher MalwareTech on Friday.
This meant that despite computers getting infected with the second version of the WannaCry ransomware, the encryption process would not start, as long as the sinkhole server was in place, or security firms or sysadmins wouldn't block traffic to those two domains. As with the first version, the bulk of these computers — nearly half — were located in Russia.
WannaCry Ransomware Version With Second Kill Switch Detected and Shut Down
[Catalin Cimpanu/Bleeping Computer]