As companies around the world have patched their Microsoft (MSFT) Windows operating systems, the next round of WannaCry ransomware could strike organizations that have not installed security fixes.
While WannaCry rampaged through more than 100 countries over the weekend, security researchers identified a "kill switch" within the ransomware that slowed the expansion. New versions of the malware are already emerging that could revitalize the cybercrime wave, however.
Wedbush analyst Steve Koenig noted in a Monday report that hackers are already reworking ransomware without the kill switch. "Until hundreds of thousands of unpatched Windows systems have been updated, a WannaCry 2.0 campaign could effectively pick up where Friday's attack left off," he wrote.
The WannaCry ransomware has its roots in an April posting by a group called the Shadow Brokers, which released information about a weakness in Windows that the NSA allegedly discovered.
Microsoft had already released fixes for the vulnerability in March, but has provided further updates and reminders to users.
Organizations around the world had not updated their machines by the time hackers unleashed WannaCry on Friday, however. The U.K.'s National Health Service, FedEx (FDX), Nissan and more than 30,000 organizations in China have been hit by the ransomware. Heimdal Security reports that there are more than 200,000 victims in 150 countries.
A U.K. researcher who blogs for Malwaretech.com and Proofpoint staffers discovered a "kill switch" that limited the attacks.
"While the identification occurred after the initial wave hit Europe and Asia, it significantly slowed the spread of this worm and aggressive ransomware worldwide," Kalember wrote.
Microsoft Chief Legal Officer Brad Smith acknowledged in a blog post that the Windows developer has the primary responsibility to fix the problems.
However, Smith shared some blame with customers who have not updated their operating systems two months after Microsoft published fixes. "As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems," Smith wrote.
Microsoft also questioned the government policy of keeping stockpiles of software weaknesses that hackers can target. "We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world," Smith noted.
A version of WannaCry without the kill switch is already making the rounds, according to TheHackerNews.com.
A strain of ransomware called Uiwix makes use of the Windows vulnerabilities that WannaCry targeted, without the kill switch, Heimdal Security noted.
"We reckon that this is the first of many variants to follow, which will aim to exploit this vulnerability and infect as many devices as possible until the necessary patch is applied," Heimdal security evangelist Andra Zaharia wrote.
Uiwix likely won't be the last. Proofpoint notes that new variants of ransomware appear every two or three days.