With the successful launch of the WannaCry Ransomware last Friday, ransomware developers are being quick to release their own imitations.  As of today, I found 4 different WannaCry knockoffs in various forms of development. Of particular interesting is what appears to be a WannaCry Ransomware generator that allows you to customize the appearance and text of the lock screen.

Let’s take a look at what each of these imitations have to offer. You can click on any of the images below to see a full size image.

DarkoderCrypt0r

Of the four WannaCry imitators, DarkoderCrypt0r is the farthest along in development as it actually encrypts files on a computer. As you can see below, the developers copied the WannaCry lock screen and adapted it a bit with their own title, bitcoin addresses, etc. Currently this in-development ransomware as it is only encrypting files on the victim’s Desktop. When encrypting files it will append the .DARKCRY extension to the encrypted file’s name. The executable will also be named @DaKryEncryptor@.exe.

DarkoderCrypt0r
DarkoderCrypt0r

Sample: 2ffd9ba7b5dbccf734da02498fa2a6af8caaf8b9f98d4b32bc226516eee5c832

Aron WanaCrypt0r 2.0 Generator v1.0

Aran wanaCrypt0r 2.0 Generator v1.0 is an interesting sample as it is being developed to be a customizable WannaCry Ransomware generator. This program allows you to create a customized WannaCry lock screen where a developer can customize the text, images, and colors of the lock screen.

The generator will most likely then use these customizations to create a customized WanaCrypt0r ransomware executable that can then be distributed by a wannabe ransomware developer in order to generate ransoms. At this time, the generator only allows you to customize the lock screen and then display the customized screen. It does not generate a customized ransomware executable.

Aron WanaCrypt0r 2.0 Generator v1.0
Aron WanaCrypt0r 2.0 Generator v1.0

Sample: b46c6addef8894d5079f592152481d259338175806eb9a983ddb8edb9ec5aa44

Wanna Crypt v2.5

Wanna Crypt v2.5 is in the very beginning stages of development as it only displays the lock screen shown below when launched.

Wanna Crypt v2.5
Wanna Crypt v2.5

Sample: 925b3acaa3252bf4d660eab22856fff155f3106c2fee7567711cb34374b499f3

WannaCrypt 4.0

Like Wanna Crypt v2.5, WannaCrypt 4.0 is in the beginning stages of development and does not encrypt anything at this time. An interesting aspect of this sample is that the default language for the lock screen is Thai. As the original WannaCry does not support Thai, my guess is that the developer of this imitation is from Thailand.

WannaCrypt 4.0
WannaCrypt 4.0