Researcher Accidentally Thwarts ‘WannaCry’ Ransomware

Ransomware that ripped through hundreds of thousands of Windows PCs worldwide on Friday was hobbled over the weekend, but could see a resurgence this week if patches are not deployed.

A UK-based researcher known as MalwareTech managed to stop the spread of ransomware, dubbed WannaCry or WannaCrypt, quite by accident. As he explained in a blog post, MalwareTech acquired a sample of the malware on Friday and ran it in a virtual environment.

"I instantly noticed it queried an unregistered domain, which I promptly registered," MalwareTech writes.

This was not uncommon for him. "My job is to look for ways we can track and potentially stop botnets (and other kinds of malware), so I'm always on the lookout to pick up unregistered malware control server (C2) domains. In fact I registered several thousand of such domains in the past year."

This time, however, the move—known as sinkholing—thwarted WannaCry.

WannaCry tries to connect to a domain hardcoded in its code. If it can't connect, "it ransoms the system," MalwareTech explains. If it connects to the domain, though, "the malware exits" and the system is not compromised.

"This technique isn't unprecedented and is actually used by the Necurs trojan," according to MalwareTech. "However, because WannaCrypt used a single hardcoded domain, my registartion [sic] of it caused all infections globally to believe they were inside a sandbox and exit.

"Thus we initially unintentionally prevented the spread and further ransoming of computers infected with this malware," he writes.

That's good news for those unfortunate enough to encounter WannaCry, but MalwareTech warns that his sinkhole "only stops this sample and there is nothing stopping them removing the domain check and trying again, so it's incredibly importiant [sic] that any unpatched systems are patched as quickly as possible."
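The kill-switch logic described above has a useful defensive side effect: every host that runs the sample looks up the hardcoded domain, so resolver logs show which machines executed it, and the answer they received tells you whether that run went on to encrypt (lookup failed) or exited (domain resolved to the sinkhole). The script below, written here as an added example and not code from the article or from MalwareTech, parses constructed resolver log lines and triages clients by that outcome; the domain name, log format and IP addresses are placeholders, not WannaCry's real domain. It also shows why the caveat in the quote above matters: a host in either bucket ran the malware and is still unpatched, and a variant without the domain check would leave no such trace.

```python
"""Triage DNS resolver logs for hosts that queried a malware kill-switch domain.

Constructed example; not code from the article or from MalwareTech.
KILL_SWITCH_DOMAIN and SAMPLE_LOG are placeholders (assumptions), not real indicators.
"""
from collections import defaultdict
from dataclasses import dataclass

# Placeholder standing in for the single hardcoded domain (assumption; not the real one)
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed resolver log lines: "<timestamp> <client_ip> <qname> <rcode>"
SAMPLE_LOG = """\
2017-05-12T08:01:10Z 10.0.3.14 killswitch-placeholder.example NXDOMAIN
2017-05-12T08:01:12Z 10.0.3.14 killswitch-placeholder.example NXDOMAIN
2017-05-12T08:05:44Z 10.0.7.22 www.example.org NOERROR
2017-05-13T15:20:03Z 10.0.9.101 killswitch-placeholder.example NOERROR
2017-05-13T15:21:30Z 10.0.9.101 KILLSWITCH-PLACEHOLDER.EXAMPLE. NOERROR
2017-05-13T15:30:00Z 10.0.2.5 mail.example.org NOERROR
"""


@dataclass
class Query:
    ts: str
    client: str
    qname: str
    rcode: str


def parse_log(text):
    """Parse whitespace-separated resolver log lines into Query records, skipping malformed lines."""
    queries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rcode = parts
        # DNS names are case-insensitive and may carry a trailing dot; normalise before matching
        queries.append(Query(ts, client, qname.rstrip(".").lower(), rcode.upper()))
    return queries


def triage(queries, domain=KILL_SWITCH_DOMAIN):
    """Classify every client that looked up the kill-switch domain.

    NXDOMAIN: the lookup failed, so per the article the sample went on to ransom the
              host -> "likely_ransomed".
    NOERROR : the domain resolved (sinkhole live) and the sample exited -> the host ran
              the malware but was not encrypted by that run -> "sinkholed_exposed".
    Returns {client_ip: (verdict, number_of_lookups)}.
    """
    domain = domain.lower()
    verdicts = {}
    counts = defaultdict(int)
    for q in queries:
        if q.qname != domain:
            continue
        counts[q.client] += 1
        state = "likely_ransomed" if q.rcode == "NXDOMAIN" else "sinkholed_exposed"
        # Any failed lookup is the worse outcome, so a host keeps that verdict once seen
        if verdicts.get(q.client) != "likely_ransomed":
            verdicts[q.client] = state
    return {c: (verdicts[c], counts[c]) for c in verdicts}


if __name__ == "__main__":
    for client, (verdict, n) in sorted(triage(parse_log(SAMPLE_LOG)).items()):
        print(f"{client:<12} {verdict:<18} lookups={n}")
```

Both buckets need the same follow-up: isolate the host, apply the March update, and check it for the malware, because the sinkhole answer only stopped one run of one sample. Treat this as a quick triage aid over logs you already have, not as a substitute for the patch.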

Microsoft released a patch for the vulnerability being targeted by WannaCry in March. On Friday, it extended that support to aging versions of Windows that Microsoft no longer supports but many businesses still use.

"Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download," Redmond said in a blog post.

As the Wall Street Journal reports, any lag in organizations installing these updates could result in more infections come Monday morning.

"It is important to understand that the way these attacks work means that compromises of machines and networks that have already occurred may not yet have been detected, and that existing infections from the malware can spread within networks," the UK's National Cyber Security Centre said in a statement. "This means that as a new working week begins it is likely, in the UK and elsewhere, that further cases of ransomware may come to light, possibly at a significant scale."

While WannaCry infected targets in at least 150 countries, the UK was particularly hard hit. The country's health system, the NHS, was crippled, preventing staff from looking up patient records, dispensing medicine, and even performing surgeries.

"The NHS is working hard to ensure that as few patients as possible are affected," the agency said in a Sunday statement that outlined how patients should proceed.
