Home / News & Analysis / Researcher Accidentally Thwarts ‘WannaCry’ Ransomware

Researcher Accidentally Thwarts ‘WannaCry’ Ransomware

Ransomware that ripped through hundreds of thousands of Windows PCs worldwide on Friday was hobbled over the weekend, but could see a resurgence this week if patches are not deployed.

SecurityWatchA UK-based researcher known as MalwareTech managed to stop the spread of ransomware, dubbed WannaCry or WannaCrypt, quite by accident. As he explained in a blog post, MalwareTech acquired a sample of the malware on Friday and ran it a virtual environment.

"I instantly noticed it queried an unregistered domain, which I promptly registered," MalwareTech writes.

This was not uncommon for him. "My job is to look for ways we can track and potentially stop botnets (and other kinds of malware), so I'm always on the lookout to pick up unregistered malware control server (C2) domains. In fact I registered several thousand of such domains in the past year."

This time, however, the move—known as sinkholing—thwarted WannaCry.

WannaCry looks to connect to the domain mentioned in the code. If it can't connect, "it ransoms the system," MalwareTech explains. If it connects to the domain, though, "the malware exits" and the system is not compromised.

"This technique isn't unprecedented and is actually used by the Necurs trojan," according to MalwareTech. "However, because WannaCrypt used a single hardcoded domain, my registartion [sic] of it caused all infections globally to believe they were inside a sandbox and exit.

"Thus we initially unintentionally prevented the spread and and further ransoming of computers infected with this malware," he writes.

That's good news for those unfortunate enough to encounter WannaCry, but MalwareTech warns that his sinkhole "only stops this sample and there is nothing stopping them removing the domain check and trying again, so it's incredibly importiant [sic] that any unpatched systems are patched as quickly as possible."

Microsoft released a patch for the vulnerability being targeted by WannaCry in March. On Friday, it extended that support to aging versions of Windows that Microsoft no longer supports but many businesses still use.

"Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download," Redmond said in a blog post.

As the Wall Street Journal reports, any lag time on organizations installing these updates could result in more infections come Monday morning.


"It is important to understand that the way these attacks work means that compromises of machines and networks that have already occurred may not yet have been detected, and that existing infections from the malware can spread within networks," the UK's National Cyber Security Centre said in a statement. "This means that as a new working week begins it is likely, in the UK and elsewhere, that further cases of ransomware may come to light, possibly at a significant scale."

While WannaCry infected targets in at least 150 countries, the UK was particularly hard hit. The country's health system, the NHS, was crippled, preventing staff from looking up patient records, dispensing medicine, and even performing surgeries.

"The NHS is working hard to ensure that as few patients as possible are affected," the agency said in a Sunday statement that outlined how patients should proceed.

Read more

Check Also

Turkish President Erdogan calls for boycott of US tech

Yesterday, Turkish President Recep Tayyip Erdogan called for a boycott of all US technology during a speech in the country’s capital city of Ankara. “Every product that we buy in foreign currency from outside, we will produce them here and sell abroad,” said Erdogan during the speech. “We will boycott the electronics products of the U.S.” Erodagan continued to suggest that for every Apple iPhone Turkish citizens could use a Korean Samsung phone instead. An ironic statement given the importance the iPhone had in helping him quell a military coup in the country in 2016 that sought to remove him from power. In what became a swiftly ended (though still deadly with over 200 casualties) coup, Erodagan used Facetime to call his supporters to the streets. This announcement follows a tense week in Turkey where the country’s currency, the lira, fell more than 25 percent according the New York Times. As the country struggles with increasing economic turmoil on its own soil, it continues to butt heads with the Trump administration as well. Despite their history as allies, diplomatic tensions between the two countries have been rising this past year. Last fall, a visa ban between the two was enacted following the arrests of two US mission staff in Turkey for suspected connections to the 2016 coup. While the visa ban was lifted in late December, this summer diplomatic tensions have continued to rise over the detention of a US pastor in the country for alleged connections to the same coup. Last week, Trump announced an increase in tariffs on Turkish steel and aluminium in a tweet saying: I have just authorized a doubling of Tariffs on Steel and Aluminum with respect to Turkey as their currency, the Turkish Lira, slides rapidly downward against our very strong Dollar! Aluminum will now be 20% and Steel 50%. Our relations with Turkey are not good at this time! In addition to its tech boycott, Turkey also retaliated yesterday with its own increased tariffs on US goods, including cars and alcohol.

Leave a Reply

Your email address will not be published. Required fields are marked *

Disclaimer: Trading in bitcoins or other digital currencies carries a high level of risk and can result in the total loss of the invested capital. theonlinetech.org does not provide investment advice, but only reflects its own opinion. Please ensure that if you trade or invest in bitcoins or other digital currencies (for example, investing in cloud mining services) you fully understand the risks involved! Please also note that some external links are affiliate links.