The WannaCry virus isn't something new. If you don't know about it, you must read the WannaCry special post by clicking here. Researchers from the popular security firm Kaspersky last month presented new evidence tying those attacks together, pointing to North Korea as the culprit. Well, the young cyber security researcher, known only by his Twitter handle @MalwareTechBlog, says he found a weakness by chance that allowed slowing the spread of WannaCry, a type of malware called ransomware that encrypts files on an infected computer and demands money to unlock them.
Targeting Windows machines and built on a leaked NSA exploit, the ransomware left impacted users finding that all of their computer files had been encrypted and could only be recovered by paying US$300 to US$600 to restore access. Security researchers said they observed some victims paying via the digital currency bitcoin, though they did not know what percentage had given in to the extortionists.
After taking a close look at the WannaCry code, Hutchins spotted a strange domain name and, out of mere curiosity, registered it, not knowing that doing so would trigger the ransomware's kill-switch.
The researcher of the ‘cure’ to the virus, tweeting as @MalwareTechBlog, said the discovery was accidental, but that registering a domain name used by the malware stops it from spreading.
“Essentially they relied on a domain not being registered and by registering it, we stopped their malware spreading,” @MalwareTechBlog said in a private message on Twitter.
Without question, Hutchins' action here helped stop the malware from spreading even wider, but not before it managed to infect more than 300,000 computers across the globe.
The researcher warned however that people “need to update their systems ASAP” to avoid attack.
“The crisis isn’t over, they can always change the code and try again,” @MalwareTechBlog said.
“I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental,” @MalwareTechBlog tweeted.
Unfortunately, computers already affected will not be helped by this solution.
“So long as the domain isn’t revoked, this particular strain will no longer cause harm, but patch your systems ASAP as they will try again.”
The malware’s name is actually WCry, but analysts were also using variants such as WannaCry. Interestingly enough, security researchers now claim that there’s a clever and concerted campaign to bring the malware back from the dead and continue the spreading spree. The strategy? Taking the kill-switch domain off-line by any means necessary.
According to a report I read recently from Wired, botnets are now being mobilized to launch a DDoS attack against the kill-switch domain.
Now a few devious hackers appear to be trying to combine those two internet plagues: They’re using their own copycats of the Mirai botnet to attack WannaCry’s kill-switch. So far, researchers have managed to fight off the attacks. But in the unlikely event that the hackers succeed, the ransomware could once again start spreading unabated.
If the DDoS assault did succeed, not all WannaCry infections would immediately reignite. The ransomware stops scanning for new victims 24 hours after installing itself on a computer, says Matt Olney, a security researcher with Cisco’s Talos team. But anytime one of those infected machines reboots, it starts scanning again. “The ones that were successfully encrypted are in this zombie state, where they’re waiting to be reactivated if that domain goes away,” says Olney.
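The behaviour Olney describes gives defenders a simple handle: a host that even looks up the kill-switch domain has run the worm, and the answer it received tells you whether that run was stopped or not. The following is an added example written for this post, not code from the original article or from MalwareTech; the post does not name the kill-switch domain, so KILL_SWITCH_DOMAIN is a placeholder, the resolver log lines are constructed, and a successful lookup is taken as a stand-in for the kill-switch firing.

```python
"""Triage resolver logs for kill-switch lookups (added example, not from the post).

Each lookup of the kill-switch domain is one execution of the worm, whether the
original install or a later reboot. A lookup that succeeded means the kill-switch
fired and the worm exited; a failed lookup (NXDOMAIN, SERVFAIL, timeout) means
that run was not held back and the host should be treated as actively scanning.
"""
import re
from collections import defaultdict

KILL_SWITCH_DOMAIN = "killswitch.example"  # placeholder; the post does not give the real name

# Constructed log format: "<ISO time> client=<ip> query=<name> rcode=<code>"
LOG_RE = re.compile(r"^(\S+) client=(\S+) query=(\S+) rcode=(\S+)$")

# Constructed sample: 10.0.0.7 checks twice (install, then a reboot) and is stopped
# both times; 10.0.0.9's first check fails, so that first run was not stopped.
SAMPLE_LOG = """\
2017-05-12T10:01:02Z client=10.0.0.5 query=www.example.com rcode=NOERROR
2017-05-12T10:02:15Z client=10.0.0.7 query=killswitch.example rcode=NOERROR
2017-05-12T10:05:40Z client=10.0.0.9 query=killswitch.example rcode=SERVFAIL
2017-05-13T08:30:00Z client=10.0.0.7 query=killswitch.example. rcode=NOERROR
2017-05-14T09:00:00Z client=10.0.0.9 query=KILLSWITCH.example rcode=NOERROR
"""


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, name, rcode = m.groups()
    # Normalise case and a trailing dot so the domain comparison is exact.
    return {"ts": ts, "client": client, "query": name.lower().rstrip("."), "rcode": rcode}


def triage(log_text):
    """Return {client_ip: {"lookups": n, "killswitch_fired": n, "unchecked_runs": n}}."""
    hosts = defaultdict(lambda: {"lookups": 0, "killswitch_fired": 0, "unchecked_runs": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["query"] != KILL_SWITCH_DOMAIN:
            continue
        h = hosts[rec["client"]]
        h["lookups"] += 1  # one execution of the worm (install or reboot)
        if rec["rcode"] == "NOERROR":
            h["killswitch_fired"] += 1  # domain resolved: worm exits without scanning
        else:
            h["unchecked_runs"] += 1  # lookup failed: this run was not stopped
    return dict(hosts)


if __name__ == "__main__":
    for ip, stats in sorted(triage(SAMPLE_LOG).items()):
        print(ip, stats)
```

Hosts with a non-zero unchecked_runs count are the ones to isolate first; hosts with several lookups but zero unchecked runs are still infected and will re-check on every reboot, which is exactly why the domain being DDoSed matters.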
At this point, there's no way of knowing for sure if the people behind the WannaCry virus are the same ones trying to resurrect the malware. Some security researchers, though, believe that the new botnet campaign is actually being carried out by folks looking to have a bit of ill-advised fun at the expense of innocent users.
Dull Mistakes Were Made by the WannaCry Creators
At last count, the group behind WannaCry has earned just over $55,000 from its internet-shaking attack, a small fraction of the multimillion-dollar profits of more professional, stealthy ransomware schemes. That is far too low! For me, I say the makers are too dull. “From a ransom perspective, it's a catastrophic failure,” says Craig Williams, a cyber security researcher with Cisco's Talos team. “High damage, very high publicity, very high law-enforcement visibility, and it has probably the lowest profit margin we've seen from any moderate or even small ransomware campaign.”
The news about the virus got almost everywhere and gained global and government attention. So, with all the notoriety it got, the makers only gained a relatively meagre amount of money. I trust myself! (I'm just joking, I'm a white hat.)
“It looks impressive as hell, because you think they must be genius coders in order to integrate the NSA exploit into a virus. But in fact, that's all they know how to do, and they're basket cases otherwise,” says Rob Graham, a security consultant for Errata Security. “That they have hardcoded bitcoin addresses, rather than one bitcoin address per victim, shows their limited thinking.” Over the weekend, a new version of WannaCry appeared with a different “kill switch” address. Dubai-based security researcher Matt Suiche registered that second domain almost immediately, cutting short the spread of that adapted version of the malware, too. Suiche can't imagine why the hackers haven't yet coded their malware to reach out to a randomly generated URL, rather than a static one built into the ransomware's code. “I don't see any obvious explanation for why there's still a kill switch,” Suiche says. Making the same mistake twice, especially one that effectively shuts WannaCry down, makes little sense. “It seems like a logic bug,” he said.