Registering a Domain Accidentally Triggered Ransomware’s Kill Switch


A new and aggressive form of ransomware started infecting computers late last week. The UK’s National Health Service (NHS) and Spanish telco Telefónica were among the most high-profile victims of the WannaCry malware, also known as WanaCrypt0r 2.0. As bad as the infection was, it could have been much worse if not for a security writer and researcher stumbling upon its kill switch. All he had to do in order to neuter WannaCry was register a domain.

Like most ransomware, WannaCry is designed to encrypt a user’s important files once it gets a foothold on a new system. This attack was more severe than many others because it made use of a Windows exploit called EternalBlue, developed by the NSA. That exploit was dumped on the internet several weeks ago by unknown hackers. Microsoft acknowledged the bug and released a patch, including for older versions of Windows.

Security researchers started dissecting WannaCry as soon as it popped up, among them a man who goes by MalwareTech. It was MalwareTech who noticed an unusual URL: a string of random characters ending in “gwea.com.” MalwareTech saw that this domain was unregistered, so he bought it for about $10, hoping he’d be able to gather more data about WannaCry. He redirected all traffic for that domain into a server designed to capture malicious traffic, known colloquially as a sinkhole. Instead, the ransomware started standing down after contacting the now-live URL.

It turns out that every instance of WannaCry would reach out to this URL before it started encrypting files. When it is able to resolve that domain, it simply shuts down instead. This effectively halted new infections, but it does nothing for systems that were already compromised. Hundreds of pings flooded in as soon as the URL went live.

We can only guess at the motivation for including this kill switch in WannaCry, but the most likely explanation is that it is a method for hindering forensic analysis. When malware is examined by researchers, it is often run in a sandboxed environment that answers every outbound connection or DNS lookup with a dummy IP address. Since the random URL is not supposed to exist, a response from that address could mean WannaCry is running in a sandbox. Thus, it shuts down to make itself harder to analyze, and halting the outbreak was just an unintended consequence.
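The two preceding paragraphs describe the same lookup from two sides: a host that queries the kill-switch domain has executed the sample, and whether the lookup resolved tells you whether the sample exited (sinkhole or sandbox answered) or went on to encrypt (NXDOMAIN). The following script is an added example, not code from the article or from MalwareTech, showing how a defender can triage DNS resolver logs on that basis. The domain name in it is a constructed placeholder (the article gives only the “gwea.com” suffix), the log lines are constructed, and the log field layout is an assumption.

```python
"""Triage DNS query logs for kill-switch lookups (added example, not the article's code).

Assumed log format, one query per line: "<timestamp> <client_ip> <qname> <rcode>".
KILL_SWITCH_DOMAIN is a CONSTRUCTED placeholder; the real indicator is not on the page
and should be taken from your threat-intelligence feed.
"""
import math
import re
from collections import Counter

# Constructed placeholder standing in for the random-looking kill-switch hostname.
KILL_SWITCH_DOMAIN = "abcdefghijklmnopqrstuvwxyz0123456789gwea.com"

# Assumed resolver log layout (timestamp, client, query name, response code).
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")

# Constructed sample: two hosts looked the domain up before it was registered
# (NXDOMAIN), one host looked it up after the sinkhole went live (NOERROR).
SAMPLE_LOG = """\
2017-05-12T10:01:02Z 10.0.4.17 abcdefghijklmnopqrstuvwxyz0123456789gwea.com NXDOMAIN
2017-05-12T10:01:05Z 10.0.4.17 update.example.net NOERROR
2017-05-12T10:03:44Z 10.0.9.3 abcdefghijklmnopqrstuvwxyz0123456789gwea.com NXDOMAIN
2017-05-12T15:22:10Z 10.0.7.21 abcdefghijklmnopqrstuvwxyz0123456789gwea.com NOERROR
2017-05-12T15:22:11Z 10.0.7.21 www.example.org NOERROR
"""


def parse_log(text):
    """Return (timestamp, client, qname, rcode) tuples for every well-formed line."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, qname, rcode = m.groups()
            records.append((ts, client, qname.lower().rstrip("."), rcode))
    return records


def shannon_entropy(s):
    """Shannon entropy in bits per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(qname, min_len=20, min_entropy=3.5):
    """Heuristic for a long, high-entropy leftmost label, the shape the article describes.

    Thresholds are assumptions; tune them against your own DNS baseline.
    """
    label = qname.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def triage(log_text, domain=KILL_SWITCH_DOMAIN):
    """Map each client that queried the kill-switch domain to a likely outcome.

    NOERROR:  the domain resolved (sinkhole or sandbox answered), so the sample
              exited before encrypting; the host still ran the dropper.
    NXDOMAIN/SERVFAIL: the check failed open, so encryption most likely proceeded.
    The first observation per client decides, since the check runs once at start.
    """
    outcome = {}
    for _ts, client, qname, rcode in parse_log(log_text):
        if qname != domain.lower() or client in outcome:
            continue
        if rcode == "NOERROR":
            outcome[client] = "halted_by_killswitch"
        else:
            outcome[client] = "check_failed_likely_encrypting"
    return outcome


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{host:<12} {verdict}")
```

Every host in the output warrants an incident ticket: the NXDOMAIN hosts are the ones to isolate first, while the NOERROR host still executed the dropper and needs the patch and a clean-up even though its files were not encrypted. The same lookup is what a sandbox trips when it answers all DNS queries, so an analyst who sees a sample make one odd lookup and exit immediately should re-run it with that domain returning NXDOMAIN before concluding it is benign.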

This is by no means the end for this new breed of malware. WannaCry and other malicious software will continue to take advantage of the recent spate of NSA leaks. Someone could even tweak WannaCry to remove the kill switch and send it out into the world again. MalwareTech also reports many who paid the ransom aren’t even getting their decryption keys. The system appears to be manual, which doesn’t scale to the incredible number of computers infected.



ExtremeTech – Internet

