Researcher finds 'kill switch', slows down global ransomware attack
A United Kingdom-based researcher is being called a hero after he discovered a way to slow down the spread of a ransomware strain that affected nearly 100 countries Friday and caused massive disruption to the U.K. healthcare system.
The researcher, tweeting as @MalwareTechBlog, discovered a domain name frequently referenced in the code of the WannaCry ransomware that was spreading across the globe.
“Upon running the sample in my analysis environment I instantly noticed it queried an unregistered domain, which I promptly registered,” he said in a blog post about the incident.
That ended up making all the difference.
“A few seconds after the domain had gone live I received a DM from a Talos analyst asking for the sample I had which was scanning SMB host, which I provided. Humorously at this point we had unknowingly killed the malware.”
It didn’t take long, however, for him to figure out what he’d done.
“All this code is doing is attempting to connect to the domain we registered and if the connection is not successful it ransoms the system, if it is successful the malware exits,” he wrote.
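The logic quoted above is also what lets a defender find affected hosts after the fact: any machine that looked up the kill-switch domain ran the sample, and whether that lookup resolved tells you which branch the code took. The following is an added example, not code from the article or from the researcher; the domain name is a placeholder because the article does not print it, the log format is a simplified "timestamp client query name rcode" layout, and the log lines are constructed samples.

```python
"""Flag hosts whose DNS resolver logs show a lookup of the WannaCry kill-switch domain.

Added example (not from the article). KILL_SWITCH_DOMAIN is a placeholder
since the article does not name the domain; substitute the real sinkhole
domain from your threat-intel feed. Log lines are constructed samples in a
simplified "timestamp client query name rcode" format.
"""
import re
from collections import defaultdict

KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"  # placeholder, not the real domain

# Constructed sample resolver log (not real data). One host looked the domain up
# before it was registered (NXDOMAIN only), two looked it up after (NOERROR).
SAMPLE_LOG = """\
2017-05-12T13:00:30Z 10.0.2.8 query killswitch-placeholder.example NXDOMAIN
2017-05-12T13:01:02Z 10.0.4.17 query killswitch-placeholder.example NOERROR
2017-05-12T13:01:05Z 10.0.4.17 query update.windows.com NOERROR
2017-05-12T13:02:10Z 10.0.7.3 query killswitch-placeholder.example NXDOMAIN
2017-05-12T13:03:44Z 10.0.9.21 query www.example.org NOERROR
2017-05-12T13:04:01Z 10.0.7.3 query killswitch-placeholder.example NOERROR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<name>\S+)\s+(?P<rcode>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_kill_switch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {client: [(timestamp, rcode), ...]} for every lookup of the kill-switch domain."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["name"].lower().rstrip(".") == domain.lower():
            hits[rec["client"]].append((rec["ts"], rec["rcode"]))
    return dict(hits)


def classify(hits):
    """Apply the quoted branch logic to each host's most recent lookup.

    A lookup that resolved (NOERROR) means the connection succeeded and the
    malware exited; a failed lookup (NXDOMAIN, before the domain was
    registered) means the check failed and the ransom branch ran.
    """
    out = {}
    for client, events in hits.items():
        _, last_rcode = max(events)  # ISO-8601 timestamps sort lexically
        out[client] = "neutralized" if last_rcode == "NOERROR" else "likely_detonated"
    return out


def hosts_to_patch(hits):
    """Every host that queried the domain executed the sample and still lacks the fix."""
    return sorted(hits)


if __name__ == "__main__":
    lookups = find_kill_switch_lookups(SAMPLE_LOG)
    for host, verdict in sorted(classify(lookups).items()):
        print(f"{host}: {verdict}")
    print("patch:", ", ".join(hosts_to_patch(lookups)))
```

Run against real resolver exports the same way; the "neutralized" verdict only holds while the domain stays registered and reachable from the host, which is why the patch list includes every host regardless of verdict.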
Friday’s attack was one of the world’s largest coordinated cyberattacks, and reports have tied it to hackers using leaked NSA tools.
By latest count, the attack affected 99 countries through more than 75,000 individual incidents. It also severely crippled the U.K.'s National Health Service, causing doctors to cancel surgeries and other medical procedures. Global shipper FedEx also reported being hit by the ransomware.
While the kill switch managed to stop the spread, it does not help those whose systems were already locked. Once the ransomware works its way into a system, it displays a message demanding payment of either $300 or $600 in Bitcoin to unlock it.
“So long as the domain isn't revoked, this particular strain will no longer cause harm, but patch your systems ASAP as they will try again,” @MalwareTechBlog tweeted Friday night.
Twitter: @HenryPowderly
Contact the author: henry.powderly@himssmedia.com