May 16, 2017

Security Researcher Triggers WannaCry Ransomware Kill Switch; More Attacks Expected

The quick actions of cybersecurity professionals have placed a roadblock in the path of the sweeping WannaCry ransomware menace that’s plaguing the world.

Spread via an NSA-discovered exploit revealed by the hacking group Shadow Brokers last month, the WannaCry ransomware has hit more than a hundred countries around the world.

Knowing it would attract the attention of security researchers, the ransomware payload contained code that queried a certain unregistered domain known to the authors of the ransomware. This code was embedded so that the ransomware would avoid activating in analysis environments such as the virtual machines used by researchers.

A virtual machine is a software environment that imitates dedicated hardware. Researchers routinely use virtual machines to study malicious programs and code, typically while monitoring all outgoing traffic from the program.

To avoid being studied in such an environment, the ransomware was designed to ping a certain unregistered domain. If the query returns anything other than a DNS error (the expected answer for an unregistered domain), the ransomware deduces that its traffic is being manipulated and shuts itself down before it is triggered, so that researchers cannot analyze its behavior.

One wily researcher, who goes by MalwareTech, explains how he or she thwarted a global ransomware campaign.

Upon spotting the unregistered domain that the ransomware was pinging, the researcher immediately registered it in order to monitor the traffic. From that point on, every copy of the ransomware that pinged the domain found it registered and stopped itself from activating on the victim’s computer.

The kill switch has effectively put a dent in the ransomware’s spread, and researchers have since discovered new samples of WannaCry with a different kill-switch domain, which they also managed to register.
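The same lookup that the article describes as anti-analysis logic is also a useful indicator for defenders: any host that queries the kill-switch domain has run the sample, and the resolver's answer tells you whether the sample proceeded (DNS error, as before the domain was registered) or aborted (a real answer, after registration or inside an analysis environment). The following script is an added example, not code from the article or from MalwareTech; the domain names and the DNS log format are constructed placeholders, since the article does not publish the actual kill-switch domains.

```python
"""
Added example (not from the article): triage DNS query logs for kill-switch lookups.

Assumptions, all constructed for this demo:
  - KILL_SWITCH_DOMAINS is a placeholder set; substitute the domains published
    by your vendor or CERT, which the article does not name.
  - Log lines follow a simple "<timestamp> <client-ip> <queried-name> <rcode>" format.
"""
import re

# Placeholder indicators (hypothetical; replace with the published kill-switch domains).
KILL_SWITCH_DOMAINS = {
    "killswitch-placeholder-1.example",
    "killswitch-placeholder-2.example",
}

# Constructed sample log: "<timestamp> <client-ip> <queried name> <DNS rcode>"
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:02Z 10.0.5.17 killswitch-placeholder-1.example NXDOMAIN
2017-05-12T10:01:03Z 10.0.5.17 update.microsoft.com NOERROR
2017-05-12T14:30:00Z 10.0.7.42 killswitch-placeholder-1.example NOERROR
2017-05-12T14:30:01Z 10.0.9.9 www.example.org NOERROR
2017-05-13T08:15:00Z 10.0.3.3 killswitch-placeholder-2.example NOERROR
malformed line that the parser should skip
"""

LOG_RE = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(NXDOMAIN|NOERROR|SERVFAIL)$"
)


def parse_dns_log(text):
    """Yield (timestamp, client, qname, rcode) tuples; lines that do not parse are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, qname, rcode = m.groups()
            yield ts, client, qname.lower().rstrip("."), rcode


def classify(rcode):
    """
    Map the resolver's answer to what the article says the ransomware does next:
      NXDOMAIN   -> the check passed, so the sample proceeded (encryption likely)
      any answer -> the sample assumed it was being analyzed and aborted
    Either way the host executed the sample and needs remediation.
    """
    if rcode == "NXDOMAIN":
        return "PROCEEDED"
    return "ABORTED_BY_KILL_SWITCH"


def triage(text, domains=KILL_SWITCH_DOMAINS):
    """
    Return {client: {"first_seen": ts, "outcome": ..., "domains": [...]}} for every
    host that queried a kill-switch domain. A host that ever PROCEEDED keeps that
    outcome, because it is the more urgent case.
    """
    hits = {}
    for ts, client, qname, rcode in parse_dns_log(text):
        if qname not in domains:
            continue
        entry = hits.setdefault(
            client, {"first_seen": ts, "outcome": None, "domains": []}
        )
        if entry["outcome"] != "PROCEEDED":
            entry["outcome"] = classify(rcode)
        if qname not in entry["domains"]:
            entry["domains"].append(qname)
    return hits


if __name__ == "__main__":
    for client, info in sorted(triage(SAMPLE_DNS_LOG).items()):
        print(f"{client}: {info['outcome']} "
              f"(first seen {info['first_seen']}, domains {info['domains']})")
```

On the constructed log, 10.0.5.17 is reported as PROCEEDED (its lookup returned NXDOMAIN, so the sample would have continued), while 10.0.7.42 and 10.0.3.3 are reported as ABORTED_BY_KILL_SWITCH; 10.0.9.9 never queried an indicator and is not listed. Hosts in the aborted state still ran the sample and should be isolated and patched, not treated as clean.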

“In the last few hours we witnessed a stunning hit rate of 1 connection per second,” wrote researchers at Check Point.

However, other security researchers have since reported new samples of the ransomware that operate without kill switches.

“I can confirm we’ve had versions without the kill switch domain connect since yesterday,” Kaspersky Labs’ Costin Raiu told The Hacker News.

As things stand, the overwhelming consensus among researchers is that new waves of ransomware attacks are to be expected.

“The next attacks are inevitable, you can simply patch the existing samples with a hex editor and it’ll continue to spread,” security researcher and co-founder of Hacker House Matthew Hickey told The Hacker News.

He added:

We will see a number of variants of this attack over the coming weeks and months, so it’s important to patch hosts. The worm can be modified to spread other payloads, not just WCry, and we may see other malware campaigns piggybacking off this sample’s success.

Microsoft has released patches for multiple versions of its Windows operating system (including unsupported versions like Windows XP), which users can download here.


About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high-profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
