May 16, 2017 by

Security Researcher Triggers WannaCry Ransomware Kill Switch; More Attacks Expected

The quick actions of cybersecurity professionals have placed a roadblock in the path of the sweeping WannaCry ransomware menace that’s plaguing the world.

Spread via an NSA-discovered exploit revealed by hacking group Shadow Brokers last month, the WannaCry ransomware across and beyond a hundred countries around the world.

Knowing it would attract the attention of security researchers, the ransomware payload contained code that queried a certain unregistered domain known to the authors of the ransomware. This code was embedded as a workaround to activating in environments like virtual machines, used by researchers.

Virtual machines are an environment installed on software that imitates dedicated hardware. It is routinely used by researchers to study malicious programs and code, typically to oversee all outgoing traffic from the program.

In order to avoid discovery in such an environment, the ransomware was designed to ping a certain unregistered domain. If the domain returns anything other than a DNS error (from the unregistered domain), the ransomware deduces that traffic is being manipulated and hence kills itself from being triggered to avoid any analysis by researchers.

On wily researcher who goes by MalwareTech, explains how he or she thwarted a global ransomware campaign.

Upon spotting the unregistered domain that the ransomware is pinging out to, the researcher immediately registered it to monitor the traffic. From there on in, the ransomware code that pinged the domain discovered it was registered and stopped itself from activating on the victim’s computer.

The kill switch has effectively put a dent on the ransomware’s spread and researchers have since discovered new samples of WannaCry with a different kill-switch that they also managed to register.

“In the last few hours we witnessed a stunning hit rate of 1 connection per second,” wrote researchers at CheckPoint.

However, other security researchers have since reported new samples of the ransomware that operate without kill switches.

“I can confirm we’ve had versions without the kill switch domain connect since yesterday,” Kaspersky Labs’ Costin Raiu told The Hacker News.

As things stand, the overwhelming consensus among researchers is that new waves of ransomware attacks are to be expected.

“The next attacks are inevitable, you can simply patch the existing samples with a hex editor and it’ll continue to spread,” security researcher and co-founder of Hacker House Matthew Hickey told TheHackerNews.

He added:

We will see a number of variants of this attack over the coming weeks and months so it’s important to patch hosts. The worm can be modified to spread other payloads not just WCry and we may see other malware campaigns piggybacking off this samples success.

Microsoft has released patches for multiple versions of its Windows operating system (including unsupported versions like Windows XP), which users can download here.

Image credit: Pexels.

About the author

Image of Author

LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.

Related articles

UK Govt Blames North Korea for WannaCry Ransomware CyberAttack

  The UK government has blamed North Korea for WannaCry - the comprehensive ransomware...

Read more arrow_forward

Researcher who found the Wannacry ‘Kill-Switch’ was arrested by FBI

Researcher who found the ‘Kill-Switch’ for Wannacry Ransomware was arrested by FBI. Marcus...

Read more arrow_forward

TrickBot influenced by WannaCry and Petya, adds a self-spreading Worm Module

Security researchers have discovered that the latest version of Trickbot has been using the Windows...

Read more arrow_forward