A security researcher who goes by the online nickname MalwareTech is the hero of the day, albeit an accidental one, after saving countless computers worldwide from a virulent form of ransomware called Wana Decrypt0r (also referred to as WCry, WannaCry, WannaCrypt, and WanaCrypt0r).
What MalwareTech did was spend around £10 to register a domain he found in the ransomware's source code.
Security researcher finds ransomware kill switch
The researcher discovered that the virulent, self-spreading Wana Decrypt0r ransomware performed a pre-infection check against a domain located at iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.
If the domain was unregistered, the ransomware would start encrypting files. But if the domain was registered, the ransomware would stop its infection process.
By registering this domain, MalwareTech had accidentally triggered a worldwide kill-switch for the ransomware's self-spreading feature.
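From a defender's side, the same check is a useful detection signal: any internal host that looked up the kill-switch domain was running the ransomware's pre-infection check. The following is an added example, not code from the article or from MalwareTech, that scans resolver query logs for such lookups; the log line format (timestamp, client IP, qname, qtype, rcode) and the sample lines are constructed assumptions, so adapt the regex to your own resolver's format.

```python
# Added example: flag hosts whose DNS queries hit the Wana Decrypt0r
# kill-switch domain named in the article. Whether the lookup returned
# NXDOMAIN (domain unregistered at the time) or NOERROR (sinkholed), the
# host issued the ransomware's pre-infection check and should be examined.
import re
from collections import defaultdict

KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Assumed log format: "<timestamp> <client_ip> query: <qname> <qtype> <rcode>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\d{1,3}(?:\.\d{1,3}){3}) query: "
    r"(?P<qname>\S+) (?P<qtype>\S+) (?P<rcode>\S+)$"
)

def parse_line(line):
    """Return a dict of fields for a well-formed log line, else None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_killswitch_lookups(lines):
    """Map client IP -> list of (timestamp, rcode) for kill-switch lookups.

    Comparison is case-insensitive and tolerates a trailing dot, since
    resolvers log query names in either form.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or unrelated log lines
        if rec["qname"].rstrip(".").lower() == KILL_SWITCH_DOMAIN:
            hits[rec["client"]].append((rec["ts"], rec["rcode"]))
    return dict(hits)

# Constructed sample log: 10.0.0.7 queries the domain before and after it
# was registered; 10.0.0.9 logs the name upper-cased with a trailing dot.
SAMPLE_LOG = """\
2017-05-12T10:01:02Z 10.0.0.5 query: www.example.com A NOERROR
2017-05-12T10:01:09Z 10.0.0.7 query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A NXDOMAIN
2017-05-12T10:03:44Z 10.0.0.9 query: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. A NOERROR
2017-05-12T10:04:00Z 10.0.0.7 query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A NOERROR
garbage line that does not match
""".splitlines()

if __name__ == "__main__":
    for client, events in sorted(find_killswitch_lookups(SAMPLE_LOG).items()):
        print(f"{client}: {len(events)} kill-switch lookup(s) -> {events}")
```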
Some analysts are suggesting by sinkholing the domain we stopped the infection? Can anyone confirm?
— MalwareTech (@MalwareTechBlog) May 12, 2017
I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental.
— MalwareTech (@MalwareTechBlog) May 13, 2017
Infections for WannaCry/WanaDecrypt0r are down due to @MalwareTechBlog registering initial C2 domain leading to kill-switch #AccidentalHero
— Warren Mercer (@SecurityBeard) May 12, 2017
#WannaCry propagation payload contains previously unregistered domain, execution fails now that domain has been sinkholed pic.twitter.com/z2ClEnZAD2
— Darien Huss (@darienhuss) May 12, 2017
This doesn't mean the Wana Decrypt0r ransomware outbreak is over, but this particular version of the ransomware will no longer work.
In the near future, the actors behind Wana Decrypt0r could very well deploy a new version with a different domain or a different kill-switch mechanism.
Everyone needs to update their computers!
"It's very important everyone understands that all they [Wana Decrypt0r gang] need to do is change some code and start again," MalwareTech explained last night. "Patch your systems now!"
The Wana Decrypt0r ransomware used a self-spreading mechanism derived from an NSA exploit leaked by the Shadow Brokers. That exploit can be mitigated by installing the patches included with Microsoft security bulletin MS17-010.
Additionally, Microsoft has released an update for older operating systems that are no longer officially supported, such as Windows XP, Windows 8, and Windows Server 2003. The update can be downloaded from here.
People already infected with this ransomware will not get their files back just because that domain was registered; it only means that no new infections will occur with yesterday's strain. Currently, there is no known method of breaking the ransomware's encryption.
The only viable ways of getting files back at the moment are restoring from previous backups or, as a last resort, paying the ransom.
During yesterday's ransomware outbreak, MalwareTech also created a tracker for Wana Decrypt0r victims and a live map showing infections in real time, which has now gone terribly silent. Those affected can discuss this ransomware and receive support in the dedicated WanaCrypt0r & Wana Decrypt0r Help & Support Topic. Bleeping Computer has also published a technical analysis of the Wana Decrypt0r ransomware.
Comments
JohnC_21 - 6 years ago
Was reading an article where XP runs on 90% of Britain's NHS Trust Systems. :-(
bigqwayne - 6 years ago
Curious why that was put in the code or maybe the author just forgot it was in there.
GT500 - 6 years ago
He probably didn't expect someone to find the domain in the source and register it that quickly.
Silverhammer - 6 years ago
Sounds like this guy deserves a medal. Maybe some big "thank you" donations as well. Crowdfunding could be established for him. How much money and frustration has this guy saved the world? Just imagine if he had not found this code. The attack may have continued for hours/days.
The big corporations and governments should all be sending him praise and nice deposits into his bank account.
His fortunate discovery may have been "accidental" but that doesn't mean he's any less deserving.