A UK cybersecurity researcher found how to halt the spread of one of the most dangerous malware strains of recent years. The method? Simply spending 10.60 dollars to register a very long domain that the WannaCry ransomware looks up.

In the last few hours, a ransomware called WannaCry has affected many organizations worldwide, including Telefonica, FedEx and the UK’s National Health Service (NHS), where hospital computers started showing a ransom message demanding $300 worth of bitcoin.

Now an “accidental hero” has interrupted the global spread of the ransomware just by spending a few dollars to register a domain name that the malware makes a request to.

This man, apparently a UK cybersecurity researcher who tweets as @malwaretechblog, found that a switch was hardcoded into the ransomware “in case the creator wanted to stop it spreading”. It takes the form of a very long domain name that the malware tries to connect to (much like looking up any website). If the connection succeeds, showing the domain is live, the ‘kill switch’ triggers: the malware shuts itself down immediately and the spread of the ransomware is halted.

In the following tweet, Warren Mercer (technical security leader at Cisco) confirmed that infections by WannaCry/WanaDecrypt0r are down thanks to the discovery by @MalwareTechBlog

The domain is a dot-com address formed by a long string of gobbledygook letters and numbers: ‘iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com’. According to The Daily Beast, @MalwareTechBlog saw that the domain wasn’t registered and decided to buy it at NameCheap.com for just 10.69 dollars. He then pointed it at a ‘sinkhole’ server in California, simply intending to collect information on the malware. Suddenly he saw thousands of connections per second.

Cisco detected that connections to ‘iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com’ started at 07:24 UTC on Friday 12 May, with a peak nearly 10 hours later. You can see the evolution in the following chart:
(Chart: WannaCry ransomware connections, source: Cisco)
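The same lookups that filled the sinkhole chart above also appear in an organization’s own DNS resolver logs, so a defender can use them to find which internal hosts ran the worm and when. The following is an added example, not code from the article or from Cisco or @MalwareTechBlog; the log line format is an assumption and the log lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Kill-switch domain named in the article.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample resolver log (not real traffic). Assumed line format:
# "<ISO-8601 UTC timestamp> <client-ip> query <queried-name>"
SAMPLE_DNS_LOG = """\
2017-05-12T07:24:03Z 10.1.4.17 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T07:24:05Z 10.1.4.17 query www.example.com
2017-05-12T07:31:40Z 10.1.9.80 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T08:02:11Z 10.1.4.17 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T08:15:27Z 10.2.0.5 query update.example.org
2017-05-12T17:10:00Z 10.3.3.3 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)$")

def parse_line(line):
    """Parse one log line into (timestamp, client, qname) or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname = m.groups()
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            client, qname.rstrip(".").lower())

def find_kill_switch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return (hosts, hourly): hosts maps client -> (first_seen, lookup count);
    hourly counts lookups per UTC hour, the same view as the Cisco timeline."""
    hosts, hourly = {}, Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, qname = parsed
        if qname != domain:
            continue
        hourly[ts.strftime("%Y-%m-%dT%H:00Z")] += 1
        first, count = hosts.get(client, (ts, 0))
        hosts[client] = (min(first, ts), count + 1)
    return hosts, hourly

if __name__ == "__main__":
    hosts, hourly = find_kill_switch_lookups(SAMPLE_DNS_LOG)
    for client, (first, count) in sorted(hosts.items()):
        print(f"{client}: first lookup {first:%Y-%m-%d %H:%M}Z, {count} lookup(s)")
    for hour, n in sorted(hourly.items()):
        print(f"{hour}: {n}")
```

Each host listed is one where the worm ran and reached its kill-switch check; since the malware stops only when the lookup succeeds, the domain must stay resolvable from inside the network rather than being added to a blocklist.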

However, @MalwareTechBlog warns of a new threat to come. “There’s a very likely chance that they’re going to unveil a new version of the ransomware to start it again. If people don’t patch their computers it will happen again”, he claimed.

According to Cisco, users must ensure that all their Microsoft Windows systems are fully patched. At the very least, they encourage applying Microsoft bulletin MS17-010. Any organization with the SMB service publicly accessible from the internet (ports 139, 445) should immediately block inbound traffic. Apart from these two recommendations, companies should block all connections to Tor on their networks.

The researcher is reporting all his findings:

More information in this story from The Guardian and on the Cisco security blog.


The image used has some rights reserved.

A guy discovers accidentally a ‘kill switch’ that can prevent the spread of the WannaCry ransomware