Menu
Kill switch slowly stops the spread of deadly ransomware

Kill switch slowly stops the spread of deadly ransomware

A security researcher may have helped stop the spread of the ransomware, which hit tens of thousands of PCs worldwide

Ransom demand screen displayed by WannaCry Trojan (Image - Symantec Security Response)

Ransom demand screen displayed by WannaCry Trojan (Image - Symantec Security Response)

The relentless ransomware attack ravaging organisations across the world may have stopped spreading to new machines -- at least briefly -- thanks to a "kill switch" that a security researcher has activated.

The ransomware, called Wana Decryptor or WannaCry, has been found infecting machines across the globe, with governments in both Australia and New Zealand on high alert.

Specifically, it works by exploiting a Windows vulnerability that the U.S. National Security Agency may have used for spying.

The malware encrypts data on a PC and shows users a note demanding US$300 in bitcoin to have their data decrypted with images of the ransom note circulating on Twitter.

Security experts have detected tens of thousands of attacks, apparently spreading over LANs and the internet like a computer worm.

However, the ransomware also contains a kill switch that may have backfired on its developers, according to security researchers.

Wana Decryptor infects systems through a malicious program that first tries to connect to an unregistered web domain.

The kill switch appears to work like this - if the malicious program can’t connect to the domain, it’ll proceed with the infection. If the connection succeeds, the program will stop the attack.

A security researcher who goes by the name MalwareTech found that he could activate the kill switch by registering the web domain and posting a page on it.

MalwareTech's original intention was to track the ransomware's spread through the domain it was contacting. “It came to light that a side effect of us registering the domain stopped the spread of the infection,” he said in an email.

Security firm Malwarebytes and Cisco’s Talos security group reported the same findings and said new ransomware infections appear to have slowed since the kill switch was activated.

However, Malwarebytes researcher Jerome Segura said it’s too early to tell whether the kill switch will stop the Wana Decryptor attack for good.

This is what the victim’s wallpaper is changed to following the breach (Image - Avast Software)
This is what the victim’s wallpaper is changed to following the breach (Image - Avast Software)

Segura warned that other versions of the same ransomware strain may be out there that have fixed the kill-switch problem or are configured to contact another web domain.

Unfortunately, computers already infected with Wana Decryptor will remain infected, he said.

Friday’s ransomware attack first spread through a massive email phishing campaign. At least some of those emails appeared to be messages from a bank about a money transfer, according to Cisco’s Talos group.

Victims who opened the attachment in the email were served with the ransomware, which takes over the computer, security researchers said.

The Wana Decryptor itself is no different from other typical ransomware strains. Once it infects the PC, it’ll encrypt all the files on the machine, and then demand the victim pay a ransom to free them.

But unlike other ransomware, Wana Decryptor has been built to spread quickly. It does so by incorporating a hacking tool that security researchers suspect came from the NSA and was leaked online last month.

The hacking tool, dubbed EternalBlue, can make it easy to hijack unpatched older Windows machines. Once Wana Decryptor has infected the first machine, it’ll attempt to spread to other machines on the same local network. Then it will scan the internet for vulnerable machines.

“It creates a snowball-like effect,” Segura said. “A few machines will be infected, then it’ll try to contact more.”

Security firm Avast said it had detected more than 75,000 attacks in 99 countries, with Russia, Ukraine and Taiwan among the hardest-hit countries. The U.K.’s National Health Service was one of the biggest organizations hit by the ransomware.

The ransomware was designed to work in numerous languages, including English, Chinese and Spanish, with ransom notes in each.

Segura advised victims not to pay the ransom because it encourages the hackers. Instead, he says they should wait for next few days as security researchers study the ransomware’s coding and try to come up with free ways to solve the infection.

On Friday, Microsoft said users will be protected from the ransomware if they’re running the company’s free antivirus software or have installed the latest patches.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securitymalwareransomwarecyber security

Featured

Slideshows

Meet the leading female front runners of the Kiwi channel

Meet the leading female front runners of the Kiwi channel

Reseller News honoured the leading female front runners of the New Zealand channel at the 2018 Women in ICT Awards (WIICTA) in Auckland. The awards honoured standout individuals across seven categories, spanning Entrepreneur; Innovation; Rising Star; Shining Star; Community; Technical and Achievement.

Meet the leading female front runners of the Kiwi channel
Meet the top performing customer-centric Microsoft channel partners

Meet the top performing customer-centric Microsoft channel partners

Microsoft honoured leading partners across the channel following a year of customer innovation and market growth in New Zealand. The 2018 Microsoft Partner Awards recognised excellence within the context of the end-user, spanning a host of emerging and established providers.

Meet the top performing customer-centric Microsoft channel partners
Reseller News launches new-look Awards at 2018 Judges’ Lunch

Reseller News launches new-look Awards at 2018 Judges’ Lunch

Introducing the Reseller News Innovation Awards, launched to the channel at the 2018 Judges’ Lunch in Auckland. With more than 70 judges now part of the voting panel, the new-look awards will reflect the changing dynamics of the channel, recognising excellence across customer value and innovation - spanning start-ups, partners, distributors and vendors.

Reseller News launches new-look Awards at 2018 Judges’ Lunch
Show Comments