WannaCry Ransomware Halted by Accident

Zarathustra[H]

Extremely [H]
Joined
Oct 29, 2000
Messages
38,090
As we reported on yesterday, there was a little bit of a ransomware making its way around the world. It turns out, one of the reasons this outbreak was not as bad as it could have been was because of a lucky accident.

A security blogger who goes by the name of MalwareTech started digging into the WannaCry Ransomware while on vacation. He noticed that the ransomware was attempting to contact a specific address every time it infected a new computer. That address it was contacting, a long mess of numbers and letters, had apparently not been registered, so he paid $10.68 to register it. Turns out that the ransomware was programmed with a "kill-switch" stopping its spread if it got a response from that site, and as soon as the site responded, the ransomware stopped spreading.

While this particular strain of the ransomware has thus been stopped, this does not mean that future strains will have this same kill-switch. This discovery also does nothing for those who have already been impacted.

More detailed information can be found in MalwareTech's blog.


"The attention has been slightly overwhelming. The boss gave me another week off to make up for this train-wreck of a vacation."

For discussion regarding the original outbreak of the ransomware, please see this thread.
 
Last edited:
That is great news! Hopefully a decryption tool gets release to help those already affected.
 
HAHAHAHA that's fucking awesome! Mad props to this guy. I'm glad his boss gave him another week of vacation too.
 
Yeah, it sounds weird that they would build in a kill switch like that. I'm not sure what the logic would be on the part of the malware writer. Maybe its their way of deprecating old versions as they release new ones?
 
If true, that isn't the definition of an "accident". Halted on purpose would be accurate because he stopped it on purpose. He wasn't the author but he still stopped it intentionally not unintentionally.
 
  • Like
Reactions: dgz
like this
So the only reason this was stopped so fast was because the original malware writer hardcoded in a very poorly designed test to check if it was running in a sandbox which when tripped stoped the spread of the malware. So give it few days and a new version will be released that ignores the test or does something different. Then we will be pretty much back to square one since half of the computers will still not be updated.
 
So the only reason this was stopped so fast was because the original malware writer hardcoded in a very poorly designed test to check if it was running in a sandbox which when tripped stoped the spread of the malware. So give it few days and a new version will be released that ignores the test or does something different. Then we will be pretty much back to square one since half of the computers will still not be updated.

More or less.

Rumor has it a version without the kill switch has already been spotted in the wild.

If anything it gives IT departments across the planets another few hours of time to install Microsoft's patch that fixes this problem, and if they decide not to, they deserve whatever comes their way.
 
If true, that isn't the definition of an "accident". Halted on purpose would be accurate because he stopped it on purpose. He wasn't the author but he still stopped it intentionally not unintentionally.

Well, I don't think he had any idea what would happen once he registered the site with that name.

Granted, That's what I would do after making that discovery too, but...
 
Would not be surprised if this whole release was a false flag attack staged by our own government
 
If anything it gives IT departments across the planets another few hours of time to install Microsoft's patch that fixes this problem, and if they decide not to, they deserve whatever comes their way.

Hopefully we can use this as the catalyst for a "for fuck's sake, either sandbox these things from the network or get rid of these servers" directive. We've had 5 2003R2 servers that we can't get rid of because the outside groups that actually support the applications are dragging their feet.

I came in on Sunday just to ensure that everything has it (maintenance window when I can safely reboot the computers). I'm down to two XP machines that aren't responding to pings, so they're turned off, and a server that is so broken that it can't have any Windows Updates applied. 2008R2, no service packs. And, that's our primary engineering server. Over 5TB of drawings. At least we'll have it gone by August, but it pisses me off every time I look at it. I can't patch it. You have to have at least Windows 2008 R2 SP1 to download the fix, and updates are FUCKING DISABLED! RTM. No Patches. If you try, the updates fail. Luckily, we've changed support vendors, and I've put my foot down; I'm not going to get chastised because I have to run basic maintenance and their stuff falls apart if say mean things to it.
 
In a perfect world, this 22 year old guy (in the anti-malware industry) would get a friggin' huge bonus check. (After making sure HE didn't start it! ;) )
 
If true, that isn't the definition of an "accident". Halted on purpose would be accurate because he stopped it on purpose. He wasn't the author but he still stopped it intentionally not unintentionally.

I posted this story yesterday in the other big thread, with a link to theguardian: https://www.theguardian.com/technol...tch-to-stop-spread-of-ransomware-cyber-attack

Here are his own words about it being an accident:

MalwareTech @MalwareTechBlog

I will confess that I was unaware registering the domain would stop the malware until after i registered it, so initially it was accidental.
 
If true, that isn't the definition of an "accident". Halted on purpose would be accurate because he stopped it on purpose. He wasn't the author but he still stopped it intentionally not unintentionally.
I assume he didn't know being able to access the address would result in stopping. So registered the address to see what would happen, the result was an unknown quantity. For all he knew it could've switched the ransomware into gear 2.
 
Yeah, it sounds weird that they would build in a kill switch like that. I'm not sure what the logic would be on the part of the malware writer. Maybe its their way of deprecating old versions as they release new ones?
The purpose of the kill switch is clear. They could've used that as an additiional layer of extortion. They had hoped the spread wouldn't stop so early and a global epidemic would happen, and then they would ask governments to pay them millions and in return they'd kill the plague. At least that's what I'd have done.
 
I assume he didn't know being able to access the address would result in stopping. So registered the address to see what would happen, the result was an unknown quantity. For all he knew it could've switched the ransomware into gear 2.

There's already another variant that doesn't respond to this "kill command" unfortunately.
 
https://mxtoolbox.com/PortScan.aspx

Check to see if you have port 445 open. If you do not, then you most likely wont get infected.

That does protect from the remote execution flaw but this malware can also be spread via email but any decent anti-virus should quarantine this, Windows Defender/Microsoft Security Essentials does. In reading about this apparently when it scans for machines it only tries to target machines that it think it will work on, even if they are unpatched. For instance, I doesn't seem to try to attack Windows 10 machines because out of the box even without the SMBv2 patch Windows Defender will quarantine this and I'm guessing that was an effort to allow it to go undetected.
 
In a perfect world, this 22 year old guy (in the anti-malware industry) would get a friggin' huge bonus check. (After making sure HE didn't start it! ;) )
In a perfect world Microsoft wouldn't release swiss cheese operating systems that didn't undergo enough security testing so they aren't getting hacked every week.
 
In a perfect world Microsoft wouldn't release swiss cheese operating systems that didn't undergo enough security testing so they aren't getting hacked every week.

Except all software has bugs and this is a perfect example of attacks due to having such a huge install base. Apple is starting to feel it too now with various spyware apps.
 
In a perfect world Microsoft wouldn't release swiss cheese operating systems that didn't undergo enough security testing so they aren't getting hacked every week.
Sadly a lot of this is just code to support API's to make specific calls and functions within the OS. Yes some of it clearly was done in a sloppy fashion but it isn't like the code was left open unintentionally. It was intentionally left open and documented in specific API documentation. Only upon realizing it could be used for malicious purposes was the code updated to close that function.
 
When talking to journalists, always set the expectations and ground rules for exposure before the interview.
 
Back
Top