Belfast Telegraph

NHS cyber attack: Analyst discovers WannaCry ransomware's hidden kill switch 'by accident', halts thousands of attacks for $10

Registering a domain name listed within the program helps stop thousands of attack

A 22-year-old cybersecurity analyst accidentally shut down vast numbers of attacks by the devastating WannaCry ransomware by buying a domain name hidden in the program for about £8.29.

The domain name is believed to have been written into the software by the hackers to act as a kill switch.

Each time the program tried to infect a computer, it would try to contact the webpage. If it failed, WannaCry would carry on with the attack, but if it succeeded it would stop.

The analyst, who tweets as MalwareTech and works for Kryptos Logic, a security firm, admitted he had not realised that buying the domain name, for just $10.69, would have this fortunate effect.

WannaCry has infected tens of thousands of computers across the world, shutting down vital systems used by the NHS in Britain.

Speaking to the Daily Beast, MalwareTech said he noticed the domain name, a string of nonsensical letters ending in gwea.com, in the code.

“I saw it wasn’t registered and thought, ‘I think I’ll have that,’” he told the website.

After buying the domain name, he pointed it to a ‘sinkhole’ server in the US, hoping simply to get more information about WannaCry.

“Immediately we saw five or six thousand connections a second,” MalwareTech said.

He said this appeared to have stopped large numbers of attacks, but confessed he had done this “completely by accident”.

And he warned people should still take precautions because the hackers could simply slightly alter the program to carry on making attacks.

“If we did stop it, there’s like a 100 per cent chance they’re going to fire up a new sample and start that one again,” he said.

“As long as people don’t patch, it’s just going to keep going.”

His realisation that he had helped stop some of the attacks, particularly in the US, was played out on his Twitter account.

“Some analysts are suggesting by sinkholing the domain we stopped the infection? Can anyone confirm?” he wrote.

“I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental.”

Dan Goodin, security editor at the ArsTechnica blog, wrote: “The virally spreading worm was ultimately stopped when … MalwareTech … took control of a domain name that was hard-coded into the self-replicating exploit.

“The domain registration, which occurred around 6am California time, was a major stroke of good luck, because it was possible only because the attackers had failed to obtain the address first.

“The address appeared to serve as a sort of kill switch the attackers could use to terminate the campaign.

“MalwareTech's registration had the effect of ending the attacks that had started earlier Friday morning in other parts of the world.

“As a result, the number of infection detections plateaued dramatically in the hours following the registration. It had no effect on WCry infections that were initiated through earlier campaigns.”

Ryan Kalember, of security firm Proofpoint, told the Guardian that MalwareTech should get “the accidental hero award of the day”.

Hacking tool developed by NSA

Mysterious hacking ground Shadow Brokers - claimed in April to have released a 'cyber weapon' hacking tool that was developed by the National Security Agency.

The NSA had developed the ‘Eternal Blue’ weapon to gain access to computers around the world but the tool was stolen and leaked by Shadow Brokers. It is thought a criminal gang may then have used the 'cyber weapon' to gain access to computers including NHS systems.

NSA whistleblower Edward Snowden lambasted the agency on Twitter following the attacks on Friday.

"Despite warnings, @NSAGov built dangerous attack tools that could target Western software. Today we see the cost," Mr Snowden tweeted.




Global attack: At least 74 countries affected

The malicious software behind the onslaught appeared to exploit a vulnerability in Microsoft Windows that was supposedly identified by the US National Security Agency for its own intelligence-gathering purposes and was later leaked to the internet.

Russia appeared to be the hardest hit, according to security experts, with the country's Interior Ministry confirming it was struck.

All told, several cybersecurity firms said they had identified the malicious software, which so far has been responsible for tens of thousands of attacks, in more than 60 countries.

That includes the United States, although its effects there did not appear to be widespread, at least initially.

In the US, FedEx reported its Windows computers were "experiencing interference" from malware, but would not say if it had been hit by ransomware.

Chris Wysopal of the software security firm Veracode said criminal organisations were probably behind the attack, given how quickly the malware spread.

"For so many organisations in the same day to be hit, this is unprecedented," he said.

The security holes it exploits were disclosed several weeks ago by TheShadowBrokers, a group that has published what it says are hacking tools used by the NSA as part of its intelligence-gathering.

Shortly after that disclosure, Microsoft announced it had already issued software "patches" for those holes.

But many companies and individuals have not installed the fixes yet or are using older versions of Windows that Microsoft no longer supports and did not fix.

By Kaspersky Lab's count, the malware struck at least 74 countries.

In addition to Russia, the biggest targets appeared to be Ukraine and India, nations where it is common to find older, unpatched versions of Windows in use, according to the security firm.

Spain, meanwhile, took steps to protect critical infrastructure in response to the attack.

Authorities said they were communicating with more than 100 energy, transportation, telecommunications and financial services providers about the attack.

Spain's Telefonica, a global broadband and telecommunications company, was among the companies hit.

What is ransomware?

Ransomware does not traditionally aim to steal personal or sensitive data held on a computer or system, instead focusing on blocking access to and threatening to delete files.

Aatish Pattni from cyber security firm Check Point, said the version of Wanna Decryptor used in the attack was a new piece of malware.

"The ransomware used in this attack is relatively new - it was first seen in February 2017, and the latest variant emerged earlier today, Friday 11 May," he said.

"Even so, it's spreading fast, with organisations across Europe and Asia being hit.

"It shows just how damaging ransomware can be - and how quickly it can cause disruption to vital services.

"Organisations need to be able to prevent infections taking hold in the first place, by scanning for, blocking and filtering out suspicious files content before it reaches their networks.

"It's also essential that staff are educated about the potential risks of incoming emails from unknown parties, or suspicious-looking emails that appear to come from known contacts."

A map showing the spread of 'Wanna Decryptor' infections around the world is available here.

How can ransomware infection be prevented?

Security experts say users should ensure their computer software is always up to date. Often important security updates are contained within these downloads and can prevent known viruses from infecting a device.

Users should also be vigilante in relation to email and not open any links or downloading attachments in emails from unfamiliar or possibly suspicious sources.

Experts also warn that software, apps and other programs should never be downloaded from unofficial sources as this is another common method for hackers to secretly install malware onto computers.

Pete Turner, from cyber security firm Avast, said: "It's critical that organisations and employees, particularly those in our most critical sectors like healthcare, start to think pro-actively about how to protect themselves from ransomware."

Further information on how to protect systems from ransomware is available from the National Cyber Security Centre.

Independent News Service

Popular