TECH

This Is How A 22-Year-Old Managed To Stop The WannaCry Ransomware From Spreading

It sounds so simple, and yet.

15/05/2017 3:46 PM IST | Updated 15/05/2017 9:23 PM IST

Having attacked hundreds of computer systems including numerous NHS hospitals, the WannaCry ransomware was finally brought to a standstill.

Rather than being defeated by some vast cybersecurity organisation, the ransomware was stopped in its tracks by a 22-year-old security researcher from Devon called @MalwareTechBlog.

In the process of trying to learn more about the ransomware the security researcher inadvertently activated the malware’s kill switch preventing it from activating.

So how did he do it?

Hidden inside the code of the ransomware was a strange request.

Before it could lock down a computer and demand the ransom, the malware did something odd, it looked to see if a particular web address was registered. (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com if you’re curious).

If it found that the website was unregistered the malware was given the green light and proceeded to infect the targeted computer, encrypting its contents and demanding a ransom.

However, if the website was registered the malware would see this as a red flag, cease installing on the targeted computer and is effectively stopped in its tracks.

Curious to see what would happen, the researcher bought the domain for the princely sum of around $10 and decided to execute the malware again.

Sure enough, upon finding that the domain had been registered WannaCry stopped installing and shut down. It really was that simple.

Twitter

So why would a hacker create such a crippling kill switch inside their piece of software?

Writing on the National Cyber Security Centre website, @MalwareTech believe that it was in fact designed to make the malware harder to detect from cyber security researchers.

You see in some situations cyber security companies create “sandbox environments” where they can trap a piece of malware and then safely let it run without it being a risk to the outside world.

In these environments it is possible that the web address mentioned earlier would be seen as registered.

In effect the kill switch was actually a way for the malware to find out if it’s in a real environment or a fake one, thus preventing analysis or discovery by cyber security researchers.

What the hackers may not have considered was that someone would then actually go and register the domain in the real world.

While the security researcher admits that he was unaware registering the domain would stop WannaCry, the act of registering it itself is just part of his day job.

Using a kill switch like this is not uncommon, as part of his job the researcher confesses to registering thousands of domains every single year as part of an ongoing crackdown on this safety measure.

So is WannaCry stopped for good? Sadly not.

“One thing that is very important to note,” explains @MalwareTech, “Is our sinkholing only stops this sample and there is nothing stopping them removing the domain check and trying again, so it’s incredibly important that any unpatched systems are patched as quickly as possible. You can now even get a patch for XP.”

More On This Topic