By Michael Kan
May 15, 2017
Friday’s unprecedented ransomware attack may have stopped spreading to new machines -- at least briefly -- thanks to a "kill switch" that a security researcher has activated.
The ransomware, called Wana Decryptor or WannaCry, has been found infecting machines across the globe. It works by exploiting a Windows vulnerability that the U.S. National Security Agency may have used for spying.
The malware encrypts data on a PC and shows users a note demanding $300 in bitcoin to have their data decrypted. Images of the ransom note have been circulating on Twitter. Security experts have detected tens of thousands of attacks, apparently spreading over LANs and the internet like a computer worm.
However, the ransomware also contains a kill switch that may have backfired on its developers, according to security researchers.
Wana Decryptor infects systems through a malicious program that first tries to connect to an unregistered web domain. The kill switch appears to work like this: If the malicious program can’t connect to the domain, it’ll proceed with the infection. If the connection succeeds, the program will stop the attack.
A security researcher who goes by the name MalwareTech found that he could activate the kill switch by registering the web domain and posting a page on it.
MalwareTech's original intention was to track the ransomware's spread through the domain it was contacting. “It came to light that a side effect of us registering the domain stopped the spread of the infection,” he said in an email.
Michael Kan. The Wanna Decryptor ransomware's ransom note.
However, Malwarebytes researcher Jerome Segura said it’s too early to tell whether the kill switch will stop the Wana Decryptor attack for good. He warned that other versions of the same ransomware strain may be out there that have fixed the kill-switch problem or are configured to contact another web domain.
Unfortunately, computers already infected with Wana Decryptor will remain infected, he said.
Friday’s ransomware attack first spread through a massive email phishing campaign. At least some of those emails appeared to be messages from a bank about a money transfer, according to Cisco’s Talos group.
Victims who opened the attachment in the email were served with the ransomware, which takes over the computer, security researchers said.
The Wana Decryptor itself is no different from other typical ransomware strains. Once it infects the PC, it’ll encrypt all the files on the machine, and then demand the victim pay a ransom to free them.