Trending / May 15, 2017

WannaCry: Just Another Manic Monday?

On Friday afternoon, the UK’s National Health System (NHS) began reporting infections of a new ransomware strain known as WannaCry. Throughout Friday and into Saturday morning, it spread like wildfire across the world, infecting computers in over 150 countries. In the news was account after account of PCs, smart TVs, ATMs, and arrival and departure displays getting hit as WannaCry sought to find and infect everything it could get its hands on.

And then . . . it seemed to just . . . well . . . stop.

With the help of Darien Huss from security firm Proofpoint, an “accidental hero” who goes by the Twitter handle @malwaretechblog found and inadvertently activated a “kill switch” in the malicious software.

“I was out having lunch with a friend and got back about 3pm and saw an influx of news articles about the NHS and various UK organisations being hit,” he told the Guardian. “I had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time.”

And just like that, he spent $10.69 to register the domain, which activated the kill switch and inadvertently saved the world!

It almost reads like a too-good-to-be-true holiday movie plot, and it likely is. Because, like all successful movies in Hollywood today, you know we’re getting a sequel whether we want it or not, and it’s going to be way worse than the original.

Already on Sunday, reports were coming in from security researchers, as well as new victims from around the world, that new variants of WannaCry were beginning to pop up. One of the first new variants was found by @benkow_ and reverse engineered by @msuiche, who quickly found the new kill switch domain and registered it to stop the next wave of attacks. @msuiche was able to coordinate with @malwaretechblog and mapped the new domain to sinkhole name servers to feed the live interactive infection map.
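The sinkhole mapping described above is what turns a registered kill-switch domain into an infection map: every host that runs the malware and can reach the internet queries the domain once per start, so unique source addresses per domain approximate infected hosts per variant. The following is an added example of that triage, not code from this post or from the researchers named in it; the kill-switch domains and sinkhole log lines are constructed placeholders, not the real WannaCry indicators.

```python
"""Sinkhole telemetry triage (added example; domains and logs are constructed)."""
from collections import defaultdict
from datetime import datetime

# Hypothetical kill-switch domains registered by responders, keyed to the
# variant that embeds each one. Not the real WannaCry domains.
KILL_SWITCH_DOMAINS = {
    "killswitch-variant-a.example": "variant A",
    "killswitch-variant-b.example": "variant B",
}

# Constructed sinkhole log: "<ISO timestamp> <client ip> <queried name>".
SAMPLE_LOG = """\
2017-05-14T15:02:11Z 203.0.113.10 killswitch-variant-a.example
2017-05-14T15:02:12Z 203.0.113.10 killswitch-variant-a.example
2017-05-14T15:05:40Z 198.51.100.7 killswitch-variant-b.example
2017-05-14T16:10:03Z 203.0.113.44 killswitch-variant-a.example
2017-05-14T16:11:59Z 192.0.2.9 unrelated.example
"""


def parse_line(line):
    """Return (hour bucket, client ip, variant), or None for non-kill-switch names."""
    ts, client, name = line.split()
    variant = KILL_SWITCH_DOMAINS.get(name.rstrip(".").lower())
    if variant is None:
        return None
    stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return stamp.strftime("%Y-%m-%dT%H:00Z"), client, variant


def infected_hosts(log_text):
    """Map variant -> hour bucket -> set of unique client ips seen at the sinkhole."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            hour, client, variant = parsed
            seen[variant][hour].add(client)   # repeat queries collapse per host
    return seen


def summarize(log_text):
    """Return {variant: total unique hosts} across all hour buckets."""
    seen = infected_hosts(log_text)
    return {v: len(set().union(*buckets.values())) for v, buckets in seen.items()}


if __name__ == "__main__":
    for variant, hosts in summarize(SAMPLE_LOG).items():
        print(f"{variant}: {hosts} unique hosts reached the sinkhole")
```

Bucketing by hour is what lets the same data drive a time series of new infections per variant; a real sinkhole feed would also carry the resolver address, which hides many clients behind one IP and makes these counts a lower bound.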

Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab, discovered another variant, 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd, that appears to be corrupted and only partially works.

But by late Sunday afternoon, new variants without a kill switch were beginning to be collected by researchers’ honeypots, including MD5 d724d8cc6420f06e8a48752f0da11c66, which Matt Suiche reversed and confirmed has no kill switch; the binary had been patched, not recompiled.

Microsoft has issued an unprecedented number of patches, including ones for unsupported operating systems, and security teams around the world have had the weekend to activate incident response and business continuity plans. They’ve been working around the clock, but, then again, likely so too have the bad guys.

For the most part, the world got lucky. Many workers, particularly in Asia, had logged off and headed home for the weekend before WannaCry really got going and a good portion of North America was still not into work by the time our accidental hero triggered the kill switch. This left largely European targets who were in the right time zone at the wrong time to bear the brunt of the attack.

The big question is: What happens on Monday when workers return to their office PCs, bring in their laptops from home, and plug into the corporate LAN or VPN for their regular work day? There are bound to be not only updated variants in the wild by then, hastily patched and eventually properly recompiled (created by both the original attackers and countless copycats), but also many organizations (e.g., the NHS, which proactively shut down computers on Friday) that may come online already infected with one or more of the WannaCry variants.

There’s been little media coverage or speculation about the details of the investigation by the world’s law enforcement agencies, which might change the narrative of this story drastically on Monday as well, especially if silence means that they are closing in on the perpetrators.

That doesn’t sound too likely, though, as Europol’s executive director Robert Wainwright has said, “Europol is working with the FBI to track down the criminals responsible for the malware,” and it’s going to be “very difficult.”

“We have never seen anything like this. We’ve seen the rise of ransomware becoming the principal cyber threat, but this is something we’ve never seen before, the global reach is unprecedented.”

Like most of the world, I am very curious to see what Monday brings . . .
