The WannaCry ransomware campaign that saw 61 NHS Trusts in the UK attacked has been halted thanks to the actions of a UK security blogger and malware researcher. The individual, who wishes to remain anonymous, found a kill switch in the ransomware that, once triggered, stops new infections before any files are encrypted.
The WannaCry ransomware campaign was launched on Friday May 12, 2017, with infections occurring at lightning speed. In contrast to many ransomware campaigns that are highly targeted on specific industries or geographical locations, this attack was global.
It soon became apparent that the WannaCry ransomware campaign was one of the largest ever conducted. On Saturday, there were 57,000 known infections in 100 countries. By this morning, as the dust started to settle, the victim count had soared to more than 200,000, spread across 150 countries.
The attackers have made around $50,000 from the WannaCry ransomware campaign so far although that figure will rise considerably over the next few days.
There is no decryptor for this ransomware variant. Organizations therefore have two choices: recover files from a backup or pay the ransom demand, bearing in mind that payment is no guarantee of recovery. The ransom is $300 per device, with the amount set to double after 3 days if payment is not received. If payment is not made within 7 days, the attackers say they will permanently delete the keys needed to unlock the encryption.
While the kill switch has been activated, that only means a temporary halt to new infections. Any individual or business that has already been attacked will still have to pay the ransom or recover files from a backup. Further, just because this variant had a flaw that allowed the campaign to be neutralized, it does not mean the attacks will stop. The cybercriminals behind this campaign will not be happy that their income stream has been blocked, and new variants without the kill switch are almost certain to be released.
The kill switch was discovered by the researcher and blogger 'Malware Tech', who is based in the South West of the UK and started looking into the ransomware on Friday when the attacks commenced. During the analysis, Malware Tech noticed that the worm code referenced a domain which had not been registered and for which no site existed.
Malware Tech registered the domain, which stopped the ransomware from encrypting files on newly infected machines. It was not known at the time, but registering the domain activated the kill switch: before doing anything else, the worm attempts to connect to that domain and, if the connection succeeds, exits. The failsafe could have been included to give the attackers a way to stop the campaign, but it was more likely an anti-analysis check. Sandboxes used by security researchers commonly answer any DNS or HTTP request, so a successful connection to a domain that should not exist suggests the malware is running in a virtual analysis environment rather than on a real victim.
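The following is an added model of the check described above, not the worm's own code. The domain is a placeholder (the page does not name the real one), and the three fetch functions are constructed stand-ins for network conditions so that the model runs offline. It also shows the caveat a defender should know: the check is a direct connection that ignores proxy settings, so on a network where hosts can only reach the internet through a proxy the connection fails and the malware proceeds as if the domain were still unregistered.

```python
"""Model of a WannaCry-style kill switch / anti-sandbox check (added example)."""
import urllib.error
import urllib.request
from typing import Callable

# Placeholder (assumption): the page does not name the real kill-switch domain.
KILL_SWITCH_DOMAIN = "example-killswitch.invalid"


def domain_is_live(domain: str, fetch: Callable[[str], int]) -> bool:
    """True if a plain HTTP GET to the domain succeeds, False on any failure.

    Only the success of the connection matters, not what is served.
    """
    try:
        fetch(f"http://{domain}/")
        return True
    except Exception:
        return False


def should_detonate(domain: str, fetch: Callable[[str], int]) -> bool:
    """The inverted logic that turns an anti-analysis check into a kill switch.

    A live response from a domain that should not exist is read as "sandbox that
    answers everything", so the malware exits. Once the domain is registered,
    every real machine with direct internet access looks like a sandbox.
    """
    return not domain_is_live(domain, fetch)


def direct_fetch(url: str, timeout: float = 3.0) -> int:
    """Real network check that bypasses system proxy settings, as the worm did."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(url, timeout=timeout) as resp:
        return resp.status


# Constructed stand-ins for the network situations that matter.
def fetch_unregistered(url: str) -> int:
    # Before the domain was bought: DNS has no record, so the request fails.
    raise urllib.error.URLError("Name or service not known")


def fetch_registered_or_sandbox(url: str) -> int:
    # After registration (a sinkhole answers), or a sandbox that fakes every host.
    return 200


def fetch_blocked_direct_egress(url: str) -> int:
    # Proxy-only network: a direct connection times out even though the domain
    # is registered, so the kill switch does not protect these hosts.
    raise urllib.error.URLError("timed out")


def outcome(fetch: Callable[[str], int]) -> str:
    """Human-readable result of the check under a given network condition."""
    return "encrypts" if should_detonate(KILL_SWITCH_DOMAIN, fetch) else "exits quietly"


if __name__ == "__main__":
    scenarios = [
        ("unregistered domain", fetch_unregistered),
        ("registered domain / sandbox", fetch_registered_or_sandbox),
        ("proxy-only network", fetch_blocked_direct_egress),
    ]
    for name, fetch in scenarios:
        print(f"{name:30} -> {outcome(fetch)}")
```

To exercise the real path, call `should_detonate("a-domain-you-control", direct_fetch)` from a host with and without direct egress; the proxy-only case is the one that explains why some patched-looking networks still saw infections after the domain was registered.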
Had Malware Tech not discovered the kill switch, it is probable that a great many more computers would have been infected.
IT security professionals have therefore been bought a little time. It is now essential that all vulnerable systems are protected by applying the patch Microsoft issued in March, MS17-010, which closes the SMBv1 flaw the worm uses to spread between machines. Where the patch cannot be applied, other mitigations, such as disabling SMBv1 and blocking inbound TCP port 445 at the network perimeter, will need to be put in place quickly.