As soon as I saw on CNN that registering a single web address may have stopped a global malware attack, I knew I had to find out what this domain name was, AND how in the world registering a domain name could stop ransomware. In case you missed it, WannaCry (a.k.a. WCry, Wannacry, WanaCrypt0r, WannaCrypt, Wana Decrypt0r) malicious software (it arrives as an email with an attachment in your inbox) attacked over 200,000 users in over 150 countries.
What it basically does is take over all your files, encrypt them and ask for a ransom of $300 if you want to decrypt them. Unfortunately, this is another bad advertisement for Bitcoin, because the payments are accepted only in Bitcoin, giving the criminals the opportunity to collect funds while remaining anonymous.
Without making the explanation too technical: the malware would query this unregistered domain. If the domain was still unregistered, the malware would continue its job. The team at MalwareTech wanted to figure out whether the malware would still proceed to spread and work if this domain was registered. They registered the domain name, and voila, the global catastrophe stopped. Bear in mind that MalwareTech usually:
- Looks for unregistered or expired C2 domains belonging to active botnets and points them to their sinkhole (a sinkhole is a server designed to capture malicious traffic and prevent control of infected computers by the criminals who infected them).
- Gathers data on the geographical distribution and scale of the infections, including IP addresses, which can be used to notify victims that they're infected and to assist law enforcement.
- Reverse engineers the malware and checks whether there are any vulnerabilities in the code which would allow them to take over the malware/botnet and prevent its spread or malicious use, via the domain they registered.
I was digging a lot to find the domain name in question, until I found a tweet that someone tried to hijack the domain from them!
Got this email last night, looks like someone in China attempted to steal the domain (link is expired so posting). https://t.co/OsMgKdfT5c
— MalwareTech (@MalwareTechBlog) May 14, 2017
This allowed me to finally see the domain name in question, and to make a whois request (below) to check whether the domain is in fact pointed to a sinkhole and who the owner is. Indeed, with our Whois API, I was able to see that the domain name iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com was registered on 2017-05-12 and pointed to the ns1.sinkhole.tech nameserver.
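The sinkhole operator sees infected machines from the outside, by their public IP addresses; a defender can apply the same idea to their own resolver logs, because any host that looks up the kill-switch domain named above is running the malware. The following Python script is an added example (not code from this post or from MalwareTech): it scans constructed BIND-style DNS query-log lines for lookups of that domain and reports which internal hosts made them. The hosts, timestamps and exact log format are assumptions.

```python
import re
from collections import Counter

# Kill-switch domain named in the post; a lookup of it is an infection indicator.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Regex for a BIND-style query-log line (tolerates the optional "@0x..." client tag).
QUERY_LINE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): query: "
)

def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'EXAMPLE.COM.' matches 'example.com'."""
    return name.strip().rstrip(".").lower()

def is_kill_switch_query(qname: str, domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """True when the queried name is exactly the kill-switch domain."""
    return normalize(qname) == normalize(domain)

def find_infected_hosts(log_text: str, domain: str = KILL_SWITCH_DOMAIN) -> dict:
    """Return {client_ip: query_count} for every client that looked up the domain."""
    hits = Counter()
    for line in log_text.splitlines():
        m = QUERY_LINE.search(line)
        if m and is_kill_switch_query(m.group("qname"), domain):
            hits[m.group("ip")] += 1
    return dict(hits)

# Constructed sample log lines (hypothetical internal hosts, ports and timestamps).
SAMPLE_LOG = """\
12-May-2017 09:14:02.117 client 10.0.5.23#51234 (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com): query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.1)
12-May-2017 09:14:05.440 client @0x7f3c 10.0.5.23#51240 (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com): query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A +E(0)K (10.0.0.1)
12-May-2017 09:14:07.002 client 10.0.7.8#40001 (www.example.com): query: www.example.com IN A + (10.0.0.1)
12-May-2017 09:15:11.310 client 10.0.9.77#33012 (IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.): query: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. IN A + (10.0.0.1)
"""

if __name__ == "__main__":
    for ip, n in sorted(find_infected_hosts(SAMPLE_LOG).items()):
        print(f"{ip}: {n} kill-switch lookup(s), host should be isolated and patched")
```

Because a successful lookup of this domain is what makes the malware stop, the domain should be reported on at the resolver, never blocked: a host whose lookup fails behaves as if the domain were still unregistered and carries on.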
Bear in mind that this isn't the end of WannaCry, and we highly recommend that you update your Windows systems, perform regular backups, and do not open suspicious attachments! Remember that these cyber extortionists tricked victims into opening malicious attachments to spam emails that seemed to contain invoices, job offers, security warnings and other legitimate files.