As soon I saw on CNN that registering a single web address may have stopped a global malware attack, I knew I had to find out what this domain name was and how in the world registering a domain name could stop ransomware. In case you missed it, Wannacry (a.k.a. WCry, WannaCry, WanaCrypt0r, WannaCrypt, Wana Decrypt0r) malicious software (arrives as an email with an attachment in your inbox) attacked over 200,000 users in over 150 countries.
What it basically did was take over all your files, encrypt them, and asks for a ransom of $300 if you want to decrypt them. Unfortunately, this is another bad advertisement for Bitcoin because the payments are accepted only in Bitcoin, giving criminals the opportunity to collect funds while remaining anonymous.
Without making the explanation to technical, the malware would query this unregistered domain. If it was still unregistered, the malware would continue its job. The team at MalwareTech wanted to figure out if the malware would proceed to spread and work if this domain was registered. They registered the domain name, and voila, global catastrophe stopped. Have in mind that MalwareTech usually:
- Look for unregistered or expired C2 domains belonging to active botnets and point it to their sinkhole (a sinkhole is a server designed to capture malicious traffic and prevent control of infected computers by the criminals who infected them).
- Gather data on the geographical distribution and scale of the infections, including IP addresses, which can be used to notify victims that they’re infected and assist law enforcement.
- Reverse engineer the malware and see if there are any vulnerabilities in the code that would allow us to take over the malware/botnet and prevent the spread or malicious use, via the domain we registered.
I was digging a lot to find the domain name in question until I found a tweet that someone tried to hijack the domain from them!
Got this email last night, looks like someone in China attempted to steal the domain (link is expired so posting).https://t.co/OsMgKdfT5c
— MalwareTech (@MalwareTechBlog) May 14, 2017
This allowed me to finally see the domain name in question, and to make a whois request (below) if the domain is in fact pointed to a sinkhole and who is the owner. Indeed, with our Whois API, I was able to see that the domain name iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com was registered 2017-05-12 and pointed to a ns1.sinkhole.tech nameserver.
Have in mind that this isn’t the end of WannaCry, and we highly recommend that you update your Windows systems, perform regular backups, and do not open suspicious attachments! Remember that these cyber extortionists tricked victims into opening malicious malware attachments to spam emails that seemed to contain invoices, job offers, security warnings and other legitimate files.
What was WannaCry?
WannaCry, also known as WannaCrypt, was a notorious ransomware attack that occurred in May 2017. It quickly became one of the most widespread and damaging cyberattacks in history. Here are the key details about WannaCry:
- Ransomware: WannaCry is a type of malicious software (malware) known as ransomware. Ransomware encrypts a victim’s files and demands a ransom, usually in Bitcoin or another cryptocurrency, in exchange for a decryption key that can unlock the files.
- Propagation: WannaCry spread rapidly across the globe by exploiting a vulnerability in Microsoft Windows operating systems. It primarily targeted computers running outdated or unpatched versions of Windows, particularly Windows XP. Microsoft had actually released a security patch for the vulnerability in March 2017, two months before the attack, but many systems had not been updated.
- Encryption: Once it infected a system, WannaCry encrypted the user’s files, making them inaccessible. Victims then received a ransom note demanding payment in Bitcoin, with the threat of permanent file deletion if the ransom wasn’t paid within a specified timeframe.
- Global Impact: WannaCry infected hundreds of thousands of computers in over 150 countries within a few days of its release. Hospitals, businesses, government agencies, and individuals were among its victims. This widespread impact led to significant disruptions and financial losses.
- Kill Switch: A security researcher accidentally discovered a “kill switch” in WannaCry’s code. By registering a specific domain, the researcher was able to halt the ransomware’s spread temporarily, providing some relief to affected organizations and allowing them to patch their systems.
- Attribution: The attack was initially attributed to the North Korean government by various cybersecurity firms and government agencies. However, attribution in the world of cybersecurity can be complex, and there has been ongoing debate about the true identity of the attackers.
- Lessons Learned: WannaCry served as a wake-up call for the importance of keeping software up to date and applying security patches promptly. It also highlighted the need for robust cybersecurity practices, including regular data backups and employee training to recognize and avoid phishing attacks.
In summary, WannaCry was a major ransomware attack that exploited a Windows vulnerability to rapidly infect computers worldwide, encrypt files, and demand ransom payments. Its impact underscored the importance of cybersecurity hygiene and the need for organizations and individuals to take steps to protect themselves against such threats.