What is the domain name that stopped WannaCry?

As soon as I saw on CNN that registering a single web address may have stopped a global malware attack, I knew I had to find out what this domain name was, AND how in the world registering a domain name could stop ransomware. In case you missed it, the WannaCry (a.k.a. WCry, WannaCry, WanaCrypt0r, WannaCrypt, Wana Decrypt0r) malicious software (it arrives as an email with an attachment in your inbox) attacked over 200,000 users in over 150 countries.

What it basically does is take over all your files, encrypt them, and ask for a ransom of $300 if you want to decrypt them. Unfortunately, this is another bad advertisement for Bitcoin, because the payments are accepted only in Bitcoin, giving the criminals the opportunity to collect funds while remaining anonymous.


Without making the explanation too technical: the malware would query this unregistered domain, and if it was still unregistered, the malware would continue its job. The team at MalwareTech wanted to figure out whether the malware would still proceed to spread and work if this domain was registered. They registered the domain name, and voila, global catastrophe stopped. Bear in mind that MalwareTech usually:

  1. Looks for unregistered or expired C2 domains belonging to active botnets and points them to their sinkhole (a sinkhole is a server designed to capture malicious traffic and prevent control of infected computers by the criminals who infected them).
  2. Gathers data on the geographical distribution and scale of the infections, including IP addresses, which can be used to notify victims that they’re infected and to assist law enforcement.
  3. Reverse engineers the malware to see if there are any vulnerabilities in the code that would allow us to take over the malware/botnet and prevent the spread or malicious use, via the domain we registered.

I did a lot of digging to find the domain name in question, until I found a tweet that someone had tried to hijack the domain from them!

This allowed me to finally see the domain name in question, and to make a WHOIS request (below) to check whether the domain is in fact pointed to a sinkhole and who the owner is. Indeed, with our Whois API, I was able to see that the domain name iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com was registered on 2017-05-12 and pointed to the ns1.sinkhole.tech nameserver.

iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
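To make that WHOIS check repeatable, here is a small Python helper added for this post (it is not WhoAPI code) that parses a plain-text WHOIS record and reports whether the domain is registered and whether its nameservers point at a sinkhole. The record labels and the "sinkhole" substring match are assumptions; the sample records are constructed, with only the domain, the registration date and the ns1.sinkhole.tech nameserver taken from the post.

```python
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Nameserver substring that marks a sinkhole. "sinkhole.tech" is the host the
# post found; matching on the generic substring is an assumption for this example.
SINKHOLE_MARKER = "sinkhole"

@dataclass
class WhoisSummary:
    domain: str
    registered: bool
    creation_date: Optional[date]
    nameservers: list = field(default_factory=list)

    @property
    def sinkholed(self) -> bool:
        # A registered domain whose nameservers point at a sinkhole host.
        return self.registered and any(SINKHOLE_MARKER in ns for ns in self.nameservers)

def parse_whois(raw: str) -> WhoisSummary:
    """Summarise a plain-text WHOIS record using the common registrar labels
    ("Domain Name:", "Creation Date:", "Name Server:"). A record with no
    creation date (e.g. a "No match for domain" reply) is treated as unregistered."""
    domain, creation, nameservers = "", None, []
    for line in raw.splitlines():
        key, _, value = line.strip().partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "domain name":
            domain = value.lower()
        elif key == "creation date":
            m = re.match(r"(\d{4})-(\d{2})-(\d{2})", value)
            if m:
                creation = date(*map(int, m.groups()))
        elif key == "name server" and value:
            nameservers.append(value.lower().rstrip("."))
    return WhoisSummary(domain, creation is not None, creation, nameservers)

# Constructed sample records (not real WHOIS output); the time of day is a placeholder.
SINKHOLED_RECORD = """\
Domain Name: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM
Creation Date: 2017-05-12T00:00:00Z
Name Server: NS1.SINKHOLE.TECH
"""
UNREGISTERED_RECORD = 'No match for domain "NOT-YET-REGISTERED-EXAMPLE.COM".\n'

if __name__ == "__main__":
    for record in (SINKHOLED_RECORD, UNREGISTERED_RECORD):
        s = parse_whois(record)
        print(s.domain or "(unregistered)", s.creation_date, "sinkholed:", s.sinkholed)
```

Feed it the raw text returned by a WHOIS client or API and a domain that comes back unregistered, or registered but without a sinkhole nameserver, is the one to look at more closely.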

Bear in mind that this isn’t the end of WannaCry, and we highly recommend that you update your Windows systems, perform regular backups, and do not open suspicious attachments! Remember that these cyber extortionists tricked victims into opening malicious attachments to spam emails that seemed to contain invoices, job offers, security warnings and other legitimate files.

Founder and CEO of WhoAPI Inc. Goran Duskic is an internet entrepreneur since 2006. He co-founded and sold several online ventures, including a web hosting company.

Comments

  • Bob
    June 2, 2017

    It was spread using the DoublePulsar SMB exploit, not email.
    Back up regularly, and use a private IP.
