WannaCry ransomware attack hits one hundred fifty countries, brought down by a domain name registration.
A massive eruption of malware on Friday hit thousands of organizations in an estimated one hundred fifty countries and had an enormous impact on the United Kingdom National Health Service before being quickly foiled by one domain name registration.
WannaCry targets Windows machines that have not installed a March security patch. It encrypts files on the hosts it infects and demands payment for the decryption key.
The attack is big news for many reasons.
- First, it spread ransomware over the network using a remotely exploitable vulnerability, so it needed no user error or social engineering to install itself.
- Second, it hit an estimated quarter-million machines, including thousands at large organizations like Telefonica, the NHS, Deutsche Bahn and FedEx.
- Third, it exposed a real risk to human life. Seventy thousand NHS machines, including medical devices, were infected. Reportedly, some non-critical patients had to be turned away from United Kingdom hospitals, and operations were cancelled because doctors could not access medical records.
- Fourth, the WannaCry ransomware attack appears to be based on code developed by the US National Security Agency and leaked last month.
All in all, it was an attack of a size we have not seen for years.
But it appears to have been accidentally stopped from propagating further on Friday by the simple act of registering a domain name.
A young British security researcher who goes by the handle “MalwareTech” was studying the WannaCry code on Friday afternoon when he stumbled on an unregistered domain name.
On the assumption that the malware author perhaps planned to use that domain as a command center, MalwareTech spent the 10 USD to register it.
MalwareTech discovered that once the domain was registered, the malware stopped encrypting.
He thought it was a fail-safe or kill switch, but he later concluded that the author had included the domain lookup as a way to thwart security researchers like himself, who run malware code in protected sandbox environments.
In some sandbox environments, traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to. A side effect of this is that if an unregistered domain is queried, the sandbox responds as if it were registered.
Once the domain was registered, WannaCry instances on newly infected machines assumed they were running in sandboxes and turned themselves off before inflicting further harm.
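To make the mechanism concrete, here is an added example that is not from the article or from MalwareTech's analysis. It models the two resolver behaviours the article describes (public DNS, where an unregistered name gets no answer, and a sandbox that answers every lookup with its own address), shows why registering the domain and running in such a sandbox both produce the same "stop" decision, and adds a defender-side check that flags hosts querying the kill-switch domain in DNS logs. The domain name, IP addresses and log lines are constructed placeholders; the real kill-switch domain is not given here.

```python
"""Model of a DNS-based kill switch and a DNS-log check for it.

Added example, not code from the article or from WannaCry itself.
KILLSWITCH_DOMAIN, SANDBOX_IP and SAMPLE_LOG are constructed placeholders.
"""
from typing import Callable, Dict, Iterable, List, Optional, Set

KILLSWITCH_DOMAIN = "killswitch-placeholder.invalid"  # placeholder, not the real domain
SANDBOX_IP = "10.0.0.1"                                # constructed sandbox address

# A resolver maps a hostname to an address, or None when the name does not resolve.
Resolver = Callable[[str], Optional[str]]


def real_dns(registered: Dict[str, str]) -> Resolver:
    """Models public DNS: only registered names resolve; everything else is NXDOMAIN (None)."""
    def resolve(name: str) -> Optional[str]:
        return registered.get(name.rstrip(".").lower())
    return resolve


def sandbox_dns() -> Resolver:
    """Models the sandbox behaviour from the article: every lookup, registered
    or not, is answered with the sandbox's own address so traffic can be captured."""
    def resolve(name: str) -> Optional[str]:
        return SANDBOX_IP
    return resolve


def probe_says_stop(resolver: Resolver, domain: str = KILLSWITCH_DOMAIN) -> bool:
    """The decision the article describes: if the lookup succeeds, the sample
    concludes it is being analysed and stops. Returns True when it would stop."""
    return resolver(domain) is not None


def flag_killswitch_lookups(log_lines: Iterable[str], domain: str = KILLSWITCH_DOMAIN) -> List[str]:
    """Defender-side check over DNS query logs.

    Returns the client addresses that queried the kill-switch domain. Any such
    query means the malware ran its probe on that host, whether or not it then
    encrypted anything, so the host warrants investigation and patching.

    Constructed log format: '<timestamp> <client_ip> query <name> <rcode>'.
    """
    hosts: Set[str] = set()
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        if parts[3].rstrip(".").lower() == domain.lower():
            hosts.add(parts[1])
    return sorted(hosts)


# Constructed DNS log: two hosts query the placeholder domain, one queries something benign.
SAMPLE_LOG = [
    "2017-05-12T10:01:03Z 192.0.2.23 query killswitch-placeholder.invalid. NXDOMAIN",
    "2017-05-12T10:01:05Z 192.0.2.10 query www.example.com. NOERROR",
    "2017-05-12T10:02:41Z 192.0.2.10 query KILLSWITCH-PLACEHOLDER.INVALID. NXDOMAIN",
    "2017-05-12T10:03:00Z 192.0.2.44 query updates.example.net. NOERROR",
]


if __name__ == "__main__":
    before = real_dns({})                                    # Friday morning: domain unregistered
    after = real_dns({KILLSWITCH_DOMAIN: "203.0.113.7"})     # after registration (constructed IP)
    print("public DNS, unregistered -> stop?", probe_says_stop(before))   # False: keeps running
    print("public DNS, registered   -> stop?", probe_says_stop(after))    # True: turns itself off
    print("capturing sandbox        -> stop?", probe_says_stop(sandbox_dns()))  # True: looks 'registered'
    print("hosts that ran the probe:", flag_killswitch_lookups(SAMPLE_LOG))
```

The three `probe_says_stop` calls show the whole story in one place: on an unpatched machine with normal DNS the probe fails and the malware proceeds, while either registering the domain or running in an answer-everything sandbox makes the probe succeed. The log check is the practical takeaway for a defender: once a kill-switch domain is known, a query for it in DNS logs identifies infected hosts even if the sample stopped short of encrypting.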
MalwareTech was declared the hero of the day by the news media, but it appears that versions of the malware without the kill switch had already started infecting machines over the weekend.
Many are warning that the start of the work week today may see a new rash of infections.