“You probably can’t picture a grown man jumping around with the excitement of having just been ransomwared, but this was me,” MalwareTech says in his blog. We don’t know his identity yet, but at the peak of the WannaCry ransomware outbreak, a 22-year-old was sitting at his desk, devising a way to plug the ransomware. By his own admission, when he found the kill switch, MalwareTech wasn’t aware that he had killed the ransomware in its tracks. However, he explains in his blog post that the steps he took were that of a seasoned veteran.
What’s the killswitch?
“A researcher going by the name MalwareTech managed to suspend infection by registering a domain, with a long and nonsensical name,” explained Alexander Gostev, Chief Security Expert, Global Research and Analysis Team, Kaspersky Lab. In his blog, MalwareTech explained that finding this domain was part of the usual steps he would take to plug malware. The WannaCry ransomware addressed this domain and without a positive reply from it, would install the encryptor on the affected PC, proceeding to take over.
The domain in question wasn’t registered to anyone and hence would not return a positive reply. MalwareTech basically bought this domain, and created what is called a sinkhole to capture data coming to it. A sinkhole is a server that has been setup to capture traffic, which prevents the malware from gaining control of infected PCs. MalwareTech and other security researchers, including Gostev have explained that this was only a temporary fix, since the attackers could simply change the domain name and carry on with their nefarious activities.
Despite that, MalwareTech actually prevented a lot of PCs from suffering WannaCry’s devastating effects. “In the remainder of the day, the domain was addressed tens of thousands of times, which means that tens of thousands of computers were spared,” said Gostev. In his blog, MalwareTech said he found the sinkhole servers close to maximum load shortly after he set it up.
Did the attackers catch a feeling?
There have been theories that the killswitch within the ransomware’s code was kept intentionally, in place something goes wrong. One wonders whether the attackers caught a feeling, keeping a backdoor in case their exploit became too big to handle. The unregistered domain trick would serve as a circuit breaker, which MalwareTech used to break the circuit.
Experts, including MalwareTech himself do not agree. Of course, the fact that newer versions of WannaCry came out after the killswitch was found, pretty much nullifies that theory. Kaspersky’s Gostev says the killswitch was a way to “complicate analysis of the malware’s behaviour”. Testing environments used in research are often designed such that any domain returns a positive response; in such cases, the Trojan would do nothing in the testing environment, Gostev explained. “Having heard to conflicting answers (as to why the killswitch was placed in the first place), I anxiously loaded back up my analysis environment and ran the sample….nothing. I then modified my host file so that the domain connection would be unsuccessful and ran it again…..RANSOMWARED,” wrote MalwareTech. His first test environment is in sync with what Gostev explained, while he redid the same to perfect his tests.
What these experts are saying is that while the killswitch may have been intentional, its intended purpose wasn’t the same.
For the record, the loophole in Windows systems had been plugged by Microsoft some months ago. The malware exploits a loophole made public by a group called Shadow Brokers, and you and your business can still be safe from it. Here’s a story explaining how.