Header graphic for print
LimeGreenIP News

$10 domain name halts spread of WannaCry ransomware

BEMalwareA major global ransomware attack going by the name of WannaCry was recently short circuited by the registration of a single domain name costing just over $10.  The unregistered domain name consisting of random characters was apparently programmed into the WannaCry malware by its creators in order to function as a “kill switch” and was discovered by a young British Internet security researcher, who promptly registered the domain name, thus halting spread of the ransomware.

Ransomware is a type of malware that, once downloaded, uses vulnerabilities, known as “exploits” in computer operating systems in order to encrypt a user’s data; it then demands payment in exchange for unlocking this data.  Such malware is often downloaded via an infected email attachment, although, in the case of the WannaCry malware, it was via a worm that sought out vulnerable computers and then spread the infection on its own.  Users affected by the WannaCry malware thus switched on their systems to find the following message:

Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted.  Maybe you are busy looking for a way to recover your files, but do not waste your time.   Nobody can recover your files without our decryption service.

This message was accompanied by a demand for the payment of $300 to a Bitcoin wallet address in order to unlock the encrypted files.  Bitcoins are a so called “cryptocurrency” used for making digital payments and they can be bought online (or even via Bitcoin ATMs, of which there are apparently over 800 worldwide). 
The number of active Bitcoin users will, it has been estimated, reach 4.7 million by the end of 2019.  Nevertheless, the digital currency is regarded with either suspicion or outright hostility by many governments due to its close association with illegal activities such as money laundering and tax evasion. Bitcoin accounts (or wallets) are identified only by pseudonyms and are not managed by any central authority, making them the ideal conduit for the proceeds of fraud.

It is alleged that the exploit that the WannaCry malware took advantage of to wreak its havoc was discovered by a special cyber team within the National Security Agency (NSA), the US agency responsible for the global monitoring, collection, and processing of information and data for foreign intelligence and counterintelligence purposes.  It appears that knowledge of the exploit was either leaked or hacked from the NSA, subsequent to which, it was released to the public in April 2017, when Wikileaks published information obtained by a group of hackers called Shadow Brokers.

A patch against the vulnerability exploited by the WannaCry malware has been available since March of this year, probably subsequent to a tip off by the NSA, but users who had not installed the security update, as well as those using older systems that are no longer supported, were left vulnerable to the attack.

Alongside several large companies that were badly affected, one of the worst hit by the WannaCry malware was the United Kingdom’s National Health Service (NHS), which experienced chaos and delays to critical medical services as computer systems lost access to patient files and the ability to communicate with each other.  It appears that the NHS was among the hardest hit by the virus due to the fact that a high percentage of NHS trusts were still using obsolete computer software that is no longer supported with security updates and patches.

In the midst of the chaos unleashed by the release of the virus, a 22-year-old British security researcher, who goes by the pseudonym of MalwareTech, was scanning the codes for the software behind WannaCry when he noticed in them a very long and nonsensical domain name.  Finding that this domain name was unregistered, MalwareTech promptly registered it for $10.69 not knowing precisely what outcome to expect from doing so.  As it turned out, he found himself to be an accidental hero as he had effectively activated an inbuilt “kill switch” for the software.  Further attacks were circumvented as the malware queried the domain name and, upon finding it registered, ceased to carry out its mission.

Pursuant to recounting the story of his discovery on his blog, the previously anonymous MalwareTech found himself inundated with worldwide media attention, including from the notorious British tabloid press, who eventually revealed his identity.  MalwareTech subsequently complained via this Twitter account of a campaign of harassment and “doxing” and has even said that he will need to move house after his address was leaked by “one of the largest UK newspapers”.  Doxing is the name given by hackers to the practice of exposing the identity and/or whereabouts of a person (usually another hacker) by publishing on the Internet details about them acquired from searching publicly available databases and social networks as a form of revenge.

MalwareTech, who has no formal qualifications and was scouted by his employer (an LA-based threat intelligence company), on the basis of his ethical hacking, was awarded a $10,000 bounty for halting the WannaCry attack by HackerOne, a group that rewards ethical hackers for finding software flaws.  He went on to divide the reward money between various charities and educational resources for IT security students.

The WannaCry malware attack was notable for its speed and scope, facilitated as it was by the leaked exploit, but it revealed itself to be rather amateurish in its execution.  A short time after MalwareTech’s registration of the kill switch domain name, a new version of the malware was released with a different domain name embedded as a kill switch.  Unsurprisingly, this domain was quickly picked up by another security researcher in Dubai and this second version also thwarted.

Additionally, it seems that the WannaCry malware did not automatically verify whether a particular victim had paid the Bitcoin ransom by assigning them a unique Bitcoin address, but rather only one of four hardcoded Bitcoin addresses.  This meant that the creators of the malware would need to work out manually which parties had sent payment and then send them the decryption key.  With thousands of users affected, this could only be a recipe for error and confusion and it demonstrated a lack of seriousness, even for a criminal operation.

All these elements have led some commentators to speculate that the motivation behind the attack was more political than financial and that it could even have been the work of the Shadow Brokers attempting to further embarrass the NSA.

As for the ill-gotten gains of the WannaCry software creators, the @actual_ransom Twitter handle was set up to regularly tweet updates with regard to the amount of payments to the Bitcoin wallet associated with the ransomware.  At the time of this story going to print, there had been 316 payments amounting to 50.48263529 Bitcoins, or $111,998.95, and no withdrawals.  This is actually a very low profit for an attack of the scale of the WannaCry malware.  By way of comparison, a lesser known ransomware attack in 2015 dubbed Angler generated around $60 million in revenue for its perpetrators.

Regardless of who is behind the WannaCry malware, the lesson to be gleaned from this latest outbreak of viral mayhem is undoubtedly the importance of keeping computer systems updated and properly backed up.

First published on Anchovy News: Anchovy® is our comprehensive and centralised online brand protection service for global domain name strategy, including new gTLDs together with portfolio management and global enforcement using a unique and exclusive online platform developed in-house. For more information please contact us at  anchovynews@hoganlovells.com