As the Wcry ransomware burned across the globe yesterday, spreading to more than 80 countries thanks to a bug in Windows that the NSA deliberately kept secret in order to weaponize it, it seemed unstoppable.
But the pseudonymous security researcher behind the @malwaretechblog account and Darien Huss from Proofpoint discovered a kill-switch lurking in Wcry's code: before infected systems attempted to find new systems to attack, they checked to see if iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com was registered — and if it was, they aborted the attack.
When @malwaretechblog registered the domain, they immediately began to receive thousands of inbound connections from infected systems. When @malwaretechblog's server responded, the infection stopped spreading. The tens of thousands of systems already affected remain locked up, but no new systems are being infected — for now.
It would be the work of minutes to make a new version of this malware without the killswitch. So now it's a race between people who are alarmed enough about this live vulnerability to encourage others to patch their systems and malware authors who are planning to take another crack at world domination.
The Wcry epidemic illustrates a bizarre fact of life in the 21st century: petty criminal nitwits are able to pull off heists on the scale that we used to association with nation-state-backed militias. In the case of Wcry, it's not just the dumb mistake of hiding a killswitch in the code and assuming no one would find it — it's also the petty nature of the ransom, a mere $300, which appears to have netted the criminal masterminds behind it a whopping $18,000 — to reactivate systems whose downtime was costing millions.
This is actually pretty bad news. A lot of threat modeling is based on something like economic rationality by your adversary: you assume that no one would spend $10 to steal $1 from you. But with nitwits, all bets are off: this isn't about designing a safe to keep out a smart mastermind cat-burglar, it's trying to figure out if a drunk and belligerent dudebro will walk up to you on the street and punch you in the face to blow off some pent-up hormonal steam.
Now on the one hand, nearly $18k is a nice little earn yet on the other, for tens of thousands of infections to have totalled only 52 payments seems very small. That could well go up though; regardless of the kill switch, many machines remain infected and if there's a 3-day window of payment before the cost escalates, you'd expect plenty of people to be holding off for a bit. It'll be interesting to look at those Bitcoin addresses in another 48 hours.
Everything you need to know about the WannaCry / Wcry / WannaCrypt ransomware
[Troy Hunt]
'Accidental hero' finds kill switch to stop spread of ransomware cyber-attack
[Olivia Solon/The Guardian]
.@malwareunicorn This is the reason infections are dropping off – it contained a kill switch, that was activated before US woke up. NEW propagation = dead. pic.twitter.com/l4VKZ45kq7
— Kevin Beaumont (@GossiTheDog) May 12, 2017
