
Accidental hero? Who ‘stopped’ the WannaCrypt ransomware attack


The world's largest information security teams are investigating WannaCrypt, the malware that hit several companies and institutions last Friday (12). The threat was, however, largely (though not entirely) stopped by an unknown person. A young man who goes by @malwaretechblog on Twitter halted the ransomware's spread and prevented the attack from reaching more countries.


The 22-year-old Briton, who does not want to be named, works at an American threat intelligence firm. He reportedly halted WannaCrypt after discovering a domain (an internet address) tied to the malware's spread. Before infecting more computers, the malware checked whether that domain was online: if the address answered, it stopped; if it did not, it carried on.

Understand how the WannaCrypt ransomware attack was stopped – Photo: Pond5



"I took a quick look [at the attacks], got a sample of the malware and realized that it was connecting to a specific unregistered domain. So I went there and registered [the domain]," he said. For this, he received help from a technician at the security company Proofpoint.

The young man bought the domain for US$ 10.69 (about R$ 33). According to him, the company he works for routinely buys domains involved in cyber attacks for research purposes, since these addresses often reveal how a piece of malware operates.

At first, the young man was accused of having started the attack on servers around the world because of his link to the domain hard-coded in the malware. It later became clear that it was the other way around: by registering and taking control of the address, he triggered a mechanism that paused WannaCrypt's propagation.

"The intention was just to monitor the spread and see if we could do something about it later. But, really, I ended up preventing [the ransomware] from spreading just by registering the domain," he said.

Investigating further, @malwaretechblog found out why this happened. WannaCrypt carried a deliberate shutdown mechanism, a kill switch, tied to an odd-looking domain. If the criminals who created the threat wanted to disable it at any time, registering the address anonymously would be enough. Apparently, they did not expect anyone to discover the domain name hidden in the WannaCrypt code so soon.

There is a catch, however. The check is a direct connection to the domain that ignores the system's proxy settings. If the infected PCs sit on an internal network that cannot reach the internet at the moment of infection, or can only reach it through a proxy, the malware cannot contact the registered domain, treats the check as failed, and keeps spreading. Variants with the online check removed altogether can also circulate, perpetuating the ransomware cycle.
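To make the fail-open behaviour of the kill switch concrete, the following Python model (an added illustration, not code from the article or from the malware itself) reproduces the decision the malware makes and runs it through the network situations described above. The domain name is a placeholder, not the real hard-coded address, and the network outcomes are simulated by injected callables so the code runs offline; `direct_fetch` shows what a real, proxy-bypassing check would look like.

```python
"""Model of the WannaCrypt kill-switch decision and the cases where it fails open.

Added illustration, not code from the article or the malware. The real sample
made an HTTP request to a hard-coded, then-unregistered domain and exited if
the request succeeded; any failure meant 'carry on'. The `fetch` callable is
injected so the logic can be exercised offline with simulated outcomes.
"""
import urllib.error
import urllib.request
from typing import Callable

# Placeholder standing in for the hard-coded domain (assumption, not the real one).
KILL_SWITCH_URL = "http://kill-switch.example/"


def direct_fetch(url: str, timeout: float = 5.0) -> None:
    """Fetch `url` without consulting the system proxy, mirroring the malware's
    direct-connection check. Raises on DNS failure, refused connection, timeout."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(url, timeout=timeout):
        pass


def should_run(fetch: Callable[[str], None],
               check_enabled: bool = True,
               url: str = KILL_SWITCH_URL) -> bool:
    """Return True if the malware would proceed to spread and encrypt.

    The check fails open: any error while reaching the domain is treated as
    'domain not registered', so the malware continues.
    """
    if not check_enabled:
        return True  # variant with the check stripped out: always proceeds
    try:
        fetch(url)
    except Exception:
        return True  # unregistered domain, no internet, or proxy-only egress
    return False     # domain answered: kill switch trips, malware exits


# Simulated network conditions (constructed, no real traffic is sent).
def reachable(url: str) -> None:
    """Domain registered and directly reachable from this host."""
    return None


def unregistered(url: str) -> None:
    """Name does not resolve: the state before the sinkhole registration."""
    raise urllib.error.URLError("Name or service not known")


def proxy_only(url: str) -> None:
    """Direct outbound TCP blocked; egress only works through a proxy the
    check never uses."""
    raise ConnectionRefusedError("direct egress blocked")


def scenarios() -> dict:
    """Run the decision under each simulated condition; True means 'spreads'."""
    return {
        "before_registration": should_run(unregistered),
        "after_registration_direct_egress": should_run(reachable),
        "after_registration_proxy_only": should_run(proxy_only),
        "variant_without_check": should_run(reachable, check_enabled=False),
    }


if __name__ == "__main__":
    for name, runs in scenarios().items():
        print(f"{name}: {'spreads' if runs else 'halted'}")
```

The practical consequence for defenders on proxy-only or isolated networks follows from the third scenario: because the check never uses the proxy, the domain has to be reachable by a direct HTTP connection from the affected segment, for example by resolving it internally to a host that answers on port 80. None of that helps against the fourth scenario, a variant with the check removed, which is why patching remains the real fix.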

Ransomware is a type of threat that hijacks computer data, encrypting personal files and demanding a ransom, usually in bitcoin, which is hard to trace. In the case of WannaCrypt, there is also an extra component that turns an infected machine into a distribution point for the malware on its network.

Kaspersky map shows countries affected by WannaCrypt – Photo: Reproduction / Kaspersky

Once it enters one computer on an institution's internal network, it can potentially reach every vulnerable Windows PC on that network. According to Kaspersky Lab, more than 45,000 attacks were recorded in 74 countries, including Brazil. Fortunately, the young man's action ended up keeping the problem from reaching more computers in the United States. With infections slowing, companies and the US government had time to update their machines.

Microsoft confirmed that WannaCrypt is built on cyber weapons developed by the United States' National Security Agency (NSA), which were allegedly stolen by hackers earlier this year.

There is still reason to worry. After all, the malware was halted by a mechanism its own creators built in on purpose. "This isn't over. Hackers will notice how we stopped them and will change the code. Then it will start all over again," warned the young man.

For now, the only precaution against WannaCrypt is to update Windows immediately. The malware exploits a vulnerability that Microsoft patched in March, but computers that have not installed the update remain exposed. To fix this, simply turn on Windows Update and install the pending updates.

Learn more about ransomware and see tips on how to protect yourself:

What is ransomware: five tips to protect yourself

WannaCrypt: has anyone paid bitcoins to get back files locked by the ransomware? Reply in the TechTudo Forum.