Here's how the ransomware attack was stopped – and why it could soon start again

The ransomware cyber attack that has so far affected around 300,000 computers in 150 countries could have been much worse. In fact, it still could be. The spread of the malicious software (malware), nicknamed WannaCry or WannaCrypt, has been halted several times by researchers who have identified flaws in the program known as kill switches. But cybercriminals are already fighting back by altering the code, leading to a game of cat and mouse as researchers then have to hunt for a new kill switch.

Ransomware is a type of malware that blocks access to a computer until money is paid to release it. It is normally spread as an attachment on an email but WannaCry is different because it can spread through a local network on its own.

It looks for other computers running a file and printer sharing protocol called Server Message Block (SMB), which is found in older operating systems such as Windows XP that no longer receive routine security updates. It then uses a flaw in SMB to spread to other computers without their users having to download the file. This explains why more computers have been affected than is typical with this kind of malware.

The Achilles heel of malware is the need to call home to its operator. For ransomware, there has to be a mechanism for the program’s operator to collect the ransom money and unlock the data. These communications can provide a way for law enforcement to track down the cybercriminals, so they often build into their malware something called a kill switch.

Generally, a kill switch is a mechanism for turning off a device or a piece of software remotely – and abruptly – in an emergency, such as when it has been stolen or accessed without authorisation. In malware, a kill switch is a way for the operator to terminate their connection to the software to prevent authorities from discovering their identity.

One kill switch method is to redirect the malware’s communications to a “sinkhole” server, which can render it ineffective. Investigators can study the malware and look for such a kill switch or a way to take over the software.

A sophisticated piece of malware will often run its control communication across multiple unregistered internet domains. By periodically changing the domain it uses, the software can thwart attempts to understand or neutralise it. This means investigators need to constantly adapt and register any new domains the malware may try to use to make the sinkhole effective.

In the case of WannaCry, a researcher using the pseudonym MalwareTech ended up accidentally activating the kill switch when he tried to create a sinkhole in order to study the software. WannaCry included code that looked to check if a specified domain had been registered. If it received a response from the domain, it shut down. If not, it continued to work. So when MalwareTech registered the domain, it effectively activated the kill switch.

This kill switch was probably inserted to prevent investigators studying the software in a closed virtual environment called a “sandbox”. These typically respond to all communication attempts by the malware with signals from registered domains. So when WannaCry received a response from the domain, it was tricked into thinking it was in a sandbox and shut down to protect itself.

The problem is that modifying WannaCry’s code so it looks for a different unregistered domain will allow new versions of the software to continue running. In fact, one new variant of the malware has already been stopped after researchers registered the new domain, activating the related kill switch.
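To make the kill-switch check and the sinkhole cat-and-mouse described above concrete, here is an added Python example (not code from the article, from WannaCry, or from MalwareTech): it models the halt decision under a real internet resolver versus an analysis sandbox, and triages constructed resolver log lines to separate hosts whose lookup reached a registered (sinkholed) domain from hosts that queried a variant domain nobody has registered yet. The domain names, log format and IP addresses are placeholders constructed for the example.

```python
import re
from collections import defaultdict

# Hypothetical placeholder domains: the article names no real kill-switch domain.
KILL_SWITCH_DOMAINS = {"killswitch-v1.example", "killswitch-v2.example"}

def kill_switch_halts(domain, resolves):
    """Model of the decision the article describes: the malware halts only when
    its hard-coded domain answers. `resolves` maps a domain name to True/False
    and models what the infected host's network actually returns."""
    return resolves(domain)

def internet_resolver(registered):
    """On the real internet only registered (e.g. sinkholed) names answer."""
    return lambda domain: domain in registered

def sandbox_resolver(domain):
    """Analysis sandboxes typically answer every lookup, so the switch fires."""
    return True

# Constructed log format (not a real product's): timestamp, client, name, rcode.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<ip>[\d.]+) query: (?P<name>\S+) (?P<rc>NOERROR|NXDOMAIN)$"
)

def triage(log_lines):
    """Split hosts that queried a kill-switch domain into those whose lookup
    succeeded (sinkhole answered, malware halted) and those that got NXDOMAIN
    (domain not yet registered, so that host kept spreading)."""
    halted, running = defaultdict(set), defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["name"] not in KILL_SWITCH_DOMAINS:
            continue
        bucket = halted if m["rc"] == "NOERROR" else running
        bucket[m["name"]].add(m["ip"])
    return {k: sorted(v) for k, v in halted.items()}, {k: sorted(v) for k, v in running.items()}

# Constructed sample resolver log lines.
SAMPLE_LOG = [
    "2017-05-12T10:01:02 client 10.0.0.5 query: killswitch-v1.example NOERROR",
    "2017-05-12T10:01:09 client 10.0.0.7 query: killswitch-v1.example NOERROR",
    "2017-05-12T10:03:44 client 10.0.0.9 query: killswitch-v2.example NXDOMAIN",
    "2017-05-12T10:04:10 client 10.0.0.9 query: www.example.org NOERROR",
]
if __name__ == "__main__":
    halted, running = triage(SAMPLE_LOG)
    print("halted by sinkhole:", halted)
    print("still running, domain not yet registered:", running)
```

The second dictionary is the actionable output for a defender: a variant domain that still returns NXDOMAIN is one that has to be registered for the sinkhole to take effect.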

An interesting paradox is that WannaCry was developed using a surveillance tool called EternalBlue created by the US National Security Agency (NSA) and leaked by a group of hackers known by the pseudonym Shadow Brokers. They are now claiming to have further harmful source code for WannaCry and are threatening to release it into the wild for anyone to modify freely. Based on the history of previous similar malware, copycats are extremely likely. With major modifications to the source code, the recent updates made to anti-malware software will become futile as the cycle begins again.

Researchers are even questioning why WannaCry’s kill switch existed at all given that it was so easy to discover and execute. The danger is that WannaCry was just a test to elicit the response of defenders so deadlier variants can be unleashed later.

This article was originally published on The Conversation. Read the original article.

Adrian Winckles receives funding from iCure/DCMS for Cyber Security Innovation. He is a member of the Open Web Application Security Project European Board and Cambridge Chapter Leader, BCS Vice Chair of the Cybercrime Forensics Special Interest Group, and UK Cyber Security Forum Cambridge Cluster Chair.
