Here's how the ransomware attack was stopped – and why it could soon start again

The ransomware cyber attack that has so far affected around 300,000 computers in 150 countries could have been much worse. In fact, it still could be. The spread of the malicious software (malware), nicknamed WannaCry or WannaCrypt, has been halted several times by researchers who have identified flaws in the program known as kill switches. But cybercriminals are already fighting back by altering the code, leading to a game of cat and mouse as researchers then have to hunt for a new kill switch.

Ransomware is a type of malware that blocks access to a computer until money is paid to release it. It is normally spread as an attachment on an email but WannaCry is different because it can spread through a local network on its own.

It looks for other computers running a file and printer sharing protocol called Server Message Block (SMB), which is found in older operating systems such as Windows XP that no longer receive routine security updates. It then uses a flaw in SMB to spread to other computers without their users having to download the file. This explains why more computers have been affected than is typical with this kind of malware.

The Achilles heel of malware is the need to call home to its operator. For ransomware, there has to be a mechanism for the program’s operator to collect the ransom money and unlock the data. These communications can provide a way for law enforcement to track down the cybercriminals, so they often build into their malware something called a kill switch.

Generally, a kill switch is a mechanism for turning off a device or a piece of software remotely – and abruptly – in an emergency, such as when it has been stolen or accessed without authorisation. In malware, a kill switch is a way for the operator to terminate their connection to the software to prevent authorities from discovering their identity.

One kill switch method is to redirect the malware’s communications to a “sinkhole” server, which can render it ineffective. Investigators can study the malware and look for such a kill switch or a way to take over the software.

A sophisticated piece of malware will often run its control communication across multiple unregistered internet domains. By periodically changing the domain it uses, the software can thwart attempts to understand or neutralise it. This means investigators need to constantly adapt and register any new domains the malware may try to use to make the sinkhole effective.

In the case of WannaCry, a researcher using the pseudonym MalwareTech ended up accidentally activating the kill switch when he tried to create a sinkhole in order to study the software. WannaCry included code that looked to check if a specified domain had been registered. If it received a response from the domain, it shut down. If not, it continued to work. So when MalwareTech registered the domain, it effectively activated the kill switch.

This kill switch was probably inserted to prevent investigators studying the software in a closed virtual environment called a “sandbox”. These typically respond to all communication attempts by the malware with signals from registered domains. So when WannaCry received a response from the domain, it was tricked into thinking it was in a sandbox and shut down to protect itself.

The problem is that modifying WannaCry’s code so it looks for a different unregistered domain will allow new versions of the software to continue running. In fact, one new variant of the malware has already been stopped after researchers registered the new domain, activating the related kill switch.
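The cat-and-mouse described in the last few paragraphs (a kill-switch domain that halts the sample once registered, a re-compiled variant that probes a different one) is easier to reason about as a small defender-side model. The following Python is an added example, not code from the article or from any WannaCry analysis: the `SinkholeRegistry` and `Variant` types, the `.invalid` domain names, the host addresses and the resolver log are all constructed placeholders, and the real kill-switch domains are deliberately not reproduced. It shows which variants are still running for a given set of sinkholed domains and, from a resolver log, which hosts probed a domain that has already been registered (so the sample shut down) versus one that nobody has registered yet (so a new sinkhole is needed).

```python
"""Defender-side model of the kill-switch / sinkhole cat-and-mouse described above.

Added example, not code from the article. Domain names, host addresses and the
resolver log are constructed placeholders (the real WannaCry domains are not used).
"""
from dataclasses import dataclass, field


@dataclass
class SinkholeRegistry:
    """Domains researchers have registered and pointed at a sinkhole server."""
    registered: set = field(default_factory=set)

    def register(self, domain: str) -> None:
        self.registered.add(domain.lower().rstrip("."))

    def resolves(self, domain: str) -> bool:
        """A registered domain answers the malware's probe; an unregistered one does not."""
        return domain.lower().rstrip(".") in self.registered


@dataclass(frozen=True)
class Variant:
    """One build of the malware and the unregistered domain it probes on start-up."""
    name: str
    kill_switch_domain: str


# Constructed placeholders: a first build and a re-compiled copy pointed at a new domain.
VARIANTS = (
    Variant("original", "killswitch-original.invalid"),
    Variant("variant-2", "killswitch-variant2.invalid"),
)


def halted_by_kill_switch(variant: Variant, registry: SinkholeRegistry) -> bool:
    """The sample shuts down exactly when its probe gets a response."""
    return registry.resolves(variant.kill_switch_domain)


def unhalted_variants(variants, registry: SinkholeRegistry) -> list:
    """Variants that keep running until someone registers their domain."""
    return [v.name for v in variants if not halted_by_kill_switch(v, registry)]


# Constructed resolver log: '<timestamp> <client address> <queried name>'.
DNS_LOG = [
    "2017-05-12T10:01:02Z 10.0.0.5 killswitch-original.invalid",
    "2017-05-12T10:01:09Z 10.0.0.7 killswitch-original.invalid",
    "2017-05-14T08:15:44Z 10.0.0.9 killswitch-variant2.invalid",
    "2017-05-14T08:16:01Z 10.0.0.5 www.example.com",
    "garbled line that should be skipped",
]


def triage_dns_log(lines, variants, registry: SinkholeRegistry):
    """Split hosts that probed a watched domain into 'halted' (the domain was
    registered, so the sample on that host shut down) and 'active' (not yet
    registered, so the sample kept running and the domain needs registering).
    Returns two dicts mapping client address -> set of variant names."""
    watch = {v.kill_switch_domain.lower(): v.name for v in variants}
    halted, active = {}, {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # tolerate malformed log lines rather than abort triage
        _ts, client, qname = parts
        qname = qname.lower().rstrip(".")
        if qname not in watch:
            continue  # ordinary traffic, not a kill-switch probe
        bucket = halted if registry.resolves(qname) else active
        bucket.setdefault(client, set()).add(watch[qname])
    return halted, active


if __name__ == "__main__":
    registry = SinkholeRegistry()
    registry.register("killswitch-original.invalid")
    print("still running:", unhalted_variants(VARIANTS, registry))
    halted, active = triage_dns_log(DNS_LOG, VARIANTS, registry)
    print("hosts halted:", halted)
    print("hosts needing a new sinkhole:", active)
```

With only the first domain registered, the model reports `variant-2` as still running and host `10.0.0.9` as the one whose probe went unanswered; registering the second domain moves that host into the halted set. The practical point for a defender is the `active` bucket: a watched domain that appears in resolver logs but is not yet sinkholed is exactly the signal that the cycle has restarted.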

An interesting paradox is that WannaCry was developed using a surveillance tool called EternalBlue created by the US National Security Agency (NSA) and leaked by a group of hackers known by the pseudonym Shadow Brokers. They are now claiming to have further harmful source code for WannaCry and are threatening to release it into the wild for anyone to modify freely. Based on the history of previous similar malware, copycats are extremely likely. With major modifications to the source code, the recent updates made to anti-malware software will become futile as the cycle begins again.

Researchers are even questioning why WannaCry’s kill switch existed at all, given that it was so easy to discover and execute. The danger is that WannaCry was just a test to elicit the response of defenders so that deadlier variants can be unleashed later.

This article was originally published on The Conversation. Read the original article.

Adrian Winckles receives funding from iCure/DCMS for Cyber Security Innovation. He is a member of the Open Web Application Security Project European Board and Cambridge Chapter Leader, BCS Vice Chair of the Cybercrime Forensics Special Interest Group, and UK Cyber Security Forum Cambridge Cluster Chair.
