
Here's how the ransomware attack was stopped – and why it could soon start again

The ransomware cyber attack that has so far affected around 300,000 computers in 150 countries could have been much worse. In fact, it still could be. The spread of the malicious software (malware), nicknamed WannaCry or WannaCrypt, has been halted several times by researchers who found and triggered a mechanism built into the program known as a kill switch. But cybercriminals are already fighting back by altering the code, leading to a game of cat and mouse in which researchers then have to hunt for the new kill switch, if the new version still has one.

Ransomware is a type of malware that encrypts a victim's files and blocks access to the computer until money is paid to release them. It is normally delivered as an email attachment that the victim has to open, but WannaCry is different because it is also a worm: once it is running on one machine it spreads across the network to other machines on its own, with no one having to open anything.

It scans for other computers that expose the Windows file and printer sharing protocol, Server Message Block (SMB), and exploits a flaw in the old SMBv1 implementation to execute itself on them without their users having to download or open a file. Microsoft had patched the flaw in supported versions of Windows in March 2017 (MS17-010), but machines that had not applied the update, and unsupported systems such as Windows XP that no longer receive routine security updates, remained exposed. This explains why far more computers have been affected than is typical for ransomware.

The Achilles heel of malware is the need to call home to its operator. For ransomware, there has to be a mechanism for the program's operator to collect the ransom money and release the data. These communications give law enforcement a thread to follow back to the cybercriminals, so malware authors often build in ways to cut them off or to stop the program entirely, one of which is a kill switch.

Generally, a kill switch is a mechanism for turning off a device or a piece of software remotely, and abruptly, in an emergency such as when it has been stolen or accessed without authorisation. In malware, a kill switch is a condition built into the program that makes it stop running. An operator can trigger it to halt a campaign and sever the link back to themselves before investigators can follow it.

Investigators can use the same dependency against the malware. If they can take over the domain or server the malware contacts and point it at a "sinkhole" server they control, the malware is cut off from its operator, which can render it ineffective, and every infected machine announces itself to the investigators instead. Studying the malware reveals which domains to take over and whether it has a kill switch that can be triggered in the process.

A sophisticated piece of malware will often spread its control communication across many internet domains that are not registered in advance. Instead of a fixed address, the code contains an algorithm (a domain generation algorithm) that produces a fresh list of domains on a schedule, and the operator registers one of them only shortly before it is needed. Because the domain keeps changing, a sinkhole on yesterday's domain catches nothing, and attempts to understand or neutralise the software are thwarted. Investigators therefore have to extract the algorithm and keep registering the domains it will produce next, ahead of the operator, for the sinkhole to stay effective.
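The following is an added example, not code from the original article and not taken from WannaCry or any real malware family: a toy date-seeded domain generation algorithm with both sides of the contest just described, the infected host walking the day's list and the defender pre-registering the list for the coming days. WannaCry itself checked a single hard-coded domain; this models the rotating scheme the paragraph describes. The seed constant, the domain names and the dates are all made up, and the reserved .invalid top-level domain guarantees nothing here resolves.

```python
"""Toy domain generation algorithm (DGA) and the defender's pre-registration
race. Added example: not the article's code and not any real malware's.
SEED is an assumption standing in for a constant recovered by reverse
engineering the malware; .invalid is a reserved TLD so nothing resolves."""
import hashlib
from datetime import date, timedelta
from typing import Optional

SEED = b"hypothetical-campaign-seed"  # assumption: recovered from the binary
PER_DAY = 5  # candidate domains the malware tries each day


def dga(day: date, seed: bytes = SEED, count: int = PER_DAY) -> list[str]:
    """Deterministic: the same seed and date give the same list on every infected
    host, so the operator can register any one of them just before it is needed."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).hexdigest()
        names.append(digest[:12] + ".invalid")  # hex digits are valid label characters
    return names


def malware_rendezvous(day: date, live: set[str], seed: bytes = SEED) -> Optional[str]:
    """The infected host walks today's list and talks to the first domain that answers."""
    for name in dga(day, seed):
        if name in live:
            return name
    return None


def domains_to_preregister(start: date, days_ahead: int, seed: bytes = SEED) -> list[str]:
    """With the seed recovered, defenders can compute every future rendezvous and
    register all of them, pointed at a sinkhole, before the operator does."""
    out: list[str] = []
    for offset in range(days_ahead):
        out.extend(dga(start + timedelta(days=offset), seed))
    return out


def contest(day: date, defender_registered: set[str], attacker_registered: set[str]) -> str:
    """Who the infected hosts end up talking to on a given day."""
    name = malware_rendezvous(day, defender_registered | attacker_registered)
    if name is None:
        return "no contact"
    return "sinkhole" if name in defender_registered else "attacker"


def demo() -> dict[str, str]:
    """Walk through the outcomes a defender cares about. Dates are constructed."""
    today = date(2017, 5, 12)
    full = set(domains_to_preregister(today, 7))   # a week of domains, all sinkholed
    partial = full - {dga(today)[0]}               # defender missed one name
    attacker = {dga(today)[0]}                     # operator grabbed the gap
    return {
        "nothing registered": contest(today, set(), set()),
        "defender registered all": contest(today, full, set()),
        "defender missed one": contest(today, partial, attacker),
        "a week later, all registered": contest(today + timedelta(days=6), full, set()),
        "after the window": contest(today + timedelta(days=7), full, set()),
    }


if __name__ == "__main__":
    for situation, outcome in demo().items():
        print(f"{situation:32} -> {outcome}")
```

The "defender missed one" case is the practical lesson: pre-registration only works if every domain in the window is covered, which is why extracting the exact algorithm and seed matters more than observing the domains the malware happens to use today.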

In the case of WannaCry, a researcher using the pseudonym MalwareTech ended up activating the kill switch almost by accident when he registered a domain the malware contacted, intending to sinkhole it and study the infections. WannaCry contained code that, before doing anything else, attempted an HTTP connection to one specific, unregistered domain. If the connection succeeded, the program exited; if it failed, it carried on spreading and encrypting. So when MalwareTech registered the domain and put a server behind it, every new infection that could reach it shut itself down. Machines that could not reach the domain directly, for example those that only access the internet through a proxy, which the check ignored, were not saved.

This check was probably inserted to detect analysis in a "sandbox", a closed virtual environment investigators use to run malware safely. Sandboxes commonly answer every network request the malware makes, including requests to domains that do not exist, so that the malware's behaviour can be recorded. A reply from a domain that should not exist therefore suggested to WannaCry that it was in a sandbox, and it shut down to avoid being analysed.

The problem is that changing the domain in WannaCry's code to a different unregistered one is enough to produce a variant that the registered domain no longer stops, and removing the check altogether leaves nothing to register. One new variant pointing at a different domain has already been stopped the same way, after researchers registered that domain too.
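To make the sequence of events concrete, here is an added example, not code from the original article and not WannaCry's own code: a model of the domain-check kill switch described above, the proxy caveat, the variant with a changed domain, and what the operator of the sinkhole sees. The domain names are placeholders under the reserved .invalid top-level domain, the "internet" is a set of registered names so the script runs offline, and the access-log lines are constructed, using the RFC 5737 documentation address ranges.

```python
"""Model of a domain-check kill switch and the ways it fails to trip.
Added example: not the article's code and not WannaCry's. Domains are
placeholders under the reserved .invalid TLD; the network is simulated."""
from dataclasses import dataclass
from typing import Callable

Probe = Callable[[str], bool]  # True if a direct HTTP connection to the host succeeds


@dataclass(frozen=True)
class Build:
    name: str
    kill_switch_domain: str
    honours_proxy: bool = False  # WannaCry connected directly, ignoring proxy settings


def kill_switch_tripped(build: Build, probe: Probe, behind_proxy: bool) -> bool:
    """Try to reach the domain; a successful reply means 'stop'. A host that can
    only reach the internet through a proxy never completes a direct connection,
    so a build that ignores the proxy keeps running whether or not the domain
    is registered."""
    if behind_proxy and not build.honours_proxy:
        return False
    return probe(build.kill_switch_domain)


def run(build: Build, probe: Probe, behind_proxy: bool = False) -> str:
    """What the sample does on this host: 'exit' or 'spread-and-encrypt'."""
    return "exit" if kill_switch_tripped(build, probe, behind_proxy) else "spread-and-encrypt"


def probe_for(registered: set[str]) -> Probe:
    """Simulated internet: a connection succeeds only for registered names."""
    return lambda host: host in registered


ORIGINAL = Build("original", "kill-switch-a.invalid")
VARIANT = Build("variant", "kill-switch-b.invalid")  # same code, new unregistered domain


def cat_and_mouse() -> dict[str, str]:
    """The sequence of events described in the article, step by step."""
    registered: set[str] = set()
    outcome: dict[str, str] = {}
    outcome["before registration"] = run(ORIGINAL, probe_for(registered))
    registered.add(ORIGINAL.kill_switch_domain)  # researcher registers the domain
    outcome["after registration"] = run(ORIGINAL, probe_for(registered))
    outcome["after registration, behind proxy"] = run(ORIGINAL, probe_for(registered), behind_proxy=True)
    outcome["variant, old domain registered"] = run(VARIANT, probe_for(registered))
    registered.add(VARIANT.kill_switch_domain)  # researchers register the new one
    outcome["variant, new domain registered"] = run(VARIANT, probe_for(registered))
    return outcome


# Constructed sinkhole access-log lines (not real traffic); source addresses
# are from the documentation ranges reserved by RFC 5737.
SINKHOLE_LOG = """\
2017-05-12T15:08:11Z 203.0.113.7 GET / Host: kill-switch-a.invalid
2017-05-12T15:08:13Z 198.51.100.22 GET / Host: kill-switch-a.invalid
2017-05-12T15:08:14Z 203.0.113.7 GET / Host: kill-switch-a.invalid
2017-05-15T09:41:02Z 192.0.2.44 GET / Host: kill-switch-b.invalid
"""


def infected_hosts_per_domain(log: str) -> dict[str, set[str]]:
    """Every host that reached the sinkhole ran the check, so it was infected and
    was stopped by the registration. The same act that neutralises the malware
    also counts its victims, per kill-switch domain."""
    seen: dict[str, set[str]] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, src, _method, _path, _host_label, domain = line.split()
        seen.setdefault(domain, set()).add(src)
    return seen


if __name__ == "__main__":
    for step, result in cat_and_mouse().items():
        print(f"{step:36} -> {result}")
    for domain, hosts in infected_hosts_per_domain(SINKHOLE_LOG).items():
        print(f"{domain}: {len(hosts)} distinct infected hosts")
```

Two things the model makes visible that the prose does not: the kill switch protects only hosts that can complete a direct connection, so a corporate network that forces all web traffic through a proxy gets no benefit from the registration, and a variant whose check is removed rather than re-pointed never calls `kill_switch_tripped` at all, leaving nothing for researchers to register.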

An uncomfortable irony is that WannaCry spreads using an exploit called EternalBlue, developed for the SMB flaw by the US National Security Agency (NSA) and leaked by a group of hackers known by the pseudonym Shadow Brokers. The group now claims to hold further exploit code and is threatening to release it into the wild for anyone to use and modify freely. Based on the history of previous similar malware, copycats are extremely likely. With major modifications to the code, the signatures recently pushed to anti-malware software will stop matching and the cycle begins again.

Researchers are even questioning why WannaCry's kill switch existed at all, given that it was so easy to discover and trigger. The danger is that WannaCry was just a test to elicit the response of defenders so that deadlier variants can be unleashed later.

This article was originally published on The Conversation. Read the original article.

Adrian Winckles receives funding from iCure/DCMS for Cyber Security Innovation. He is a member of the Open Web Application Security Project (OWASP) European Board and Cambridge Chapter Leader, BCS Vice Chair of the Cybercrime Forensics Special Interest Group, and Chair of the UK Cyber Security Forum Cambridge Cluster.