Thanks to a lucky find by a UK-based security researcher, yesterday's massive global ransomware attack is reported to be slowing down today. Dubbed WannaCry or WannaCrypt, the monstrous ransomware hack hit hospitals, schools, government agencies, and other organizations around the globe, Friday, May 12 -- locking them out of their own systems and demanding ransom to be paid in Bitcoin.
While now on the decline, WannaCrypt could still threaten users who have not updated their systems to patch the vulnerability, which affects older versions of Microsoft Windows.
Europol's European Cybercrime Centre, EC3, said in a statement today that the attack was "at an unprecedented level and will require a complex international investigation to identify the culprits." The ransomware appeared to have hit some 100,000 systems, more than half in Russia, according to a tweet yesterday by malware researcher Jakub Kroustek.
Citing the far-reaching potential impact on customers, Microsoft took the unusual step of offering a custom support security update for users with versions of Windows that are no longer supported.
Domain Registration Killed Attack
In a post today, UK-based security researcher MalwareTech described how he checked a cyber threat sharing platform after returning home from lunch to discover that National Health Service systems across Britain were being hit by a cyberattack.
"Although ransomware on a public sector system isn't even newsworthy, systems being hit simultaneously across the country is (contrary to popular belief, most NHS employees don't open phishing emails which suggested that something to be this widespread it would have to be propagated using another method)," MalwareTech wrote. "I was quickly able to get a sample of the malware with the help of Kafeine, a good friend and fellow researcher. Upon running the sample in my analysis environment I instantly noticed it queried an unregistered domain, which I promptly registered."
Shortly after registering the domain, MalwareTech discovered that "our registration of the domain had actually stopped the ransomware and prevent the spread."
It turned out that the ransomware code was written to connect to an unregistered domain and "if the connection is not successful it ransoms the system, if it is successful, the malware exits."
However, MalwareTech added, the kill switch that was activated doesn't prevent the actors responsible for the ransomware from removing the domain check in their code and re-launching an attack, "so it's incredibly important that any unpatched systems are patched as quickly as possible."
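The behaviour described above gives defenders a simple triage signal in DNS query logs. The following Python script is an added example, not code from the article or from MalwareTech's post: it parses query logs, picks out lookups of the kill-switch domain, and classifies each internal host from the answer it got. A host whose lookup succeeded (NOERROR) ran the sample after the domain was registered, so by the logic quoted above the malware exited; a host whose lookup failed (NXDOMAIN) ran it before registration and went on to encrypt. The log line format, the timestamps, the client addresses and the domain name are all assumptions: the article does not name the domain, so `KILL_SWITCH_DOMAIN` is a labelled placeholder, and `SAMPLE_LOG` is constructed input.

```python
"""Triage hosts that queried the WannaCrypt kill-switch domain (added example).

Assumed log format, one query per line:
    <ISO-8601 timestamp> <client IPv4> <query name> <rcode>
KILL_SWITCH_DOMAIN is a placeholder; the real domain is not named in the article.
"""
import re

# Placeholder for the real kill-switch domain (assumption, not from the article).
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Assumed log line shape; anything that does not match is skipped, not guessed at.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<qname>\S+)\s+"
    r"(?P<rcode>[A-Z]+)$"
)

# Constructed sample log: two hosts resolved the domain after registration,
# one queried it before registration and got NXDOMAIN, plus unrelated noise.
SAMPLE_LOG = """\
2017-05-12T14:01:02Z 10.20.1.15 killswitch-placeholder.example NOERROR
2017-05-12T14:01:03Z 10.20.1.15 update.example.net NOERROR
2017-05-12T14:01:09Z 10.20.3.77 KILLSWITCH-PLACEHOLDER.EXAMPLE. NOERROR
2017-05-12T14:02:11Z 10.20.1.15 killswitch-placeholder.example NOERROR
this line is garbage and should be skipped
2017-05-12T14:03:00Z 10.20.5.2 mail.example.org NXDOMAIN
2017-05-12T13:55:00Z 10.20.9.9 killswitch-placeholder.example NXDOMAIN
"""


def normalize_name(qname: str) -> str:
    """Lower-case and drop the trailing dot so 'Foo.Example.' equals 'foo.example'."""
    return qname.rstrip(".").lower()


def parse_line(line: str):
    """Return a dict with ts/client/qname/rcode, or None for a malformed line."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = normalize_name(rec["qname"])
    return rec


def is_kill_switch_query(qname: str) -> bool:
    """True if the query name is the kill-switch domain (case/trailing-dot insensitive)."""
    return normalize_name(qname) == KILL_SWITCH_DOMAIN


def triage(log_text: str) -> dict:
    """Aggregate kill-switch lookups per client: counts of resolved vs failed answers."""
    hosts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_kill_switch_query(rec["qname"]):
            continue
        h = hosts.setdefault(
            rec["client"],
            {"queries": 0, "resolved": 0, "failed": 0, "first_seen": rec["ts"]},
        )
        h["queries"] += 1
        if rec["rcode"] == "NOERROR":
            h["resolved"] += 1
        else:
            h["failed"] += 1
        # ISO-8601 timestamps in one zone sort correctly as strings.
        h["first_seen"] = min(h["first_seen"], rec["ts"])
    return hosts


def verdict(h: dict) -> str:
    """Map a host's answers onto the behaviour the article describes."""
    if h["failed"] and not h["resolved"]:
        return "likely-encrypted"  # lookup failed -> sample proceeds to ransom
    if h["resolved"] and not h["failed"]:
        return "halted"            # lookup succeeded -> sample exits
    return "mixed"                 # saw both; inspect the host directly


if __name__ == "__main__":
    for client, h in sorted(triage(SAMPLE_LOG).items()):
        print(f"{client:15} first_seen={h['first_seen']} "
              f"queries={h['queries']} verdict={verdict(h)}")
```

Every host the script lists executed the sample and needs isolation and patching regardless of verdict; the verdict only prioritises which machines to look at first. As MalwareTech warns, a re-launched variant with the domain check removed makes no such query and is invisible to this check, which is why the patch, not the sinkhole, is the fix.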
Unlocking Tools at NoMoreRansom.org
While the domain registration put a stop to the ransomware's spread, it did not solve the problem for any system that had already been hit by the attack. EC3 advises any organizations affected to use the unlocking tools provided at NoMoreRansom.org, a free resource developed by Europol in partnership with the Dutch police and other industry partners.
"Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful," Microsoft's principal security group manager Phillip Misner wrote yesterday in an update on the TechNet site. "Microsoft worked throughout the day to ensure we understood the attack and were taking all possible actions to protect our customers."
Misner noted that Microsoft released a security update in March to address the MS17-010 vulnerability exploited by WannaCrypt, which affects systems running Windows XP, Windows 8 and Windows Server 2003, among others, but not Windows 10. Users who haven't yet applied the update should deploy the fix immediately, he added.
The vulnerability was one of many revealed in April by the hacking group Shadow Brokers, which claimed to have stolen the exploits from the U.S. National Security Agency.
"The vulnerability was first found by the NSA," UK-based security researcher Graham Cluley noted in a blog post yesterday. "However, they chose not to tell Microsoft about it. (Which is a shame, because that would have meant computers would have been patched earlier)."
Cluley said yesterday's attack also highlighted the risks that organizations take by not investing in updated IT systems and security.
"The NHS wasn't targeted," he wrote. "They're just a huge organisation which has had insufficient investment in computer security over the years. In short, it has a lot of computers and at least some of them weren't able to withstand an attack like this."
In addition to the UK's NHS, the WannaCrypt ransomware also hit Spain's Telefonica telco and other companies in Russia, Spain, Taiwan and Ukraine, according to the security firm Malwarebytes. A report in The Guardian yesterday said the attack had hit systems in 99 countries.