Yesterday, through a series of publications, we announced that we know about the biggest ransomware attack that began on Friday. Using one of NSA's exploits recently leaked by the Shadow Brokers team, attackers could infect computers world-wide with WannaCry (a Windows exploit embedded in NSA's EternalBlue tool).
Microsoft has already released Several updates about this vulnerability, but many users and organizations did not bother updating their systems.
The company in front of the devastating effects of the worm that continues to spread, overwhelmed and released updates for Windows XP, Windows (server) 2003 and Windows 8.
Yesterday we also mentioned that in the malware code there was also a disabling switch in the form of a kill switch domain.
What does this mean in simple words? when the malware detects that there is a specific domain, stops infections. This domain was created (registered) earlier today by a researcher, who observed the dot-com in the reverse-engineered binary. When the listing was detected by the malicious software, the ransomware distribution, and its worldwide spread, was immediately stopped.
But let's make it clear what the kill switch does:
The kill switch can not help devices that are already infected and locked with WannaCry.
By registering the domain and then moving it to a server environment that is meant to record and keep the sinkhole MalwareTech essentially bought time for systems that are not already infected.
"Fortunately, MalwareTech had the infrastructure to create a sinkhole," says Darien Huss, senior security research engineer at the security company Proofpoint.
"If someone had bought doamin and not prepared then we would be seeing too many infections right now."
If the installation did not have enough space and the server did not have enough bandwidth, the malware would not be trapped and would not be self-destructing.
We should add that the discovery of MalwareTech is not a permanent solution. All it needs to start again is a new strain of WannaCry whose code will disable the kill switch or use a more sophisticated generator URL instead of a static IP address.
However, the discovery of MalwareTech has helped slow down the process.
We hope that with so many security analysts observing, and analyzing the behavior of WannaCry malware with reverse engineering, someone else will eventually find a more permanent way to disable it. Every minute counts….