Yesterday through a series of posts, we announced that we are aware of the largest ransomware attack that began last Friday. Using one of the NSA exploits recently leaked by the Shadow Brokers group, attackers were able to infect computers globally with WannaCry (a Windows exploit embraced by the NSA's EternalBlue tool).
Microsoft has already released Several updates about this vulnerability, but many users and organizations did not bother updating their systems.
The company in the face of the catastrophic effects of the worm that continues to spread, went too far and released updates even for systems it no longer supports: Windows XP, Windows (server) 2003 and Windows 8.
Yesterday we also mentioned that in the malware code there was also a disabling switch in the form of a kill switch domain.
What does this mean in simple words? When malware detects that there is a specific domain, it stops infections. This domain was created (registered) earlier today by a researcher, who observed the dot-com in the reverse-engineered binary. When the listing was detected by the malicious software, the ransomware distribution, and its worldwide spread, was immediately stopped.
But let's make it clear what the kill switch does:
The kill switch can not help devices that are already infected and locked with WannaCry.
By registering the domain and then moving it to a server environment that is meant to record and keep the sinkhole MalwareTech essentially bought time for systems that are not already infected.
"Ευτυχώς, ο MalwareTech διέθετε την υποδομή δημιουργίας ενός “sinkhole”, αναφέρει ο Darien Huss, senior security research engineer στην εταιρεία ασφαλείας Proofpoint.
"Αν κάποιος είχε αγοράσει το doamin και δεν είχε προετοιμαστεί τότε θα βλέπαμε πάρα πολλές λοιμώξεις αυτή τη στιγμή."
If the installation did not have enough space and the server did not have enough bandwidth, the malware would not be trapped and would not be self-destructing.
Let's add that the discovery of MalwareTech is not a permanent solution. All it takes to get started again is a new WannaCry executive whose code will block the kill switch or use a more sophisticated URL generator instead of a static IP address.
However, the discovery of MalwareTech has helped slow down the process.
Ευελπιστούμε ότι με τόσους πολλούς αναλυτές ασφαλείας που παρατηρούν, και αναλύουν την συμπεριφορά του κακόβουλου λογισμικού WannaCry με αντίστροφη μηχανική, κάποιος άλλος θα βρει τελικά μια μονιμότερη λύση απενεργοποίησης του. Κάθε λεπτό μετράει....
