PINDROP BLOG

WannaCry Ransomware Infections Slow as Researchers Fight Back

Three days after the WannaCry ransomware outbreak began, many organizations are still fighting it, despite some temporary solutions implemented over the weekend and the release of some tools to help stop new infections.

The ransomware ran rampant through a number of hospitals, telecom providers, and other companies throughout Europe on Friday and continued to spread over the weekend. Unlike many other ransomware strains, WannaCry includes the ability to exploit a known vulnerability in Windows to infect new machines. Most other types of ransomware rely on users opening infected attachments or clicking on malicious links, but WannaCry has functionality that can exploit the MS17-010 vulnerability and then install the encryption mechanism on the compromised machine.

The ransomware hit thousands of machines in hospitals in the U.K., as well as at the Spanish telecom company Telefonica on Friday, causing some hospitals to divert patients and ask others not to come for scheduled appointments. As the infections spread–to more than 200,000 machines by one estimate–security researchers looked for ways to slow WannaCry’s progress. One researcher who uses the name MalwareTech noticed during an analysis of the WannaCry code that the malware tried to contact an unregistered domain, which he then registered. That had the effect of stopping new infections, as the malware would stop its infection routine if it got a response from a server at that domain.


“All this code is doing is attempting to connect to the domain we registered and if the connection is not successful it ransoms the system, if it is successful the malware exits,” MalwareTech said in his analysis of the sinkhole operation against WannaCry.

“The reason which was suggested is that the domain is a “kill switch” in case something goes wrong, but I now believe it to be a badly thought out anti-analysis. In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to, a side effect of this is if an unregistered domain is queried it will respond as if it were registered (which should never happen). I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox, so the malware exits to prevent further analysis.”

A second version of the ransomware emerged over the weekend, but researchers again discovered a kill switch domain in its code and were able to register it. French researcher Matt Suiche registered the new domain and said the move prevented thousands of new infections.
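Because the kill-switch lookup decides what the malware does next, a resolver log is a quick way to triage which hosts were reached by the worm and what outcome each probably saw. The script below is an added example, not code from the article or from the researchers it quotes; the domain names, the log format and the log lines are constructed placeholders, to be replaced with the real kill-switch domains and your resolver's actual log format.

```python
"""Triage DNS resolver logs for lookups of a WannaCry kill-switch domain.

Per the analysis quoted above: if the lookup fails the malware proceeds to
ransom the system; if it succeeds the malware exits. So NXDOMAIN for the
kill-switch name is the worse signal. All names and log lines here are
constructed placeholders (added example, not the article's own material)."""

# PLACEHOLDERS standing in for the two kill-switch domains the article mentions.
KILL_SWITCH_DOMAINS = {"killswitch-1.placeholder.invalid", "killswitch-2.placeholder.invalid"}

# Constructed sample log: "<timestamp> <client-ip> <queried-name> <response-code>".
SAMPLE_LOG = """\
2017-05-12T10:01:07Z 10.0.4.21 www.example.com NOERROR
2017-05-12T10:03:44Z 10.0.4.21 killswitch-1.placeholder.invalid NXDOMAIN
2017-05-12T10:05:02Z 10.0.7.9 killswitch-1.placeholder.invalid. NXDOMAIN
2017-05-13T08:12:30Z 10.0.9.14 killswitch-1.placeholder.invalid NOERROR
2017-05-14T09:40:11Z 10.0.9.15 KILLSWITCH-2.placeholder.invalid NOERROR
2017-05-14T09:41:00Z 10.0.4.22 mail.example.com NOERROR
"""

def parse_line(line):
    """Split one log line; normalise the name (case, trailing dot) for matching."""
    ts, client, qname, rcode = line.split()
    return ts, client, qname.lower().rstrip("."), rcode

def classify(rcode):
    """Map the lookup outcome to what the malware did next on that host."""
    if rcode == "NXDOMAIN":
        return "unresolved: encryption routine likely ran; isolate and restore"
    return "resolved: malware exited, but host was reached by the worm and is unpatched"

def triage(log_text):
    """Return {client_ip: (first_seen, domain, verdict)} for hosts that queried a kill switch.

    A host that ever saw NXDOMAIN keeps that (worse) verdict even if a later
    lookup succeeded after the domain was registered and sinkholed."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = parse_line(line)
        if qname not in KILL_SWITCH_DOMAINS:
            continue
        worse = rcode == "NXDOMAIN"
        if client not in findings or (worse and "unresolved" not in findings[client][2]):
            findings[client] = (ts, qname, classify(rcode))
    return findings

if __name__ == "__main__":
    for ip, (ts, dom, verdict) in triage(SAMPLE_LOG).items():
        print(f"{ip}\t{ts}\t{dom}\t{verdict}")
```

Hosts in the "resolved" bucket were still exploited over SMB, so the sinkhole only bought time; they need the MS17-010 patch just as much as the ones that were encrypted.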

Meanwhile, Spain’s national cybersecurity center, CCN-CERT, released a tool that will prevent the execution of the exploit code that allows WannaCry to install itself on vulnerable machines.

“This tool is available to all organisations that need to use it. It creates a mutex (mutual exclusion algorithm) on the computer that prevents the execution of the malicious code WannaCry 2.0. It is important to note that this tool is not intended to clean compromised machines. CCN-CERT indicates that the tool should be run after each restart. This process can be automated by modifying the Windows registry or through the implementation of the proper policies in the domain,” CCN-CERT said.

The tool works, but the surest way to prevent WannaCry infections is to install the MS17-010 patch, which Microsoft released in March.