Massive ransomware attack hits 150 countries, brought down by a domain reg
A massive outbreak of malware on Friday hit thousands of organizations in an estimated 150 countries and had a big impact on the UK National Health Service before being temporarily thwarted by a single domain name registration.
WannaCry, as the malware has been called, targets Windows boxes that have not installed a March security patch. It encrypts files on the hosts it infects and demands money for the decryption key.
The attack is Big News for several reasons.
First, it spread ransomware over the network using a remotely exploitable vulnerability that required no user error or social engineering to install itself.
Second, it hit an estimated quarter-million machines, including thousands at big organizations such as Telefonica, the NHS, Deutsche Bahn and FedEx.
Third, it posed a real risk to human life. A reported 70,000 NHS machines, including medical devices, were said to be infected. Reportedly, some non-critical patients had to be turned away from UK hospitals and operations were cancelled due to the inability of doctors to access medical records.
Fourth, WannaCry appears to have been based on code developed by the US National Security Agency and leaked last month.
All in all, it was an attack the scale of which we have not seen for many years.
But it seems to have been “accidentally” prevented from propagating further on Friday, at least temporarily, with the simple act of registering a domain name.
A young British security researcher who goes by the online handle MalwareTech said he was poring over the WannaCry code on Friday afternoon when he came across an unregistered domain name.
On the assumption that the malware author perhaps planned to use the domain as a command and control center, MalwareTech spent the ten bucks to register it.
MalwareTech discovered that after the domain was registered, the malware stopped encrypting the hard drives it infected.
He first thought it was a fail-safe or kill-switch, but he later came to the conclusion that the author had included the domain lookup as a way to thwart security researchers such as himself, who run malware code in protected sandbox environments.
MalwareTech wrote:
In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to; a side effect of this is that if an unregistered domain is queried, it will respond as [if] it were registered.
Once the domain was registered, WannaCry instances on newly infected machines assumed they were running in sandboxes and turned themselves off before causing additional damage.
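To make that mechanism concrete, here is an added Python example (not from the article, and not MalwareTech's code). It models the two resolver behaviours the researcher describes, real DNS versus an intercepting sandbox resolver, shows why one registration flipped the outcome for every newly infected machine, and, from the defender's side, scans DNS query logs for hosts that looked up the kill-switch domain, since such a lookup means the malware ran on that host even if encryption never started. The kill-switch domain name is not given on this page, so KILLSWITCH_DOMAIN is a placeholder, and the log lines and IP addresses are constructed for the example.

```python
"""Added example (not part of the original article): model the DNS behaviour
that let a single domain registration act as a kill-switch, and flag hosts in
DNS query logs that looked up the kill-switch domain.

KILLSWITCH_DOMAIN is a placeholder (the real name is not on the page); the IP
addresses and log lines below are constructed for this example."""
from __future__ import annotations

import re

KILLSWITCH_DOMAIN = "killswitch-placeholder.invalid"  # placeholder, not the real domain
SANDBOX_IP = "10.99.0.1"        # constructed: what an intercepting sandbox resolver answers
REGISTERED_IP = "198.51.100.7"  # constructed: what real DNS answers for a registered name


def resolve(domain: str, registered: set[str], sandbox: bool) -> str | None:
    """Return an IP address, or None for NXDOMAIN.

    Real DNS answers only for names that are actually registered. A sandbox that
    intercepts traffic answers every lookup with its own address, so an
    unregistered name looks registered; that is the side effect the quote describes."""
    if sandbox:
        return SANDBOX_IP
    return REGISTERED_IP if domain in registered else None


def killswitch_outcome(registered: set[str], sandbox: bool) -> str:
    """The lookup-then-decide logic the article describes: a successful answer is
    read as 'probably a sandbox' and the payload halts; NXDOMAIN means it proceeds."""
    answered = resolve(KILLSWITCH_DOMAIN, registered, sandbox) is not None
    return "halted" if answered else "proceeds"


# Constructed DNS query log lines: timestamp, client address, query type, name.
DNS_LOG = """\
2017-05-12T15:02:11Z 10.0.4.17 A www.example.org
2017-05-12T15:02:13Z 10.0.4.17 A killswitch-placeholder.invalid
2017-05-12T15:03:40Z 10.0.7.2 A killswitch-placeholder.invalid
2017-05-12T15:03:41Z 10.0.7.2 A update.example.net
2017-05-12T15:04:02Z 10.0.4.17 A killswitch-placeholder.invalid
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def hosts_querying_killswitch(log_text: str) -> dict[str, int]:
    """Count kill-switch lookups per client.

    Once the domain was registered, a lookup means the malware ran far enough on
    that host to perform its check, so the host still needs isolating and patching
    even though the encryption step was skipped."""
    counts: dict[str, int] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        _ts, client, _qtype, name = m.groups()
        if name.rstrip(".").lower() == KILLSWITCH_DOMAIN:
            counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    before = set()                 # domain still unregistered
    after = {KILLSWITCH_DOMAIN}    # domain registered by the researcher
    print("real DNS, before registration:   ", killswitch_outcome(before, sandbox=False))
    print("real DNS, after registration:    ", killswitch_outcome(after, sandbox=False))
    print("sandbox DNS, before registration:", killswitch_outcome(before, sandbox=True))
    print("hosts that looked up the domain: ", hosts_querying_killswitch(DNS_LOG))
```

The three outcome lines are the whole story of Friday afternoon in miniature: under real DNS the payload proceeds until the name is registered, while an intercepting sandbox always returns an answer and so always halts it. The same logic also shows the check is only as good as the lookup: any host whose resolver cannot return an answer for the registered name lands back in the "proceeds" column.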
MalwareTech was naturally enough proclaimed the hero of the day by many news outlets, but it appears that versions of the malware without the DNS-query kill-switch had already started circulating over the weekend.
Many are warning that the start of the work week today may see a new rash of infections.
The researcher’s account of the incident can be read in full here.
Nominet fires CCO over baby death “cover-up”
Nominet has terminated its recently appointed chief commercial officer, Jill Finney, who was today alleged to have been involved in the “cover-up” of baby deaths at a British hospital.
The allegations concern Finney’s previous job as deputy CEO of the Care Quality Commission, which regulates the UK’s National Health Service.
According to reports today, Finney was one of three people responsible for suppressing an internal CQC report detailing its own failure to spot problems at a maternity unit.
Poor standards of care at the hospital in question led to the deaths of as many as 16 babies and two mothers, the Guardian reported today.
It’s a big story in the UK, where a tendency for NHS executives to put the reputations of their hospitals over transparency and patient care has become a political football.
In a statement, Nominet, which regularly faces its own complaints about transparency and accountability, said:
The increasing public scrutiny over our CCO’s former role at CQC has made it impossible for her to continue with her role and responsibilities at Nominet.
With regret, we felt it necessary to terminate Jill Finney’s employment with immediate effect. Ms Finney will be paid one month’s salary in lieu of notice.
Finney joined Nominet directly from the CQC in February. Her name had been associated with transparency failures at the CQC even then, which made the hire seem odd at the time.