How a $10.69 pur­chase may have side­lined the global mal­ware at­tack

The Washington Post Sunday - - POLITICS & THE NATION -

london — As the world was just be­gin­ning to un­der­stand the di­men­sions of Wanna De­cryp­tor 2.0, the ran­somware that crip­pled com­put­ers world­wide, a va­ca­tion­ing Bri­tish cy­ber­se­cu­rity re­searcher was al­ready sev­eral steps ahead.

About 3 p.m. Eastern time Fri­day, the spe­cial­ist with U.S. cy­ber­se­cu­rity en­ter­prise Kryp­tos Logic bought an un­usu­ally long and non­sen­si­cal do­main name end­ing with “” The 22-year-old says he paid $10.69, but his pur­chase might have saved com­pa­nies and gov­ern­ment in­sti­tu­tions around the world bil­lions of dol­lars.

By pur­chas­ing the do­main name and reg­is­ter­ing a web­site, the cy­ber­se­cu­rity re­searcher claims he ac­ti­vated a kill switch. It im­me­di­ately slowed the spread of the mal­ware and could ul­ti­mately stop its cur­rent ver­sion, cy­ber­se­cu­rity ex­perts said Satur­day.

Hid­den in the mal­ware, the kill switch prob­a­bly was not sup­posed to be ac­ti­vated any­time soon. Per­haps it wasn’t sup­posed to be there in the first place.

“What it had not counted on was a re­searcher do­ing the world a ser­vice and tak­ing ad­van­tage of a flaw that now seemed glar­ingly ob­vi­ous in hind­sight,” said Robert McAr­dle, a re­search direc­tor with Toky­obased cy­ber­se­cu­rity com­pany Trend Mi­cro.

When Darien Huss and a col­league, both re­searchers with U.S. cy­ber­se­cu­rity com­pany Proof­point, came across the strange do­main in the code early Fri­day af­ter­noon, Huss im­me­di­ately flagged his dis­cov­ery on so­cial me­dia.

Alerted by the find­ing, a 22year-old uniden­ti­fied re­searcher who tweets us­ing the han­dle @Mal­wareTechBlog de­cided to take ac­tion, not know­ing what im­pact that reg­is­ter­ing the do­main would have.

While spread­ing to com­put­ers, the mal­ware made re­quests to the un­reg­is­tered web­site end­ing with “” Un­til about 3 p.m. Fri­day, all those re­quests went unan­swered — prob­a­bly trig­ger­ing the ac­ti­va­tion of the mal­ware.

But as soon as the web­site was reg­is­tered, au­to­matic re­quests sky­rock­eted, ac­cord­ing to screen shots pub­lished on the re­searcher’s Twit­ter ac­count. And by reg­is­ter­ing the web­site, the kill switch ap­par­ently was thrown.

“If the do­main suc­cess­fully re­solves to an IP ad­dress, the mal­ware will stop run­ning,” McAr­dle ex­plained.

The 22-year-old, who spoke with The Wash­ing­ton Post on Satur­day via email on the con­di­tion of anonymity, said the use of a do­main name as a kill switch ap­peared un­prece­dented to him. “Pre­vi­ous mal­ware has used such a check to de­tect anal­y­sis en­vi­ron­ments but not in a way which can be used to stop the mal­ware,” he said.

It re­mains un­known, how­ever, whether the Web do­main was in­tended to be a de­lib­er­ate kill switch. McAr­dle said an ac­ci­den­tal flaw in the ran­somware is a more prob­a­ble ex­pla­na­tion.

“At first glance, this may ap­pear to be a de­lib­er­ate kill switch in the mal­ware for the au­thors’ use,” McAr­dle said, re­fer­ring to the pos­si­bil­ity that the mal­ware’s cre­ators in­cluded the do­main to be able to stop its spread if their op­er­a­tion gets out of con­trol.

But “in re­al­ity, it’s a flaw that ac­tu­ally al­lowed for the spread of the mal­ware to be greatly slowed down, al­beit ac­ci­den­tally, by the re­searcher who reg­is­tered it early dur­ing the out­break,” McAr­dle said.

Fri­day’s dis­cov­ery may have slowed the mal­ware’s spread, but it is un­likely to stop it, se­cu­rity ex­perts said, be­cause the mal­ware’s cre­ators could re­lease a dif­fer­ent ver­sion with­out a kill switch.

“At this point, we have to as­sume that it will re­turn,” said Ryan Kalem­ber, a se­nior vice pres­i­dent at Proof­point.

Still, slow­ing the spread of the mal­ware could give com­pa­nies cru­cial time to con­duct back­ups or to up­date their se­cu­rity soft­wares — pro­vided they are able to do so.

“Many large or­ga­ni­za­tions con­tinue to use out-of-date sys­tems for which reg­u­lar [up­dates] are not avail­able any­more,” Kalem­ber said.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.