A cyber security researcher has described how he halted the spread of ransomware that has affected hundreds of organisations worldwide, including the UK’s national health service. The man, known by the pseudonym MalwareTech, had taken a week off work, but decided to investigate after hearing about the global cyber-attack. He managed to bring the spread to a halt when he found what appeared to be a “kill switch” in the rogue software’s code.
Despite not being at work, the researcher had checked into a UK cyber threat sharing platform “where I had been following the spread of the Emotet banking malware. There were a few of your usual posts about various organisations being hit with ransomware, but nothing significant…yet. I ended up going out to lunch with a friend. Meanwhile the WannaCrypt ransomware campaign had entered full swing. When I returned home at about 2:30, the threat sharing platform was flooded with posts about various NHS systems all across the country being hit.
“Although ransomware on a public sector system isn’t even newsworthy, systems being hit simultaneously across the country is; contrary to popular belief, most NHS employees don’t open phishing emails which suggested that something to be this widespread it would have to be propagated using another method. I was quickly able to get a sample of the malware [and after] running the sample in my analysis environment I instantly noticed it queried an unregistered domain, which I promptly registered.”
It cost him £8 and his thinking was that it would allow him to see where computers were accessing it from, and give him an idea of how widespread the ransomware was. But by doing so he interrupted part of the ransomware’s code that told it to continue spreading as long as the web address did not exist, something known as a “kill switch” which in some cases is used to halt the spread of software.
“Registration of the domain was not on a whim. My job is to look for ways we can track and potentially stop botnets, and other kinds of malware, so I’m always on the lookout to pick up unregistered malware control server (C2) domains. In fact I registered several thousand of such domains in the past year. Our standard model goes something like this.
- Look for unregistered or expired C2 domains belonging to active botnets and point it to our sinkhole (a sinkhole is a server designed to capture malicious traffic and prevent control of infected computers by the criminals who infected them).
- Gather data on the geographical distribution and scale of the infections, including IP addresses, which can be used to notify victims that they’re infected and assist law enforcement.
- Reverse engineer the malware and see if there are any vulnerabilities in the code which would allow us to take-over the malware/botnet and prevent the spread or malicious use, via the domain we registered.
“In the case of WannaCrypt, step 1, 2 and 3 were all one and the same, I just didn’t know it yet.” It took more investigation and collaboration with fellow security researchers to establish that the ransomware had been halted. But in a blog post he added: “One thing that is very important to note is our sinkholing only stops this sample and there is nothing stopping them removing the domain check and trying again, so it’s incredibly importiant that any unpatched systems are patched as quickly as possible.”
This afternoon, the Scottish Government issued an update on the impact on Scotland, saying that 13 of its 14 health boards had been affected but “measures to isolate any issues are now in place, with some systems expected to be operational over the weekend”. The boards affected are: NHS Borders, NHS Dumfries and Galloway, NHS Fife, NHS Forth Valley, NHS Lanarkshire, NHS Greater Glasgow and Clyde, NHS Tayside, NHS Western Isles, NHS Highlands, NHS Grampian, NHS Ayrshire and Arran, NHS National Services and Scottish Ambulance Service.
It said that in many areas, with the exception of NHS Lanarkshire, the number of PCs or systems affected is in “single figures”. In a statement it added: “There is no evidence that patient data has been compromised and patient services, including emergency service, are continuing to operate across Scotland. Other public bodies are currently running checks on their systems as a precaution ahead of the working week starting on Monday.”