The “WannaCry” ransomware worm spread across the globe overnight, using spam, multiple infection methods, and leaked NSA exploits. Roughly 75,000 PCs were infected. What made the situation even worse was that the ransomware hit 48 NHS hospitals across Britain, halting operations and causing panic in the medical community.
Fortunately, a U.K. researcher who goes by the name MalwareTech saw an opportunity to temporarily halt the worm before it spread even further. While tracing the infection traffic back to its source, MalwareTech noticed that one of the web domains the attackers were using wasn’t registered. The 22-year-old immediately took control of the domain by purchasing it for $10. As soon as he owned it, he started seeing connections from infected victims, and began devising a plan to halt the progress of the ransomware.
It doesn’t stop there. MalwareTech also took down the WannaCry operation, which wasn’t in his original plans. The attackers had built a check into the ransomware that was meant to detect analysis sandboxes, which commonly fake Internet access for the quarantined PCs they run. By a stroke of good luck, registering the domain tripped that check on every real infection, and the ransomware halted itself. As MalwareTech put it, “It was meant as an anti-sandbox measure that they didn’t quite think through.” In other words, the malware essentially destroyed itself as a result of this ping.
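The same sinkhole signal that showed MalwareTech the infected victims is available to any defender who keeps DNS query logs: a host inside your network that looks up the kill-switch domain is a host that has already run the worm. The script below is an added example (not code from the article or from MalwareTech); it parses constructed BIND-style query-log lines and reports which client IPs queried the kill-switch domain, how often, and when first seen. The domain name is a placeholder, since the real one is not given on the page, and the log format is an assumption.

```python
"""Count hosts that queried the WannaCry kill-switch domain in a DNS query log.

Added example, not part of the original article. The domain below is a
placeholder (the real kill-switch domain is not given on the page) and the
log lines are constructed for the example in a BIND-like layout.
"""
import re
from collections import Counter

# Placeholder for the sinkholed kill-switch domain (hypothetical name).
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# Constructed sample lines in a BIND-style query-log layout:
# "<timestamp> client <ip>#<port>: query: <name> IN <type>"
SAMPLE_DNS_LOG = """\
2017-05-12T10:03:21Z client 10.0.4.17#51002: query: killswitch-domain.example IN A
2017-05-12T10:03:22Z client 10.0.4.17#51003: query: www.example.org IN A
2017-05-12T10:03:40Z client 10.0.9.3#40211: query: KILLSWITCH-DOMAIN.EXAMPLE. IN A
2017-05-12T10:04:02Z client 10.0.4.17#51010: query: killswitch-domain.example IN A
2017-05-12T10:05:15Z client 10.0.12.88#33107: query: mail.example.org IN MX
2017-05-12T10:06:48Z client 10.0.9.3#40230: query: killswitch-domain.example IN AAAA
this line is not a query log entry
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client\s+(?P<ip>[0-9a-fA-F.:]+)#\d+:\s+query:\s+"
    r"(?P<name>\S+)\s+IN\s+(?P<qtype>\S+)$"
)


def parse_query_lines(text):
    """Yield (timestamp, client_ip, queried_name) for each well-formed line.

    Names are normalised: lower-cased, trailing dot removed, so that
    'EXAMPLE.COM.' and 'example.com' compare equal. Malformed lines are skipped.
    """
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name = m.group("name").rstrip(".").lower()
        yield m.group("ts"), m.group("ip"), name


def kill_switch_lookups(text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: (lookup_count, first_seen_timestamp)} for every client
    that queried the kill-switch domain, regardless of record type."""
    counts = Counter()
    first_seen = {}
    for ts, ip, name in parse_query_lines(text):
        if name == domain.rstrip(".").lower():
            counts[ip] += 1
            first_seen.setdefault(ip, ts)
    return {ip: (counts[ip], first_seen[ip]) for ip in counts}


def summarize(text, domain=KILL_SWITCH_DOMAIN):
    """Compact summary suitable for a ticket: suspected hosts and total lookups."""
    hits = kill_switch_lookups(text, domain)
    return {
        "suspected_hosts": sorted(hits),
        "total_lookups": sum(count for count, _ in hits.values()),
    }


if __name__ == "__main__":
    for ip, (count, ts) in sorted(kill_switch_lookups(SAMPLE_DNS_LOG).items()):
        print(f"{ip}: {count} lookup(s), first seen {ts}")
    print(summarize(SAMPLE_DNS_LOG))
```

Each flagged host should be isolated and checked for the infection rather than treated as merely suspicious: because the kill-switch check runs early, a query to the domain means the worm has already executed, even if the sinkhole response stopped it from encrypting anything.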
Because the ransomware spreads by itself across a network, detection and protection must be a priority on every PC. Many clients rely on Norton and Symantec services to protect themselves against infection. Norton and Symantec have proactively blocked the ransomware’s infection using a combination of methods; SEP14 Advanced Machine Learning and the Blue Coat Global Intelligence Network (GIN) are two examples.
Customers who have technologies such as IPS network-based protection, Advanced Machine Learning, Intelligent Threat Cloud, and SONAR behavior detection should always make sure they remain active for full protection. Failure to do so could leave a PC thoroughly infected by the malware.
WannaCry scans for and encrypts a wide range of file types, appending its own extension to each. It then displays a note demanding a $300 ransom in Bitcoin and urging prompt payment. The note also states that the ransom will double in three days and that the encrypted files will be deleted after seven. Symantec has analyzed the ransomware and did not find any code that would let the attacker delete those files. The deletion threat is essentially empty, designed to scare people into paying thieves and con artists. Do not pay the ransom and do not attempt to contact the address in the note if you are infected by the malware. Back up important files to a separate drive beforehand so that an infection can be recovered from.