WannaCry malware stops spreading, files still unrecoverable

Researcher activates kill switch to stop spread, but code still under analysis amid fear of more attacks

Image caption: WannaCry is known to have infected systems in dozens of countries.
By Mark Sutton. Published May 13, 2017

The WannaCry ransomware, which has infected systems in over 99 countries, appears to have stopped spreading, although there is still no known way to decrypt infected files.

A security researcher reports accidentally activating a ‘kill switch’, which prevents the malware from spreading itself further. WannaCry checks whether a specific URL is reachable before attacking files; once the researcher registered that URL, the ransomware stopped spreading.
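The kill-switch behaviour described above has a direct defensive use: any host that looked up the kill-switch domain has executed the malware, and a host whose lookup failed (before the domain was registered, or where outbound DNS was blocked) will have continued on to encrypt files and scan for other machines. The following is an added example, not code from the article or from any of the researchers it mentions; it scans constructed, dnsmasq-style DNS log lines for lookups of a placeholder domain (the real kill-switch domain is not given on this page) and reports which hosts queried it and whether each lookup resolved.

```python
import re
from collections import defaultdict

# Placeholder for the kill-switch domain; the real one is not named in the article.
KILL_SWITCH_DOMAIN = "killswitch.example"

# Constructed sample log in a dnsmasq-like format (not real traffic).
SAMPLE_LOG = """\
2017-05-12 14:02:11 query[A] killswitch.example from 10.0.0.15
2017-05-12 14:02:11 reply killswitch.example is NXDOMAIN
2017-05-12 14:02:20 query[A] update.microsoft.com from 10.0.0.15
2017-05-12 15:40:03 query[A] killswitch.example from 10.0.0.42
2017-05-12 15:40:03 reply killswitch.example is 192.0.2.10
2017-05-12 15:41:00 query[A] killswitch.example from 10.0.0.15
2017-05-12 15:41:00 reply killswitch.example is 192.0.2.10
"""

QUERY_RE = re.compile(r"^(?P<ts>\S+ \S+) query\[\w+\] (?P<name>\S+) from (?P<src>\S+)$")
REPLY_RE = re.compile(r"^(?P<ts>\S+ \S+) reply (?P<name>\S+) is (?P<answer>\S+)$")


def find_kill_switch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Map each source IP to a list of (timestamp, resolved) tuples for lookups of `domain`.

    A query is paired with the next reply line for the same name; a query that
    never receives a reply is recorded as unresolved.
    """
    lookups = defaultdict(list)
    pending = []  # (src, ts) queries for the domain awaiting a reply line
    for line in log_text.splitlines():
        q = QUERY_RE.match(line)
        if q:
            if q.group("name").lower() == domain:
                pending.append((q.group("src"), q.group("ts")))
            continue
        r = REPLY_RE.match(line)
        if r and r.group("name").lower() == domain:
            resolved = r.group("answer") != "NXDOMAIN"
            for src, ts in pending:
                lookups[src].append((ts, resolved))
            pending = []
    for src, ts in pending:  # unanswered queries count as failed lookups
        lookups[src].append((ts, False))
    return dict(lookups)


def hosts_that_proceeded(lookups):
    """Hosts with at least one failed lookup: the malware saw no kill switch there and continued."""
    return sorted(src for src, hits in lookups.items() if any(not ok for _, ok in hits))


if __name__ == "__main__":
    result = find_kill_switch_lookups(SAMPLE_LOG)
    for src, hits in sorted(result.items()):
        print(f"{src}: executed malware, lookups={hits}")
    print("likely encrypted/spread:", hosts_that_proceeded(result))
```

Every host in the result is worth isolating and reimaging regardless of the lookup outcome; the hosts returned by `hosts_that_proceeded` are the ones where the worm component is expected to have run, so their peers on the same network segment should be checked first.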

Security researchers from several companies have warned of the potential for a second stage in the malware or for new attacks that adapt the same ransomware.

Microsoft has released patches for older versions of Windows that are outside normal support, so that organisations can close the vulnerability exploited by WannaCry. Patches are now available for Windows XP, Windows 8, and Windows Server 2003. Customers running Windows 10 were not targeted by the attack.

The ransomware attacks began on Friday, and infected telcos, utilities, universities, ministries, rail companies, local government and private companies. As many as 104,000 infections have been reported so far.

In the GCC, infections have been reported in Kuwait, Saudi Arabia and the UAE, although not on the same scale as in Europe.

The attacks were not targeted: initial infection came through phishing, and a worm component then searched the network for other vulnerable PCs.

According to Kaspersky Lab the attack was initiated through a Server Message Block version 2 (SMBv2) remote code execution vulnerability in Microsoft Windows. SMB is mainly used to provide shared access to files, printers, and serial ports, among other uses.

The MS17-010 bug was exploited by the US National Security Agency (NSA), which built its own hacking tool, ‘Eternalblue’, around the exploit to spy on systems. This tool was stolen and made public in April, and has already been used by hackers to attack vulnerable systems.

The WannaCry malware has added a ransomware component to the NSA tool, encrypting a large number of file types and demanding a ransom of $300 in bitcoins, rising to $600 after three days. The malware threatens to delete all encrypted files after seven days. Security researchers are still analysing the code, but at present there is no way to decrypt infected files.

WannaCry also uses another NSA tool, Doublepulsar, as a backdoor to remotely control infected systems via Tor.
