Hackers trying to bring back WannaCry attacks by DDoSing its KillSwitch

It was over a week ago when the nasty WannaCry ransomware attack started infecting critical cyber infrastructure in more than 150 countries. Its target was Windows users demanding a ransom payment of $300 in Bitcoin in order to unlock their files. Not to mention that it was all possible due to an NSA exploit leaked by a hacking group calling itself Shadow Brokers.

The WannaCry infection is not only limited to computers but also affecting medical devices. The IT security community are doing whatever it takes to stop the cyber criminals behind the whole campaign from spreading the virus further and targeting unsuspecting users. One of those researchers was Marcus Hutchins from the United Kingdom who discovered a domain used by WannaCry to communicate at the point of infection. Marcus did not only discover the domain but also registered it resulting in halting infection since the domain turned out to be the KillSwitch for WannaCry attack.

Now, Marcus has revealed that the domain he registered is receiving distributed denial-of-service (DDoS) attack which means the hackers are trying to take down the domain so they can carry on with the malware attack. The hackers are using variants of the Mirai botnet for their attacks. The infamous Mirai malware was discovered last year and conducted the Internet’s largest ever DDoS attack on DYN’s DNS and OVH hosting in France through compromised CCTV, DVRs and routers.


According to Wired, the KillSwitch is under DDoS attack and the attacks have peaked at 20 gigabits per seconds and are trending up. If they succeed, the inoperative WannaCry system will come back to life and begin to spread again.

Now a few devious hackers appear to be trying to combine those two internet plagues: They’re using their own copycats of the Mirai botnet to attack WannaCry’s kill-switch. So far, researchers have managed to fight off the attacks. But in the unlikely event that the hackers succeed, the ransomware could once again start spreading unabated.

“Pretty much as soon as it went public what had happened, one of the Mirai botnets started on the sinkhole,” says Marcus Hutchins, the British security researcher who registered the WannaCry kill-switch domain. Since then, he says, near-daily attacks from that first botnet and others built with the same Mirai malware have steadily ticked up in size and impact.

If the DDoS assault succeeds, WannaCry infections would immediately reignite. The ransomware stops scanning for new victims 24 hours after installing itself on a computer, says Matt Olney, a security researcher with Cisco’s Talos team. But anytime one of those infected machines reboots, it starts scanning again. “The ones that were successfully encrypted are in this zombie state, where they’re waiting to be reactivated if that domain goes away,” says Olney.

It must be noted that the second KillSwtich for WannaCry was identified by a French security researcher Matthieu Suiche but as of now, there is no indication if the KillSwitch domain owned by him is receiving DDoS attacks or not. However, the good news is that Suiche has come up with “wannakiwi,” a tool which helps users to clean their devices from WannaCry infection. 

If your device has been infected with this nasty malware download ‘wannakiwi’ tool from here.

Image Credit: Shutterstock/BeeBright

DDoS attacks are increasing, calculate the cost and probability of a DDoS attack on your business with this DDoS Downtime Cost Calculator.

Related Posts