Researcher Finds Kill Switch for new variant of WannaCry Ransomware

Internet users worldwide are now familiar with the WannaCry or WanaCrypt0r ransomware attack and how cybercriminals used it to infect cyber infrastructure of banking giants, hospitals, tech firms and sensitive installation in more than 90 countries.

The users may also know that a British security researcher MalwareTechBlog accidentally discovered the kill switch of WanaCry by registering a domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea [dot] com) for just $10.69. The domain registry slowed down the attacks but didn’t stop them entirely

125 victims paying now. ~18.5 bitcoin. ~$32K USD.

I rly hope this doesn’t get worse tomorrow. pic.twitter.com/0JHdyOAUrr

— boB Rudis (@hrbrmstr) May 14, 2017

Soon after, a security researcher from France going by the handle of @benkow_ on Twitter discovered a new variant WanaCrypt0r 2.0 and sent it to Matthieu Suiche for an in-depth analysis who is also an IT security researcher.

Upon analyzing, Suiche successfully discovered its kill switch which was another domain (ifferfsodp9ifjaposdfjhgosurijfaewrwergwea [dot] com). According to Suiche’s blog post, he then successfully registered the domain to halt the new and growing wave of cyber attacks through WannaCry ransomware.

New kill switch detected ! https://t.co/sMyyGWbgnF #WannaCry – Just pushed for an order ! pic.twitter.com/cV6i8DpaF4

— Matt Swish @ BH/DC (@msuiche) May 14, 2017

This version found on the right by @craiu was found on https://t.co/C4PLgbzCHw using YARA rules. Not in the wild, unlike the other variant.

— Matt Swish @ BH/DC (@msuiche) May 14, 2017

Thanks to @benkow_ who found what looks like a new 'kill switch' domain and @msuiche who registered it and transferred it to our sinkhole.

— MalwareTech@Vegas (@MalwareTechBlog) May 14, 2017

• “The security community has been active all week-end on this to slow down the progression of the attack as much as possible to avoid further damages in institutions like the NHS. The longer we wait for the faster the malware spreads, this is why I’m glad really I was able to register this second domain so quickly to avoid post-pone chaos like we saw with the NHS,” Suiche told HackRead

Although registering the new kill switch is just a temporary solution; one should expect more new variants of WannaCry ransomware. Therefore, for now, users are on their own and need to implement emergency security measures to make sure they don’t fall victim to these attacks. For this, users need to make sure following things:

1. Do not open an unknown email
2. Do not download files from an unknown email
3. Do not click files from an unknown email
4. Avoid visiting malicious sites
5. Do not download software and apps from a third-party store/website
6. Show hidden file extensions
7. Keep your system updates
8. Make sure you are using a reputable security suite
9. Back up your data
10. Use System Restore to get back to a known-clean state

What should Microsoft users do?

Windows is the most affected operating system in this cyber attack since WannaCry exploits a security flaw in SMB within Windows. The users can simply disable SMB to prevent against WannaCry attacks.

Microsoft has also taken the matter seriously and released an update earlier today which detects this threat as Ransom: Win32/WannaCrypt. However, one user on Imgur compiled a “direct download” list of all the patches released by Microsoft.

For more information visit Microsoft’s blog post on the WanaCry attack, apply patch asap and kudos to the security researchers who are spending all their time to protect users against WannaCry attack.

DDoS attacks are increasing, calculate the cost and probability of a DDoS attack on your business with this DDoS Downtime Cost Calculator.