The expert added that the standard model was to search for expired command and control (C2) domains belonging to botnets and redirect them to sinkholes (servers designed to capture malicious traffic rather than allowing it to reach victims).
This allows them to gather data on the geographic distribution and scale of the attack, which can then be used to protect users and inform authorities.
It is also standard practice to reverse engineer the code to check for vulnerabilities that could potentially be used to take over the malware and the botnet via a registered domain.
The researcher said it took a while for them to realise the botnet had been disabled but doesn’t believe this was a deliberate killswitch. Instead, they speculated it was designed to stop the malware functioning in a testing environment so further analysis could not be performed.
Microsoft ended formal support for Windows XP in 2014 but several organisations have paid for extended updates because of their reliance on the aging and increasingly insecure platform.
The NHS was one of these organisations, signing a one-year extension in 2014. However, this was not extended in 2015 and a possible attack has long been mooted. Indeed, according to NHS Digital, as many as five percent of NHS devices run Windows XP.
Microsoft rushed out an emergency patch for WannaCry, a step which it admitted was unusual. In March, the SMB exploit in question was fixed, but it appears the update was not applied in many parts of the NHS, while the lack of support for Windows XP meant these systems were vulnerable.
The fallout from the debacle will reopen many arguments – not least investment in cybersecurity, funding for the health service and the ongoing threat of ransomware – but MalwareTech is adamant that another assault could be on the way – as early as Monday.
All the botnet has to do to become a threat again is change the domain. So, the advice is simple: patch now. And probably stop using Windows XP.