Worldwide WCrypt Ransomware Attack…Stopped by Accident

By Faye Higbee

On May 12, a worldwide WCrypt ransomware attack hurled hospitals and other entities into chaos. It seemed unstoppable as it replicated itself across the world, hitting hospitals, governments and businesses. It exploited a vulnerability known to the NSA/CIA and used “cyberweapons” software, though a different one from Wikileaks’ Vault 7. One astute computer technician accidentally stopped the attack, and didn’t know he had done it.

Ransomware: a type of malicious software designed to block access to a computer system until a sum of money is paid.

Also known as WannaCry, WanaCryptor and WCrypt.

The problem is, with hospitals and other emergency services, a blocked screen can be life-threatening. Yesterday’s attack had spanned 74 countries before it was inadvertently stopped.

UPDATE: Europol stated that the attack spanned 150 nations and over 100,000 companies.

This is a map of the infections by the malware as of yesterday.

Some hospitals that were hit with the malware had to move their patients to other hospitals, or cancel surgeries. As of yesterday, the cybercriminals had gained 16 payments totaling $4,675.

According to the BBC,

The total number of NHS services which have been affected stands at 39 hospital trusts, with GP practices and dental services also targeted across England and Scotland.
Some 74 countries, including the UK, US, China, Russia, Spain, Italy and Taiwan, have reported being affected by a virus.
Theresa May said the attack was not targeted at the NHS; it was part of an international incident.

The ransomware was operating out of an unregistered domain. That platform gave the malware a foothold to replicate. Specifically, it encrypted the files on the computers, essentially locking them away, and then threatened to destroy the locked files.

Stopped it by accident

According to Tom’s Guide, a website dedicated to computers,

The pseudonymous IT pro, who blogs under the name MalwareTech, analyzed WanaCryptor’s code and noticed that it reached out to a server at a specific web address. He saw that there was no actual server at that URL, so he bought the address name — in technical terms, he registered the domain — and set up his own “sinkhole” server to see how many infected computers would connect to it.

Much to MalwareTech’s surprise, the ransomware samples he and other researchers were analyzing suddenly stopped encrypting infected machines.

“I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental,” MalwareTech tweeted late on Friday. “So I can only add ‘accidentally stopped an international cyber attack’ to my résumé.”

Indeed he can. Normally, when infected machines are turned off, the infection is stopped unless the machine is turned back on too soon. P2P (peer-to-peer) means the malware hops from machine to machine, which suggests a worm-type malware.

“One thing that is very important to note is our sinkholing only stops this sample. There is nothing stopping them removing the domain check and trying again, so it’s incredibly important that any unpatched systems are patched as quickly as possible.” (MalwareTech)
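The kill-switch behaviour described in the Tom’s Guide passage above, and MalwareTech’s point that hosts stopped by the sinkhole still need patching, modelled as an added Python example (this is not code from the article, from MalwareTech or from the malware; the domain name and the DNS log lines are constructed placeholders, and `resolve` is an injected lookup function so the logic runs offline):

```python
import re
from typing import Callable, Optional

# Placeholder: the article does not name the kill-switch domain, so this is
# a constructed stand-in, not the real one.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"


def sample_would_encrypt(resolve: Callable[[str], Optional[str]]) -> bool:
    """Model of the behaviour Tom's Guide describes: the sample looks up the
    kill-switch domain first. If the lookup succeeds (the domain is now
    registered, e.g. by a sinkhole), the sample stops; only while the domain
    does not exist does it go on to encrypt. `resolve` is injected for testing."""
    try:
        answer = resolve(KILL_SWITCH_DOMAIN)
    except OSError:          # NXDOMAIN / network failure modelled as an exception
        answer = None
    return answer is None    # unregistered domain -> encryption proceeds


# Constructed DNS query log lines in a dnsmasq-like format (not real data).
SAMPLE_DNS_LOG = """\
May 12 14:01:07 dns01 dnsmasq[1]: query[A] killswitch-domain.example from 10.0.3.17
May 12 14:01:09 dns01 dnsmasq[1]: query[A] updates.example.org from 10.0.3.22
May 12 14:02:41 dns01 dnsmasq[1]: query[A] killswitch-domain.example from 10.0.7.5
May 12 14:02:42 dns01 dnsmasq[1]: query[A] killswitch-domain.example from 10.0.3.17
"""

_QUERY_RE = re.compile(r"query\[A\] (?P<name>\S+) from (?P<client>\S+)")


def hosts_querying_kill_switch(log_text: str) -> dict:
    """Return {client_ip: query_count} for every host that looked up the
    kill-switch domain. On your own resolver logs these are the hosts that
    ran the sample and were only saved by the sinkhole: as MalwareTech warns,
    a variant without the domain check would encrypt them, so patch them."""
    counts = {}
    for line in log_text.splitlines():
        m = _QUERY_RE.search(line)
        if m and m.group("name").rstrip(".").lower() == KILL_SWITCH_DOMAIN:
            counts[m.group("client")] = counts.get(m.group("client"), 0) + 1
    return counts


if __name__ == "__main__":
    print("before registration, would encrypt:", sample_would_encrypt(lambda name: None))
    print("after sinkhole, would encrypt:", sample_would_encrypt(lambda name: "192.0.2.10"))
    print("hosts that hit the kill switch:", hosts_querying_kill_switch(SAMPLE_DNS_LOG))
```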

You can read more about how MalwareTech shut it down here.
