'Accidental hero' finds kill switch to stop spread of ransomware cyber-attack


tao


Spread of malware curtailed by expert who simply registered a domain name for a few dollars, giving many across world time to protect against attack

 

An “accidental hero” has halted the global spread of the WannaCry ransomware, reportedly by spending a few dollars on registering a domain name hidden in the malware.

 

The ransomware has wreaked havoc on organizations including FedEx and Telefonica, as well as the UK’s National Health Service (NHS), where operations were cancelled, x-rays, test results and patient records became unavailable and phones did not work.

 

However, a UK cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and activated a “kill switch” in the malicious software.

 

The switch was hardcoded into the malware in case the creator wanted to stop it spreading. This involved a very long nonsensical domain name that the malware makes a request to – just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading.

 

“I saw it wasn’t registered and thought, ‘I think I’ll have that’,” he is reported as saying. The purchase cost him $10.69. Immediately, the domain name was registering thousands of connections every second.

 

“They get the accidental hero award of the day,” said Proofpoint’s Ryan Kalember. “They didn’t realize how much it probably slowed down the spread of this ransomware.”

 

The time that @malwaretechblog registered the domain was too late to help Europe and Asia, where many organizations were affected. But it gave people in the US more time to develop immunity to the attack by patching their systems before they were infected, said Kalember.

 

The kill switch won’t help anyone whose computer is already infected with the ransomware, and it’s possible that there are other variants of the malware with different kill switches that will continue to spread.

 

The malware was made available online on 14 April through a dump by a group called Shadow Brokers, which claimed last year to have stolen a cache of “cyber weapons” from the National Security Agency (NSA).

 

Ransomware is a type of malware that encrypts a user’s data, then demands payment in exchange for unlocking the data. This attack was caused by a bug called “WanaCrypt0r 2.0” or WannaCry, that exploits a vulnerability in Windows. Microsoft released a patch (a software update that fixes the problem) for the flaw in March, but computers that have not installed the security update remain vulnerable.

 

The ransomware demands users pay $300 worth of cryptocurrency Bitcoin to retrieve their files, though it warns that the “payment will be raised” after a certain amount of time. Translations of the ransom message in 28 languages are included. The malware spreads through email.

 

“This was eminently predictable in lots of ways,” said Ryan Kalember from cybersecurity firm Proofpoint. “As soon as the Shadow Brokers dump came out everyone [in the security industry] realized that a lot of people wouldn’t be able to install a patch, especially if they used an operating system like Windows XP [which many NHS computers still use], for which there is no patch.”

 

Security researchers with Kaspersky Lab have recorded more than 45,000 attacks in 74 countries, including the UK, Russia, Ukraine, India, China, Italy, and Egypt. In Spain, major companies including telecommunications firm Telefónica were infected.

 

By Friday evening, the ransomware had spread to the United States and South America, though Europe and Russia remained the hardest hit, according to security researchers Malware Hunter Team. The Russian interior ministry says about 1,000 computers have been affected.

 

[Note: URL (of the article) is in the header.]

 

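The mechanism the article describes (the malware resolves a domain and stops spreading if the lookup comes back live) also hands defenders a detection hook: once that domain is registered and pointed at a sinkhole, every internal host that looks it up is a machine that executed the malware and should be triaged, even though the kill switch kept it from spreading further. The script below is an added example, not code from the article or from MalwareTech. The kill-switch domain is a placeholder, since the article does not print it, and the DNS query log format and sample lines are constructed for the demonstration.

```python
from datetime import datetime

# Placeholder: the article does not name the kill-switch domain, so this
# stand-in is invented for the example and is not the real value.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed sample DNS query log, one query per line:
# "<timestamp> <client-ip> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
2017-05-12T15:01:07Z 10.0.0.15 A www.example.com
2017-05-12T15:01:09Z 10.0.0.15 A killswitch-placeholder.example
2017-05-12T15:01:09Z 10.0.0.22 A KILLSWITCH-PLACEHOLDER.EXAMPLE.
2017-05-12T15:02:41Z 10.0.0.15 A killswitch-placeholder.example
2017-05-12T15:03:00Z 10.0.0.31 A notkillswitch-placeholder.example
2017-05-12T15:03:12Z 10.0.0.40 AAAA mail.example.org
malformed line without enough fields
"""


def normalize_qname(qname):
    """Lower-case the name and strip a trailing root dot so comparisons are exact."""
    return qname.rstrip(".").lower()


def matches_kill_switch(qname, domain=KILL_SWITCH_DOMAIN):
    """True for the domain itself or any label beneath it.

    A plain substring test would also flag look-alikes such as
    'notkillswitch-placeholder.example', so the match is anchored on a
    label boundary instead.
    """
    q = normalize_qname(qname)
    d = normalize_qname(domain)
    return q == d or q.endswith("." + d)


def find_kill_switch_clients(log_text, domain=KILL_SWITCH_DOMAIN):
    """Aggregate kill-switch lookups per client.

    Returns {client_ip: {"count": n, "first_seen": datetime, "last_seen": datetime}}
    for every client that queried the kill-switch domain. Malformed lines are
    skipped rather than aborting the whole run.
    """
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # not in the expected four-field format
        ts_raw, client, _qtype, qname = parts
        if not matches_kill_switch(qname, domain):
            continue
        ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ")
        entry = hits.setdefault(client, {"count": 0, "first_seen": ts, "last_seen": ts})
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
    return hits


if __name__ == "__main__":
    # Each client listed here ran the malware and should be isolated and checked,
    # whether or not the kill switch stopped it from spreading further.
    for client, info in sorted(find_kill_switch_clients(SAMPLE_DNS_LOG).items()):
        print(f"{client}: {info['count']} lookup(s), "
              f"first {info['first_seen']:%H:%M:%S}, last {info['last_seen']:%H:%M:%S}")
```

On the constructed log this flags 10.0.0.15 (two lookups) and 10.0.0.22 (one, matched despite upper case and a trailing dot), and ignores the look-alike domain and the malformed line. In a real deployment the same logic would run over resolver query logs or network sensor output rather than an inline string.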

that good funny no cyber intelligence agency discover wanted ransom in bitcoin time to make illegal control or buzzing word regulate


UK tabloids were on a twisted mission the other day - find out, at whatever price, just who is behind the MalwareTech Twitter handle. In other words, they wanted to know the name of the "accidental hero" who stopped the spread of one of the largest cyber attacks in history. 

Their methods weren't exactly the greatest - they doxxed him. They dug and dug the Internet for traces of any information that may help identify him. They stalked his Instagram, tracked a girl and stalked her too. It was completely insane and not something you should do to someone who was already more than willing to speak to you, albeit not face to face. 

The only thing the young researcher wanted to do was remain anonymous, do what he loves and continue saving the world. Against his will, his name has now been made public. Personal details about him were made public too, even though they held no weight in what he did and why he did it. 

The only information anyone really needed about him was that he managed to put a stop to the spread of the WannaCry ransomware by taking a chance on registering a simple, gibberish domain he found inside the malware's code. That's it. It seems we live in a world where some can't respect people's privacy no matter what. 

A security risk

MalwareTech was quite responsive to media requests in the beginning, even sharing some info about himself - his age, where he lived and that he worked for a security firm in L.A. He expressed no desire for fame, hence his decision to not come forth with his identity. 

There was even the concern that now that his identity is no longer private, the attackers whose plans were foiled by him triggering the kill switch, would somehow come after him. 

"For the record I don't "fear for my safety," I'm just unhappy with trying to help clear up Friday's mess with the doorbell going constantly," he tweeted.

 

 

 

Tabloid scum!

 

 

 

http://news.softpedia.com/news/british-tabloids-doxxed-wannacry-accidental-hero-515737.shtml

 


 

HackerOne rewards "accidental hero" white hat

 

The security researcher that put a stop to the spread of WannaCry last week was rewarded a $10,000 bug bounty by HackerOne. 

 

The white hat hacker MalwareTech, who has since been identified after British tabloids doxxed him while he clearly wanted to keep his anonymity, managed to put a stop to the spread of this ransomware by registering a gibberish domain found deep within the malware's code, effectively triggering the kill switch.

 

Of course, ever since then other variants have popped up in the wild, some with kill switches of their own, others without. Nonetheless, the worst wave had been stopped. In total, around 220,000 computers have been infected in over 150 countries across the world. Even more such infections were blocked by security solutions. 

 

HackerOne, the bug bounty platform used by dozens of companies and even the US Army, has decided it would be a good idea to reward MalwareTech for the great service he did the world. 

 

The young white hat doesn't plan to keep the money. According to his tweets, he plans to split the money between to-be-decided charities and purchasing infosec based books to give to students who can't afford them. 

 


 

Everyone loves pizza


Since those very same tabloids that managed to dig up the hacker's name (as well as every other personal detail about him that no one needs to know because it's not relevant to how he managed to save hundreds of thousands of devices from being infected by ransomware) also found out he apparently likes pizza, the Just Eat pizza chain joined the PR bandwagon and announced they were supplying him with free pizza for a year. 

 

"Guy pretty much saves the world – Just Eat give him free pizza for a year. A sentence so beautiful it brings a tear to one’s eye. Modern-day superheroes travel by surfboard, are really good at stopping nasty computer hackers, and LOVE pizza from Just Eat restaurants. That’s now a fact. So old superheroes, step aside and have a long old look in the mirror," folks over at Just Eat wrote in a blog post. 

 

Source
