While security researchers have had some success in preventing the WannaCry ransomware campaign from becoming a true epidemic with the use of kill switches hidden in the malware’s code, experts say those are just temporary solutions that may not last much longer.
The two versions of WannaCry that have emerged so far each have included a domain hard-coded into the malware. Researchers aren’t positive why the domains are there, but they have been able to figure out a way to stop the spread of the ransomware by registering them. Each of the domains was unregistered at the time the WannaCry variants were found in the wild, and a researcher who uses the name MalwareTech discovered one in the first version that emerged late last week. Many botnets and other malware campaigns have domains hidden in their code and they’re typically used for command and control.
Knowing this, the researcher registered the domain and then began noticing that when an infected machine tried to contact the domain and succeeded, it would then halt the infection routine. WannaCry is a worm-like piece of malware that uses compromised PCs to then scan for other vulnerable targets, so this tactic stopped the infection and scanning routine. When a second variant of the ransomware appeared over the weekend, French researcher Matt Suiche discovered another domain in the code and registered it, again stopping widespread infections. Researchers theorize that the domain in the code is a kind of primitive anti-analysis tool.
“We got incredibly lucky [the kill switch] was even involved in the creation of the malware.”
“I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox the malware exits to prevent further analysis,” MalwareTech said in a post.
But those kill switches are essentially the only things standing between vulnerable machines and a huge wave of WannaCry infections. Although Microsoft released a patch in March for the vulnerability that the ransomware uses to infect new machines, there are plenty of PCs that haven’t been patched yet. Researchers say a new version of the malware without a kill switch could be brutally effective.
“We got incredibly lucky that was even involved in the creation of the malware,” said Juan Andres Guerrero-Saade, a senior security researcher at Kaspersky Lab, said Wednesday during a webinar on the WannaCry outbreak.
“It actually means that we’ve barely bought a little time. If another version comes out without this, we’re going to have a very, very serious problem because there won’t be an easy way to slap a band aid on this.”
In some previous ransomware campaigns, researchers have been able to help victims by finding a mistake in the code or building a decryption tool. But Suiche said that’s unlikely in this case, because WannaCry uses a separate AES encryption key for each file and destroys the private key early on in the infection routine.
“Unless there’s some intelligence agency that works with supercomputers, we’re pretty much stuck with all those encrypted files,” Suiche, founder of Comae Technologies, said during the webinar. “It’s quite problematic.”
Image: Tim Regan, CC by license.