A cybersecurity researcher appears to have discovered a "kill switch" that can, for now, prevent the spread of the WannaCry ransomware that crippled the NHS on Friday and affected almost 100 countries.
The researcher, tweeting as @MalwareTechBlog, said the discovery was accidental, but that registering a domain name used by the malware stops it from spreading.
"Essentially they relied on a domain not being registered and by registering it, we stopped their malware spreading," @MalwareTechBlog told Agence France-Presse in a private message on Twitter.
The researcher warned, however, that people "need to update their systems ASAP" to avoid attack.
"The crisis isn't over, they can always change the code and try again," @MalwareTechBlog said.
It's very important everyone understands that all they need to do is change some code and start again. Patch your systems now! https://t.co/L4GIPLGKEs
— MalwareTech (@MalwareTechBlog) May 13, 2017
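The mechanism described above is an inverted beacon: the malware looks up a domain and exits if the lookup succeeds, so the unregistered domain acts as a "go" signal and registering it (sinkholing) turns every check into "stop". The same lookups are useful to a defender, because any host that queried the domain ran the dropper, and whether the query failed or succeeded tells you whether that host probably went on to encrypt. The following is an added example written for this page, not code from the article or from the researcher; it models the check at the DNS level (a simplification, since the real check also needs the registered domain to answer), uses a placeholder domain name rather than the real one, and parses constructed resolver log lines in an assumed "timestamp client qname rcode" format.

```python
"""Triage hosts from DNS resolver logs by the outcome of a kill-switch lookup.

Added example for illustration only. The domain, the log format and the
sample records below are all constructed; none of them is the real one.
"""
import re
from dataclasses import dataclass

# Placeholder for the kill-switch domain (assumption; the real name is not used here).
KILL_SWITCH_DOMAIN = "example-killswitch.invalid"

# Constructed resolver log in an assumed format: <timestamp> <client_ip> <qname> <rcode>.
# Morning entries predate the registration (NXDOMAIN), evening ones follow it (NOERROR).
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:07Z 10.20.1.15 example-killswitch.invalid NXDOMAIN
2017-05-12T10:01:09Z 10.20.1.15 update.example.net NOERROR
2017-05-12T10:03:44Z 10.20.1.22 example-killswitch.invalid NXDOMAIN
2017-05-12T16:40:02Z 10.20.2.8 example-killswitch.invalid NOERROR
2017-05-12T16:41:10Z 10.20.2.9 EXAMPLE-KILLSWITCH.INVALID. NOERROR
2017-05-12T16:45:00Z 10.20.3.3 www.example.org NOERROR
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def malware_would_run(domain_resolved: bool) -> bool:
    """The inverted check: a successful lookup means 'exit', a failed one means 'run'.

    This is exactly why registering the domain stops the spread, and also why a
    host that cannot reach the domain at all (no DNS egress, for instance) still
    fails the check and is not protected by the registration.
    """
    return not domain_resolved


@dataclass(frozen=True)
class Beacon:
    ts: str
    host: str
    rcode: str

    @property
    def proceeded(self) -> bool:
        """True if this lookup outcome would have let the malware continue."""
        return malware_would_run(self.rcode == "NOERROR")


def _normalise(qname: str) -> str:
    # DNS names are case-insensitive and may carry a trailing dot in logs.
    return qname.lower().rstrip(".")


def parse_beacons(log_text: str, domain: str = KILL_SWITCH_DOMAIN) -> list:
    """Return every lookup of the kill-switch domain as a Beacon, ignoring other traffic."""
    beacons = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing the whole run
        ts, host, qname, rcode = m.groups()
        if _normalise(qname) == _normalise(domain):
            beacons.append(Beacon(ts, host, rcode))
    return beacons


def triage(log_text: str, domain: str = KILL_SWITCH_DOMAIN) -> dict:
    """Map each beaconing host to 'likely_detonated' or 'sinkholed'.

    Any beacon at all means the dropper executed on that host. A host that ever
    failed the lookup is kept as 'likely_detonated' even if a later lookup
    succeeded, because the earlier failure is the run that would have encrypted.
    """
    verdicts = {}
    for b in parse_beacons(log_text, domain):
        status = "likely_detonated" if b.proceeded else "sinkholed"
        if verdicts.get(b.host) != "likely_detonated":
            verdicts[b.host] = status
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_DNS_LOG).items()):
        print(f"{host:12} {verdict}")
```

Run against real resolver logs, the "likely_detonated" hosts are the ones to isolate and image first; the "sinkholed" hosts still executed the dropper and need cleaning and patching, as the researcher's own warning makes clear.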
Friday's wave of cyberattacks, which affected dozens of countries, apparently exploited a Windows flaw exposed in exploit tools leaked from the US National Security Agency.
The attacks used ransomware, malware that encrypts users' files and demands a designated sum in the virtual currency Bitcoin to unlock them.
So long as the domain isn't revoked, this particular strain will no longer cause harm, but patch your systems ASAP as they will try again.
— MalwareTech (@MalwareTechBlog) May 13, 2017
Affected by the onslaught were computer networks at hospitals in Britain, Russia's interior ministry, the Spanish telecom giant Telefonica, the US delivery firm FedEx and many other organisations.
Rail passengers in Germany were confronted with the ransom message when looking up train information at stations after Deutsche Bahn was targeted.
"I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental," @MalwareTechBlog tweeted.
I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental.
— MalwareTech (@MalwareTechBlog) May 13, 2017
The kill switch does not, however, help computers that were already infected: files encrypted before the domain was registered stay encrypted.
"So long as the domain isn't revoked, this particular strain will no longer cause harm, but patch your systems ASAP as they will try again."
The malware is named WCry, but analysts were also using variants such as WannaCry.
Forcepoint Security Labs said in a Friday statement that the attack had "global scope" and was affecting networks in Australia, Belgium, France, Germany, Italy and Mexico.
In the United States, FedEx acknowledged it had been hit by malware and was "implementing remediation steps as quickly as possible."
Also badly hit was Britain's National Health Service, which declared a "major incident" after the attack forced some hospitals to divert ambulances and cancel operations.
Pictures posted on social media showed screens of NHS computers with images demanding payment of $300 in Bitcoin, saying: "Ooops, your files have been encrypted!"
The message demands payment within three days or the price doubles; if none is received within seven days, the files will be deleted.
A hacking group called the Shadow Brokers released the exploit for the flaw in April, claiming to have obtained it from the NSA, according to Kaspersky Lab, a Russian cybersecurity provider.
Kaspersky researcher Costin Raiu cited 45,000 attacks in 74 countries as of Friday evening.