alacran

Wana Decrypt0r Ransomware Outbreak Temporarily Stopped By "Accidental Hero"


Link: https://www.bleepingcomputer.com/news/security/wana-decrypt0r-ransomware-outbreak-temporarily-stopped-by-accidental-hero-/

A security researcher who goes online by the nickname of MalwareTech is the hero of the day, albeit an accidental one, after having saved countless computers worldwide from a virulent form of ransomware called Wana Decrypt0r (also referenced as WCry, WannaCry, WannaCrypt, and WanaCrypt0r).

What MalwareTech did was spend around £10 to register a domain he found in the ransomware's source code.

Security researcher finds ransomware kill switch

The researcher discovered that the virulent and self-spreading Wana Decrypt0r ransomware was making a pre-infection check to a domain located at iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.

If the domain was unregistered, the ransomware would start encrypting files. But if the domain was registered, the ransomware would stop its infection process.

By registering this domain, MalwareTech had accidentally triggered a worldwide kill-switch for the ransomware's self-spreading feature.

Everyone needs to update their computers!

"It's very important everyone understands that all they [Wana Decrypt0r gang] need to do is change some code and start again," MalwareTech explained last night. "Patch your systems now!"

The Wana Decrypt0r ransomware used a self-spreading mechanism derived from an NSA exploit leaked by the Shadow Brokers. That exploit can be mitigated by installing the patches included with Microsoft security bulletin MS17-010.

Additionally, Microsoft has released an update for older operating systems that are no longer officially supported, such as Windows XP, Windows 8, and Windows Server 2003. The update can be downloaded from here.

People already infected with this ransomware will not get their files back just because that domain was registered. It means that no new infections will occur with yesterday's strain. Currently, there's no known method of breaking the ransomware's encryption.

The only viable method of getting files back at the moment is from previous operating system backups or, as a last resort, by paying the ransom.

During yesterday's ransomware outbreak, MalwareTech also created a tracker for Wana Decrypt0r victims, and a live map, showing infections in real time, which is now terribly silent. For those affected, you can discuss this ransomware and receive support in the dedicated WanaCrypt0r & Wana Decrypt0r Help & Support Topic. Bleeping Computer also published a technical analysis of the Wana Decrypt0r ransomware.

That exploit can be mitigated by installing the patches included with Microsoft security bulletin MS17-010 : https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Additionally, Microsoft has released an update for older operating systems that are no longer officially supported, such as Windows XP, Windows 8, and Windows Server 2003. The update can be downloaded from here: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

alacran

Edited by alacran

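The kill-switch behaviour the article describes (unregistered domain: go ahead and encrypt; registered domain: stop) and the victim tracker it mentions both come down to one observable: a host that looks up that domain has executed the sample. The following Python is an added example, not the malware's code or MalwareTech's tracker. It models the pre-infection check with a pluggable probe so it runs offline, and then runs a small detection over constructed resolver log lines (dnsmasq-like format, invented here) to list the clients that queried the kill-switch domain. One labelled assumption goes beyond the article: the probe treats any failure, including blocked egress, the same as "unregistered", which is why a network that drops the outbound request gets no benefit from the registered domain.

```python
import re
from typing import Callable, Dict, Iterable, List, Tuple

# Kill-switch domain exactly as reported in the article.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


class DomainUnreachable(Exception):
    """A probe could not reach the domain (unregistered name, or the request failed)."""


def should_detonate(probe: Callable[[str], None],
                    domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """Model of the pre-infection check described in the article.

    Returns True when the malware would go on to spread and encrypt (the probe
    failed) and False when the domain answered (the kill switch fires).
    Assumption, not stated in the article: every probe failure is treated like
    "unregistered", so blocked egress also leads to detonation.
    """
    try:
        probe(domain)
    except DomainUnreachable:
        return True
    return False


def make_probe(registered_names: set) -> Callable[[str], None]:
    """Stand-in for the real network check, driven by a constructed table of
    names that 'resolve'. Replaces DNS/HTTP so the example runs offline."""
    lowered = {n.lower().rstrip(".") for n in registered_names}

    def probe(domain: str) -> None:
        if domain.lower().rstrip(".") not in lowered:
            raise DomainUnreachable(domain)
    return probe


def blocked_probe(domain: str) -> None:
    """Stand-in for a host whose outbound traffic is dropped: the check never succeeds."""
    raise DomainUnreachable(f"egress blocked for {domain}")


# Constructed resolver log lines (not real data), one query per line:
#   <timestamp> <client ip> query[A] <name> <rcode>
SAMPLE_DNS_LOG = """\
2017-05-12T11:02:13Z 10.0.5.17 query[A] iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12T11:02:14Z 10.0.5.17 query[A] www.msfn.org NOERROR
2017-05-12T11:02:20Z 10.0.5.31 query[A] mail.example.net NOERROR
2017-05-12T16:40:02Z 10.0.7.4 query[A] IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. NOERROR
2017-05-12T16:41:09Z 10.0.7.4 query[A] www.msfn.org NOERROR
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+query\[A\]\s+"
    r"(?P<qname>\S+)\s+(?P<rcode>[A-Z]+)$"
)


def kill_switch_lookups(lines: Iterable[str],
                        domain: str = KILL_SWITCH_DOMAIN) -> Dict[str, List[Tuple[str, str]]]:
    """Group lookups of the kill-switch domain by client IP.

    Any lookup means the sample ran on that host. Under the article's logic the
    rcode says what happened next: NXDOMAIN (before the domain was registered)
    means the host went on to encrypt; NOERROR (after registration) means the
    kill switch halted it, but the host still executed the malware and needs
    cleanup. Names are compared case-insensitively and without a trailing dot;
    lines that do not match the format are skipped.
    """
    wanted = domain.lower()
    hits: Dict[str, List[Tuple[str, str]]] = {}
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or m["qname"].lower().rstrip(".") != wanted:
            continue
        hits.setdefault(m["client"], []).append((m["ts"], m["rcode"]))
    return hits


if __name__ == "__main__":
    verdict = lambda detonates: "encrypt" if detonates else "halt"
    print("domain unregistered ->", verdict(should_detonate(make_probe(set()))))
    print("domain registered   ->", verdict(should_detonate(make_probe({KILL_SWITCH_DOMAIN}))))
    print("egress blocked      ->", verdict(should_detonate(blocked_probe)))
    for client, events in kill_switch_lookups(SAMPLE_DNS_LOG.splitlines()).items():
        print(client, events)
```

On a real resolver the log format will differ, so adapt `LOG_LINE` to your own logs; the point is that the query itself, not the answer, is the infection indicator, and an NXDOMAIN hit is the one that most likely went on to encrypt.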

Actual page of the good guy already posted:
 


Was it anything like this?


I think I'm even more surprised that Microsoft took pity on those not migrating off Windows XP and still released a patch for them as well. But then it might not be so much because of their goodwill towards XP users as it is trying to stop the spread of the malware itself.


I'm not sure how accidental a hero it is. There are some people that will register non-existent domains that are seen in advertisements or other forms of media just because. :whistle:
