Massive Ransomware Attack Has Slowed, But Probably Isn’t Over Forever


Ransomware — malicious software that encrypts your computer until you pay up — is, sadly, not new, but a recent, massive global attack on computer networks has pushed ransomware into the spotlight. While security researchers have figured out how to slow the havoc down, another wave of attacks seems likely.

The first sign the attack was really going global came on Friday morning when more than a dozen National Health Service hospitals in England were affected at once. From there, the WannaCry worm spread to large phone and gas utilities in Spain as well as moving around the rest of Europe and into the United States, where it nailed FedEx.

By Sunday, security experts were estimating that WannaCry had hit more than 200,000 computers in more than 150 countries. Many were concerned that the spread would worsen once the Monday workday began in Europe and on the East Coast.

However, this round appears to have been brought to a near halt by a single security researcher. The expert, known only by the pseudonym MalwareTech, found — and activated — a kill switch in the code.

As the Guardian explains, the 22-year-old, who probably does not look like Jeff Goldblum in Independence Day, had a look at the code after lunch with a friend.

He found that the software was programmed to specifically look for a particular web address, 42 nonsense characters long. So he registered it, at a cost of about $10, to see what would happen.

The reasons why the malware queries that URL are fairly technical, but as it turned out, he was easily able to make it work as a kill switch. By registering that domain, he could make any instance of the malware that looked for it basically grind to a halt.
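As an added example (not code from the article, from MalwareTech, or from the malware itself), here is the defender-side use of such a domain: once it is registered and pointed at a sinkhole, DNS logs showing which internal hosts looked it up become a list of machines on which the worm ran its check. The domain name and the log lines are constructed placeholders; the real 42-character domain is not reproduced here.

```python
"""Kill-switch sinkhole telemetry: which internal hosts looked up the domain?

Added illustration; the domain and log lines are constructed placeholders.
"""
import re
from collections import defaultdict

# Constructed placeholder standing in for the 42-character nonsense domain.
KILL_SWITCH_DOMAIN = "killswitch-placeholder-example.test"

# Constructed resolver log lines in a BIND-style query-log layout.
SAMPLE_DNS_LOG = """\
15-May-2017 08:01:12.101 client 10.20.30.41#51234: query: killswitch-placeholder-example.test IN A + (10.0.0.53)
15-May-2017 08:01:12.205 client 10.20.30.41#51240: query: KILLSWITCH-PLACEHOLDER-EXAMPLE.TEST IN A + (10.0.0.53)
15-May-2017 08:01:15.330 client 10.20.30.77#40011: query: www.example.org IN A + (10.0.0.53)
15-May-2017 08:02:03.004 client 10.20.31.9#55501: query: killswitch-placeholder-example.test IN A + (10.0.0.53)
15-May-2017 08:02:09.777 client 10.20.30.77#40020: query: updates.example.net IN AAAA + (10.0.0.53)
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)


def parse_query_log(text):
    """Yield (timestamp, client_ip, queried_name) for each well-formed query line."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("name").rstrip(".").lower()


def hosts_querying(text, domain=KILL_SWITCH_DOMAIN):
    """Map each client that looked up the kill-switch domain to its query timestamps.

    Matching is case-insensitive and ignores a trailing dot, since both vary in
    DNS logs. A hit means the check most likely ran on that host, so the host is
    a triage candidate; it says nothing about whether the host is patched."""
    hits = defaultdict(list)
    for ts, ip, name in parse_query_log(text):
        if name == domain:
            hits[ip].append(ts)
    return dict(hits)


if __name__ == "__main__":
    for ip, times in sorted(hosts_querying(SAMPLE_DNS_LOG).items()):
        print(f"{ip}: {len(times)} lookup(s), first at {times[0]}")
```

A host that is not on this list may still be infected: the kill-switch lookup only appears where the malware was able to reach the resolver.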

Of course, one of the many things software viruses have in common with the biological sort is mutation. Experts predicted that they’d see a new, harder-to-stop variant appear, and they did: Another researcher registered another “kill switch” domain on Sunday, and infection rates continued to drop. Quartz now reports that within 24 hours, the number of infected computers online plummeted from hundreds of thousands to simply hundreds.

But experts caution that this doesn’t mean you’re safe. Another new variant has already been spotted in the wild, according to ZDNet, and it can easily keep spreading to unpatched computers.

As for those computers, Microsoft’s chief legal officer posted to the company blog over the weekend to basically beg people to update their computers whenever a security update is available.

“This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support,” executive Brad Smith wrote. And indeed, businesses and organizations that hadn’t yet updated their networks to include the security patch from March are the entities hardest-hit.

But Smith also pointed the finger directly at the feds for allowing this to happen, because the Windows vulnerability the hackers used was first discovered — and then kept secret — by the NSA.

“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” Smith writes. “This is an emerging pattern in 2017 … now this vulnerability stolen from the NSA has affected customers around the world.”

Smith adds that, “An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. … The governments of the world should treat this attack as a wake-up call. … We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”

Meanwhile, for an attack that managed to cripple systems worldwide, the folks behind WannaCry have made surprisingly little money. A Twitter bot that reportedly tracks the bitcoin wallets victims are instructed to pay into most recently reported that 181 payments, totaling about $50,500, have been sent so far.