Yesterday’s global ransomware attack was scary for several reasons, but quick action by a security researcher at MalwareTech at least put an end to its spreading — although the researcher didn’t realize it at the time. The whole story is here, but the gist is this. The ransomware, as you may have heard, was spreading using an exploit disclosed from NSA records by the Shadow Brokers last month. It had the potential to spread quickly and far, as it in fact did, and in doing so attract the attention of IT people who would want to contain and study it.
As a safety against this, the payload contained some code that queried a certain domain known to the authors to be unregistered. This is because some network environments, such as contained VMs in which to study malicious code, will capture all outgoing data, like an attempt to connect to a domain, and return traffic of its own choosing.
The ransomware wanted to avoid activating itself in an environment like this, so it was designed to ping a certain unregistered domain — say, afn38sj729.com — and if it returns anything but a DNS error, chances are that its traffic is being manipulated, so it shuts down to avoid further analysis.
The security researcher, on seeing that the ransomware called out to this unregistered domain, immediately registered it so they could monitor the traffic (they could — producing the map above). They thought it would just help track its spreading, but in fact by registering that domain they effectively killed the whole attack. Because now when the code pinged that domain, it returned that it was registered, and therefore the ransomware would never activate itself! They’d pulled the plug and didn’t even realize it. (The researcher cottoned to it later during some tests of this type of behavior.)
It may have been accidental, but registering was the correct thing for the researcher to do — that may have been a command and control server, or perhaps it was a kill switch like this — and at any rate, you can’t argue with the results. Unfortunately, it doesn’t help people who are already hit by the ransom, but at least it prevented it rolling out further.