Last weekend saw a global ransomware attack that was seriously sinister. Not only did it cripple huge chunks of the UK’s health network, it also spread rapidly and within a matter of hours was affecting computers in Italy, Spain and several other parts of the world. It was later stopped by researchers from MalwareTech, saving the global cyber network from a potential disaster.
Apparently, it was a shot in the dark that saved the day, rather than some sudden stroke of genius. The ransomware was spreading using an exploit that was first deployed by the NSA and later made public by the Shadow Brokers.
So basically, the payload also contained code that queried a domain which its authors believed to be unregistered. It did so because many networks contain analysis environments capable of studying such code and capturing all of its outgoing traffic, for instance an attempt to connect to a domain. That could have led to traffic manipulation and analysis of the ransomware, something its authors wanted to avoid.
To avoid this very situation, the ransomware would look up a particular unregistered domain, and if it got back anything other than a DNS error, it would shut itself down. This was done to avoid further analysis of its traffic.
So, in an attempt to monitor the ransomware’s traffic, the security researchers registered the unregistered domain the ransomware was calling out to. Not only were they then able to study the traffic, they also managed to stop the attack with this simple move. The code within the ransomware was betting on the domain being unregistered; it suddenly found a registered domain at the other end, which meant it could never activate itself and was effectively rendered harmless.
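The kill-switch behaviour described above, modelled as an added example (not code from the original post or from the malware itself): the domain name is a placeholder because this post does not name it, the resolver is swapped in to show the before/after effect of registering the domain, and the DNS log lines are constructed to show a defender-side check for hosts that have tried the lookup.

```python
# Added example, not from the original post. Models the kill-switch decision
# and a defender's check over DNS query logs. Domain name is a placeholder.
import re

KILL_SWITCH_DOMAIN = "killswitch-domain-placeholder.example"  # assumed placeholder

def should_run(resolve, domain=KILL_SWITCH_DOMAIN):
    """Return True if the modelled payload would proceed.

    The post describes the logic as: query the domain and, if anything other
    than a DNS error comes back, shut down. So the payload proceeds only when
    the lookup fails, i.e. while the domain is unregistered.
    """
    return not resolve(domain)

def unregistered(_domain):
    """Resolver before the sinkhole: the lookup fails with a DNS error."""
    return False

def sinkholed(_domain):
    """Resolver after researchers registered the domain: it now resolves."""
    return True

# Constructed sample DNS query log lines: timestamp, client IP, queried name.
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:02Z 10.0.0.5 query www.example.org
2017-05-12T10:01:09Z 10.0.0.17 query killswitch-domain-placeholder.example
2017-05-12T10:02:41Z 10.0.0.5 query killswitch-domain-placeholder.example
2017-05-12T10:03:00Z 10.0.0.17 query killswitch-domain-placeholder.example
"""

LOG_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")

def hosts_querying(log_text, domain=KILL_SWITCH_DOMAIN):
    """Map each client that looked up the kill-switch domain to its query count.

    The lookup itself is harmless once the domain is sinkholed, but on an
    internal network it is a strong sign the host ran the payload and should
    be triaged.
    """
    counts = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(3).lower() == domain:
            counts[m.group(2)] = counts.get(m.group(2), 0) + 1
    return counts

if __name__ == "__main__":
    print("proceeds before sinkhole:", should_run(unregistered))  # True
    print("proceeds after sinkhole:", should_run(sinkholed))      # False
    print("hosts to triage:", hosts_querying(SAMPLE_DNS_LOG))
```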
And that, folks, is how one of the biggest ransomware threats ever was stopped in its tracks.