Just 2 Domain Names Now Stand Between the World and Global Ransomware Chaos
Researchers predict this will be increasingly harder to stop.
A second wave of global infections caused by hackers in a global ransomware attack has been halted. The hackers responsible for the cyberattack, unprecedented in its global scale, demanded ransom be sent to three bitcoin addresses. So far, they have amassed the equivalent of over $42,000 in ransom. But a new “kill switch” by Matthieu Suiche, the founder of cybersecurity startup Comae Technologies, has prevented about 10,000 infected machines from propagating the ransomware since it was flipped roughly 24 hours ago.
Since registering the 2nd killswitch yesterday, we stopped ~10K machines from spreading further - mainly from Russia. #WannaCry #OKLM pic.twitter.com/eQziRoq8UN
— Matthieu Suiche (@msuiche) May 15, 2017
The three bitcoin wallets tied to #WannaCry ransomware have received 151 payments totaling 24.75899797 BTC ($42,640.91 USD).
— actual ransom (@actual_ransom) May 15, 2017
The WannaCry ransomware was originally halted by the U.K. cybersecurity researcher who goes by the name MalwareTech. He “accidentally” stopped the rapidly spreading infection by registering a domain name (9iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com) he found in WannaCry’s code, without knowing what its effect would be. The domain turned out to be a kill switch left in the code to stop the ransomware’s propagation. (The act of registering the domain name halted the malware’s spread.)
After the initial WannaCry kill switch was found, researchers predicted variants would soon appear that were harder to stop. Suiche analyzed two new variants that appeared yesterday and found that one of them contained a similar kill-switch mechanism, but keyed to a different domain name (ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com). He registered the new domain about 20 hours ago, and infection rates have plummeted.
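The practical consequence of the kill-switch mechanism described above is that an infected machine announces itself: before spreading, it looks up the kill-switch domain, and that lookup lands in the organisation's DNS resolver logs. The script below is an added example (not code from the article, nor from MalwareTech or Suiche) that flags hosts making such lookups. It assumes a constructed resolver log format of "<timestamp> <client_ip> <query_name> <query_type>", and the two domain names are copied exactly as the article prints them.

```python
"""Spot hosts that query the WannaCry kill-switch domains in a resolver log.

Added example, not code from the article or from any of the researchers it
names. Assumptions (constructed for this example): the log format is
"<timestamp> <client_ip> <query_name> <query_type>", one query per line, and
the two domain names are copied exactly as the article prints them.
"""
import re
from collections import defaultdict

# Kill-switch domains as printed in the article (first the original, then the
# second variant). A host querying one of these is running the worm's
# pre-propagation check, whether or not the domain currently resolves.
KILL_SWITCH_DOMAINS = frozenset({
    "9iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
})

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<qname>\S+)\s+(?P<qtype>[A-Z]+)\s*$"
)

# Constructed sample log: two hosts hit a kill-switch domain (one logged in
# upper case with a trailing dot, as resolvers often do), one line is malformed.
SAMPLE_LOG = """\
2017-05-15T10:01:02Z 10.0.0.5 9iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A
2017-05-15T10:01:03Z 10.0.0.5 www.example.com A
2017-05-15T10:02:10Z 10.0.0.9 IFFERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. A
garbage line that does not parse
2017-05-15T10:03:00Z 10.0.0.12 example.org AAAA
2017-05-15T10:04:44Z 10.0.0.5 9iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A
"""


def normalize_qname(qname: str) -> str:
    """Lower-case the name and drop the trailing dot so comparisons are exact."""
    return qname.rstrip(".").lower()


def parse_query_log(text: str):
    """Yield (timestamp, client_ip, normalized_qname) for every well-formed line."""
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if match is None:
            continue  # skip lines that do not fit the assumed format
        yield match["ts"], match["client"], normalize_qname(match["qname"])


def find_kill_switch_queries(text: str) -> dict:
    """Map each client IP to its kill-switch lookups.

    Returns {client_ip: {domain: count}} for clients with at least one hit.
    """
    hits = defaultdict(lambda: defaultdict(int))
    for _ts, client, qname in parse_query_log(text):
        if qname in KILL_SWITCH_DOMAINS:
            hits[client][qname] += 1
    return {client: dict(domains) for client, domains in hits.items()}


def report(hits: dict) -> list:
    """One line per flagged host; the kill switch halts spreading, not infection."""
    lines = []
    for client in sorted(hits):
        total = sum(hits[client].values())
        lines.append(
            f"{client}: {total} kill-switch lookup(s) for "
            f"{', '.join(sorted(hits[client]))}; host is infected and still "
            "needs the Microsoft fix even though propagation is halted"
        )
    return lines


if __name__ == "__main__":
    for line in report(find_kill_switch_queries(SAMPLE_LOG)):
        print(line)
```

Run it against a real resolver export after adjusting `LOG_LINE` to that resolver's format. The point of the report wording is the one the article makes: a registered kill-switch domain stops the worm from spreading, but every host that performed the lookup is still compromised and still needs the vendor fix.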
The number of active, infected machines overall is down to the hundreds now, from about 200,000 machines just two days ago, according to data collected by MalwareTech. In the chart below, “online” indicates whether a machine is still connected to the internet and capable of spreading the malware:
The worst is not quite over yet. More variants will appear, and large organizations must scramble to install a fix released by Microsoft to prevent further infections and propagation. Until those variants crop up, as Suiche observed, just two domain names stand between the world and total anarchy on the internet.