'Accidental hero' halts ransomware attack and warns: this is not over
Expert who stopped spread of attack by activating software’s ‘kill switch’ says criminals will ‘change the code and start again’
Nadia Khomami in London and Olivia Solon in San Francisco
Saturday 13 May 2017 10.49 EDT First published on Friday 12 May 2017 21.41 EDT
The “accidental hero” who halted the global spread of an unprecedented ransomware attack by registering a garbled domain name hidden in the malware has warned the attack could be rebooted.
The ransomware used in Friday’s attack wreaked havoc on organisations including FedEx and Telefónica, as well as the UK’s National Health Service (NHS), where operations were cancelled, X-rays, test results and patient records became unavailable and phones did not work.
But the spread of the attack was brought to a sudden halt when one UK cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and inadvertently activated a “kill switch” in the malicious software.
The researcher, who identified himself only as MalwareTech, is a 22-year-old from south-west England who works for Kryptos Logic, an LA-based threat intelligence company.
“I was out having lunch with a friend and got back about 3pm and saw an influx of news articles about the NHS and various UK organisations being hit,” he told the Guardian. “I had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time.”
The kill switch was hardcoded into the malware in case the creator wanted to stop it spreading. This involved a very long nonsensical domain name that the malware makes a request to – just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading. The domain cost $10.69 and was immediately registering thousands of connections every second.
MalwareTech explained that he bought the domain because his company tracks botnets, and by registering these domains they can get an insight into how the botnet is spreading. “The intent was to just monitor the spread and see if we could do anything about it later on. But we actually stopped the spread just by registering the domain,” he said. But the following hours were an “emotional rollercoaster”.
“Initially someone had reported the wrong way round that we had caused the infection by registering the domain, so I had a mini freakout until I realised it was actually the other way around and we had stopped it,” he said.
MalwareTech said he preferred to stay anonymous “because it just doesn’t make sense to give out my personal information, obviously we’re working against bad guys and they’re not going to be happy about this.”
He also said he planned to hold onto the URL, and he and colleagues were collecting the IPs and sending them off to law enforcement agencies so they can notify the infected victims, not all of whom are aware that they have been affected.
He warned people to patch their systems, adding: “This is not over. The attackers will realise how we stopped it, they’ll change the code and then they’ll start again. Enable windows update, update and then reboot.”
He said he got his first job out of school without any real qualifications, having skipped university to start up a tech blog and write software.
“It’s always been a hobby to me, I’m self-taught. I ended up getting a job out of my first botnet tracker, which the company I now work for saw and contacted me about, asking if I wanted a job. I’ve been working there a year and two months now.”
But the dark knight of the dark web still lives at home with his parents, which he joked was “so stereotypical”. His mum, he said, was aware of what had happened and was excited, but his dad hadn’t been home yet. “I’m sure my mother will inform him,” he said.
“It’s not going to be a lifestyle change, it’s just a five-minutes of fame sort of thing. It is quite crazy, I’ve not been able to check into my Twitter feed all day because it’s just been going too fast to read. Every time I refresh it it’s another 99 notifications.”
Proofpoint’s Ryan Kalember said the British researcher gets “the accidental hero award of the day”. “They didn’t realise how much it probably slowed down the spread of this ransomware.”
The time that @malwaretechblog registered the domain was too late to help Europe and Asia, where many organisations were affected. But it gave people in the US more time to develop immunity to the attack by patching their systems before they were infected, said Kalember.
use link for video -
https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack
The kill switch won’t help anyone whose computer is already infected with the ransomware, and it’s possible that there are other variants of the malware with different kill switches that will continue to spread.
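The mechanism described in this article (the malware looks up a hard-coded nonsense domain, the researchers then collect the IPs of every host that hits the registered domain so victims can be notified, and there may be further variants with other kill-switch names) has a straightforward defender-side counterpart: whoever runs an organisation's DNS resolvers can search the query logs for lookups of the known kill-switch names and turn the hits into a per-host notification list. The script below is an added example, not code from the article, from MalwareTech or from Kryptos Logic; the domain names and the BIND-style query-log lines in it are constructed placeholders, because the article does not print the real domain, and the log format is an assumption.

```python
"""Added example: find hosts that queried a kill-switch domain in DNS query logs.

Hosts that perform the lookup got far enough in the infection chain to run the
kill-switch check, so each source address is a candidate victim to notify.
Domains and log lines are constructed placeholders, not real data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Hypothetical kill-switch names. The article warns that other variants may carry
# different kill switches, so the matcher takes a set rather than one name.
KILL_SWITCH_DOMAINS = frozenset({
    "killswitch-placeholder-1.example",
    "killswitch-placeholder-2.example",
})

# Constructed BIND-style query log (assumed format; not taken from the article).
SAMPLE_LOG = """\
13-May-2017 01:22:07.101 client 10.0.4.17#51234: query: killswitch-placeholder-1.example IN A + (10.0.0.53)
13-May-2017 01:22:07.350 client 10.0.9.8#40011: query: www.example.org IN A + (10.0.0.53)
13-May-2017 01:22:09.004 client 10.0.4.17#51240: query: KILLSWITCH-PLACEHOLDER-1.example. IN A + (10.0.0.53)
13-May-2017 01:23:41.777 client 192.168.7.3#33012: query: killswitch-placeholder-2.example IN A + (10.0.0.53)
this line is not a query log entry at all
13-May-2017 01:24:00.000 client 10.0.9.8#40012: query: updates.example.net IN AAAA + (10.0.0.53)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


@dataclass
class QueryEvent:
    ts: datetime
    client_ip: str
    qname: str
    qtype: str


@dataclass
class HostSummary:
    client_ip: str
    first_seen: datetime
    last_seen: datetime
    count: int = 0
    domains: set = field(default_factory=set)


def normalize_name(name: str) -> str:
    # DNS names are case-insensitive and may be logged with a trailing dot.
    return name.rstrip(".").lower()


def parse_query_line(line: str) -> Optional[QueryEvent]:
    """Parse one log line; return None for lines that are not query records."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return QueryEvent(ts, m.group("ip"), normalize_name(m.group("qname")), m.group("qtype"))


def find_kill_switch_hits(lines: Iterable[str],
                          domains: frozenset = KILL_SWITCH_DOMAINS) -> Dict[str, HostSummary]:
    """Aggregate kill-switch lookups per source address (first/last seen, count, names)."""
    hits: Dict[str, HostSummary] = {}
    for line in lines:
        ev = parse_query_line(line)
        if ev is None or ev.qname not in domains:
            continue
        summary = hits.get(ev.client_ip)
        if summary is None:
            summary = HostSummary(ev.client_ip, ev.ts, ev.ts)
            hits[ev.client_ip] = summary
        summary.first_seen = min(summary.first_seen, ev.ts)
        summary.last_seen = max(summary.last_seen, ev.ts)
        summary.count += 1
        summary.domains.add(ev.qname)
    return hits


def notification_report(hits: Dict[str, HostSummary]) -> List[str]:
    """One tab-separated row per host, oldest first, for hand-off to the owners."""
    rows = []
    for s in sorted(hits.values(), key=lambda s: s.first_seen):
        rows.append(f"{s.client_ip}\tfirst={s.first_seen.isoformat()}"
                    f"\tlast={s.last_seen.isoformat()}\tqueries={s.count}"
                    f"\tdomains={','.join(sorted(s.domains))}")
    return rows


if __name__ == "__main__":
    for row in notification_report(find_kill_switch_hits(SAMPLE_LOG.splitlines())):
        print(row)
```

Run against the embedded sample it reports two hosts (10.0.4.17 twice, 192.168.7.3 once) and ignores the unrelated lookups and the malformed line. The matcher compares exact names after normalisation rather than substrings, so ordinary traffic cannot produce a false hit; when a new variant's kill-switch name becomes known, adding it to the set is the only change needed.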
The malware was made available online on 14 April through a dump by a group called Shadow Brokers, which claimed last year to have stolen a cache of “cyber weapons” from the National Security Agency (NSA).
Ransomware is a type of malware that encrypts a user’s data, then demands payment in exchange for unlocking the data. This attack used a piece of malicious software called “WanaCrypt0r 2.0” or WannaCry, that exploits a vulnerability in Windows. Microsoft released a patch (a software update that fixes the problem) for the flaw in March, but computers that have not installed the security update remain vulnerable.
The ransomware demands users pay $300 worth of cryptocurrency Bitcoin to retrieve their files, though it warns that the “payment will be raised” after a certain amount of time. Translations of the ransom message in 28 languages are included. The malware spreads through email.
“This was eminently predictable in lots of ways,” said Kalember. “As soon as the Shadow Brokers dump came out everyone [in the security industry] realised that a lot of people wouldn’t be able to install a patch, especially if they used an operating system like Windows XP [which many NHS computers still use], for which there is no patch.”
Security researchers with Kaspersky Lab have recorded more than 45,000 attacks in 74 countries, including the UK, Russia, Ukraine, India, China, Italy, and Egypt. In Spain, major companies including telecommunications firm Telefónica were infected.
By Friday evening, the ransomware had spread to the United States and South America, though Europe and Russia remained the hardest hit, according to security researchers Malware Hunter Team. The Russian interior ministry says about 1,000 computers have been affected.