WannaCry, the ransomware attack that has crippled the globe since Friday, stopped by a DNS sinkhole

WannaCry / Screen capture by Kafeine
Cover photo by Kafeine

A massive ransomware attack commonly named WannaCry spread across the globe on Friday May 12th, with reports of computer systems being locked up in Russia, Western Europe, East Asia and North America. British hospitals, FedEx in the US, Telefonica in Spain and the car maker Renault in France were among the most visible victims, but the largest number of attacks seemed to be in Russia.

However, it seems that the propagation has now been stopped thanks to a technique called a “sinkhole”. The sinkhole was put in place by people at Malware Tech, according to this article and this article. In a Tweet dated March 12th, Proofpoint researcher Darien Huss claims that the ransomware used a previously unregistered domain and that execution now fails because the domain has been “sinkholed”.

What is a domain or DNS Sinkhole?

A sinkhole is a standard DNS server that has been configured to hand out non-routable addresses for all domains in the sinkhole list, so that every computer that uses it will fail to reach the real site. The higher up the DNS hierarchy the server sits, the more computers it blocks. Some of the larger botnets have been made unusable by TLD sinkholes that span the entire Internet. DNS sinkholes are effective at detecting and blocking malicious traffic, and are used to combat bots and other unwanted traffic.
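To make the mechanism concrete, here is an added example (not code from the article, from Malware Tech or from Proofpoint) that implements the sinkhole decision over raw DNS wire format in Python: queries for a listed zone or any of its subdomains are answered with a TEST-NET address that is never routable, every such query is recorded with the client that sent it (which is how a sinkhole also works as a detector of infected hosts), and everything else is handed to the real upstream resolver. The domain names in `SINKHOLED`, the client addresses and the listening ports are constructed placeholders, not the real WannaCry domains.

```python
"""DNS sinkhole resolver logic (added example, not from the article)."""
import socket
import struct

# Constructed placeholders on RFC 2606 reserved TLDs, NOT the real WannaCry domains.
SINKHOLED = {"sinkholed-example.test", "malware-c2.invalid"}
SINKHOLE_ADDR = "192.0.2.1"  # RFC 5737 TEST-NET-1: never routable on the Internet
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """Encode a dotted name as DNS labels (length byte + label), terminated by 0."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def decode_name(data, offset):
    """Decode a name at offset, following compression pointers; return (name, next offset)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # 2-byte pointer to a name earlier in the message
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(data, pointer)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name, txid=0x1234):
    """Build a standard recursive A query (RFC 1035 section 4.1): RD set, one question."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def is_sinkholed(qname):
    """Match the listed zone itself or any subdomain of it."""
    qname = qname.lower().rstrip(".")
    return any(qname == d or qname.endswith("." + d) for d in SINKHOLED)


def sinkhole_response(packet, client, hits):
    """Return a sinkhole answer for listed names, or None to forward upstream.

    hits collects (client, qname) pairs: the detection value of a sinkhole.
    """
    txid = struct.unpack("!H", packet[:2])[0]
    qname, offset = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    if not is_sinkholed(qname):
        return None
    hits.append((client, qname))
    question = packet[12:offset + 4]
    if qtype != QTYPE_A or qclass != QCLASS_IN:
        # Authoritative NOERROR with an empty answer section for non-A types (e.g. AAAA)
        return struct.pack("!6H", txid, 0x8580, 1, 0, 0, 0) + question
    # Flags 0x8580: response, authoritative answer, recursion desired and available
    header = struct.pack("!6H", txid, 0x8580, 1, 1, 0, 0)
    # Answer RR: name is a pointer (0xC00C) to the question name at offset 12
    answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 60, 4)
    return header + question + answer + socket.inet_aton(SINKHOLE_ADDR)


def first_a_record(response):
    """Extract the first A record address from a response, or None if there is none."""
    if struct.unpack("!H", response[6:8])[0] == 0:
        return None
    _, offset = decode_name(response, 12)
    _, offset = decode_name(response, offset + 4)  # skip QTYPE/QCLASS, read RR name
    rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", response[offset:offset + 10])
    offset += 10
    return socket.inet_ntoa(response[offset:offset + rdlength]) if rtype == QTYPE_A else None


def serve(bind=("127.0.0.1", 5353), upstream=("127.0.0.1", 53)):
    """Run the sinkhole on UDP: listed names answered locally, others forwarded upstream."""
    hits = []
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        packet, client = sock.recvfrom(512)
        reply = sinkhole_response(packet, client[0], hits)
        if reply is None:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as fwd:
                fwd.settimeout(2)
                fwd.sendto(packet, upstream)
                try:
                    reply, _ = fwd.recvfrom(512)
                except socket.timeout:
                    continue
        else:
            print("sinkhole hit: client=%s qname=%s" % hits[-1])
        sock.sendto(reply, client)


if __name__ == "__main__":
    log = []
    reply = sinkhole_response(build_query("evil.sinkholed-example.test"), "10.0.0.5", log)
    print(first_a_record(reply), log)
```

The `hits` list is the part a defender actually cares about: once the malware's domain resolves to an address you control, every lookup of it names an infected host on your network, so feeding those pairs into a SIEM or simply tailing the log gives an inventory of machines to isolate. Returning an empty authoritative answer for non-A types stops clients from falling through to a second resolver.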

Experts say that a total of 33 domain names were used by the ransomware during this attack.

What does WannaCry do?

The WannaCry ransomware operates by encrypting the files on an infected PC, along with those on any other systems on the network the PC is attached to. It then asks for a ransom of between $300 and $600, to be paid in Bitcoin, to release the files, threatening to delete them after a set number of days if the ransom is not paid.

A Twitter feed purportedly belonging to a hacktivist group calling itself SpamTech claimed responsibility for the attack, stating that “The ‘WannaCry/WCRY’ was created by one of our members”.

The ransomware, variably called WanaCryptor 2.0, WannaCry, WCry or WCrypt, seemed to be using an exploit that was developed years ago by the US National Security Agency (NSA) and revealed publicly in a data dump last month. Microsoft secretly patched Windows against the attack in March, but many systems in large organizations had apparently not been updated.

What is the impact of WannaCry?

Spain’s computer response team, CCN-CERT, warned of a “massive attack” from the ransomware strain, amid reports that local telecommunications firm Telefonica was hit.

Security firm Avast said it had detected the ransomware, largely attacking Russia, Ukraine and Taiwan.

Europol said Saturday that the attack was of an “unprecedented level and requires international investigation.”

In China, the internet security company Qihoo360 issued a “red alert” saying that a large number of colleges and students in the country had been affected by the ransomware, which is also referred to as “WannaCrypt.” State media reported that digital payment systems at PetroChina gas stations were offline, forcing customers to pay cash.

Russia’s Interior Ministry released a statement acknowledging a ransomware attack on its computers, adding that less than 1% of computers were affected, and that the virus is now “localized.” The statement said antivirus systems are working to destroy it.

Megafon, a Russian telecommunications company, was also hit by the attack. Spokesman Petr Lidov told CNN that it affected call centers but not the company’s networks. He said the situation is now under control.

The ransomware works by leveraging a Windows vulnerability that came to light last month when a cache of mysterious hacking tools was leaked on the internet.

The BBC reported that 25 hospital systems were affected in the UK and said that Prime Minister Theresa May was being kept informed of the situation. English and Scottish hospitals were reportedly postponing appointments and directing patients to unaffected facilities.

Russian antivirus firm Kaspersky Lab said it had detected more than 45,000 infections in 74 countries, the vast majority of them in Russia.

According to local media reports on Friday, French car maker Renault has also been affected.

The released tools, which apparently came from the NSA, include an exploit codenamed EternalBlue that makes hijacking older Windows systems easy. Microsoft first patched the vulnerability in March, 2017 for all operating systems that were still under maintenance. The exploit specifically targets the Server Message Block (SMB) protocol in Windows, which is used for file sharing.

On Saturday March 13th Microsoft, in an unprecedented move, released patches for its older operating systems no longer under maintenance, including Windows XP and Windows Server 2003, to protect against this strain of ransomware.

It’s not the first time hackers have used the leaked NSA tools to infect computers. Soon after the leak, hackers infected thousands of vulnerable machines with a backdoor called DOUBLEPULSAR.

What should I do?

If your computer is already infected, there is not much you can do at this time. Our advice is to deactivate WiFi and unplug the network cable from affected computers so that you do not propagate the virus to other unaffected computers on your network.

If your computer does not look affected, security experts are urging organizations and Windows users to patch vulnerable systems, upgrade to the latest versions of OSes, and make offline backups of any critical files.

So, if you have not installed the March, April or May Windows Update bundles, do so immediately. If you’re still using Windows XP, you’re not out of luck, as Microsoft has just released a patch for Windows XP and its server counterpart, Windows 2003. The March and April update bundles are also available for Windows Vista.

Final thought

As one would say, Big Brother was always watching you… but now things have gotten out of hand: the tools have leaked and are in bad hands, and they are now used for other (business) purposes rather than just to spy on you!