The Hero Who Stopped WannaCry, Accidentally


Believe it or not, the massive WannaCry ransomware that shut down tens of thousands of computers has a back door that makes it kill itself when exploited. Luckily, we have a hero standing on our side this time.

[Image: Animated map of how tens of thousands of computers were infected with ransomware]

Apparently, there was a kill switch built into the malware. It attempts an HTTP GET request to iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com, a “randomly” human-typed address that primarily consists of keys in the top row of the keyboard. This was found in WannaCry’s code:

[Image: WannaCry code with the kill switch]

If the call to that domain succeeds, the malware stops propagating and exits. Because the domain wasn’t registered during the first outbreak, the malware continued to execute, propagate, and spread like wildfire until a researcher worked out what was going on and simply registered the domain name!

That’s our hero, though an accidental one: @MalwareTechBlog, who observed the traffic to the fake domain, registered it, and sinkholed it, thus stopping the bleeding in a major way.

It’s still a mystery why the kill switch existed in the first place. It seems to go totally against the goal of infecting as many machines as possible, as quickly as possible. Anyway, while this variant of WannaCry shouldn’t be spreading any further, more copycats will be emerging soon. You still need to follow the instructions to patch your system and protect your own data.

Also, note that the kill switch is not proxy aware. It won’t work on a network that has a proxy server in place.
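
Because the check is a direct HTTP GET that ignores proxies, a host's own lookup of the kill-switch domain tells a defender both that the sample ran there and whether the check could have succeeded. The following is an added example, not code from the original post or from the malware: it triages constructed DNS and egress-firewall log lines, and the log formats, field names and IP addresses are assumptions made for illustration.

```python
# Added example: triage hosts that looked up the WannaCry kill-switch domain.
# Log formats, field names and IP addresses are constructed for illustration.

# Domain exactly as given on the page, stored defanged and re-fanged for matching.
KILL_SWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com".replace("[.]", ".")

DNS_LOG = """\
2017-05-15T09:14:02 client=10.0.4.17 query=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com type=A
2017-05-15T09:14:05 client=10.0.4.22 query=example.org type=A
2017-05-15T09:15:40 client=10.0.7.3 query=IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. type=A
2017-05-15T09:16:11 client=10.0.9.8 query=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com type=A
"""
FW_LOG = """\
2017-05-15T09:14:03 src=10.0.4.17 dport=80 host=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com action=ALLOW
2017-05-15T09:15:41 src=10.0.7.3 dport=80 host=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com action=DENY
2017-05-15T09:15:42 src=10.0.4.22 dport=80 host=example.org action=ALLOW
"""

def fields(line):
    """Split one log line into a dict of its key=value tokens."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def is_kill_switch(name):
    """Compare case-insensitively and ignore a trailing root dot."""
    return name.rstrip(".").lower() == KILL_SWITCH

def triage(dns_log, fw_log):
    """Map each client that resolved the domain to what happened to its direct GET."""
    status = {}
    for line in dns_log.splitlines():
        f = fields(line)
        if is_kill_switch(f.get("query", "")):
            status[f["client"]] = "lookup-only"          # outcome of the GET unknown
    for line in fw_log.splitlines():
        f = fields(line)
        src = f.get("src")
        if src not in status or f.get("dport") != "80" or not is_kill_switch(f.get("host", "")):
            continue
        if f.get("action") == "ALLOW" and status[src] != "direct-http-blocked":
            status[src] = "kill-switch-reached"          # sample ran, then exited
        elif f.get("action") != "ALLOW":
            status[src] = "direct-http-blocked"          # check failed, sample kept running
    return status

if __name__ == "__main__":
    for host, state in sorted(triage(DNS_LOG, FW_LOG).items()):
        print(f"{host:12} {state}")
```

Every host in the result needs investigation and patching; those marked `direct-http-blocked` come first, because the kill switch could not fire there. It also follows that resolution of the domain and direct HTTP access to it should not be blocked at the perimeter.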

