Monday May 15, 2017

A security expert whose firm helped stop the spread of Friday’s massive cyberattack by activating a secret kill switch discovered by an anonymous computer whiz says we haven’t seen the last of the so-called WannaCry virus. 

British media are hailing as a “hero” an unnamed 22-year-old cybersecurity researcher — who uses the online handle Malware Tech and works for the security firm Kryptos Logic — for halting the spread of the global ransomware attack that paralyzed, hospitals, factories, banks, government agencies and transport systems around the world.

“One of our researchers actually found the malware sample and provided it to Malware Tech,” Ryan Kalember, senior vice-president at the security firm Proofpoint, told As It Happens host Carol Off. 

“He and our own internal research team both got to work doing basically reverse-engineering of the malware, trying to figure out what it did, how it did it and whether there was any way to stop it.”

They discovered an unregistered domain name — or website address — coded into the malware. That turned out to be a kill switch, planted by the malware’s authors in case they needed to stop it spreading. 


This is the ransom message that popped up on hundreds of thousands of computers hit by the WannaCry virus. (Ritchie B. Tongo/EPA)

“Malware Tech took that first step and spent about $10 US registering the domain name itself to create what we call a sinkhole, where instead of actually doing the bidding of the malware’s author, we as defenders can have it do something else that’s benign,” Kalember said. 

Essentially, by activating the domain name, they stopped the WannaCry virus in its tracks by diverting it to a dead end on the internet.

But the story doesn’t end there. Kalember and other security experts, including those at Malware Tech, are sounding the alarm that people are still at risk if they don’t upgrade their systems.

Microsoft released patches last month and on Friday to fix a vulnerability that allowed the worm to spread across networks.

Code for exploiting that bug, which is known as “Eternal Blue,” was released on the internet last month by a hacking group known as the Shadow Brokers. Security experts believe that code originated with the U.S. National Security Agency.

Infected computers appear to largely be out-of-date devices that organizations deemed not worth the price of upgrading or, in some cases, machines involved in manufacturing or hospital functions that proved too difficult to patch without possibly disrupting crucial operations. 

Computers using pirated software were also disproportionately affected. 

All of this means someone could come along and create a new version of the WannaCry virus — and this time, they probably won’t put in a kill switch. 

“Sadly, it’s not over until we’re all patched,” Kalember said. “These things have a longer life than anyone should ever have a reasonable expectation that they will.”