Cyber attack: Hackers in China try to seize control of WannaCry ransomware's 'kill switch'

The attempt fails but could have allowed the kill switch to be disabled, expert says

Ian Johnston@montaukian
Sunday 14 May 2017 17:22
comments
The instruction file that Nurse Helen Barrow, of Littleborough, Lancashire, found on her desktop after becoming the first known UK victim
The instruction file that Nurse Helen Barrow, of Littleborough, Lancashire, found on her desktop after becoming the first known UK victim

Hackers in China tried to seize control of the ‘kill switch’ used to prevent many of the WannaCry ransomware attacks that have been causing chaos across the world.

A 22-year-old British cyber security analyst discovered a website domain name in the code of a ‘worm’ used to infect computers with ransomware, which took over PCs and demanded money to return control.

When he registered the domain name, it activated a ‘kill switch’ in the coding. Every time the malware first infected a computer, it would try to find the website. If it could not, it would carry out the attack but if it did, it would shut down.

This is believed to have prevented thousands of attacks, but experts have warned the code could easily be rewritten by those responsible.

There are fears of a new wave of problems when people return to work if they have not installed a new security patch issued by Microsoft.

The security analyst, who has asked to remain anonymous but uses the name MalwareTech on social media, said he had been notified of an apparent attempt by someone else to take control of the website.

“Looks like someone in China attempted to steal the domain,” he wrote on Twitter.

Costin Raiu, director of global research and analysis at cyber security company Kaspersky Lab, told The Independent that hackers would sometimes try to take control of a website by pretending to be the owner and getting it transferred to a different register.

In this case, he said: “In theory, they could do two things. One is just count how many victims there are around the world.

“The other thing is they could just disable the kill switch that MalwareTech enabled … but the transfer attempt failed.”

He said it was “unlikely" that the hackers themselves would have done this as it would be simpler just to change the program slightly.

“They can very easily create another variant of this worm which doesn’t have this kill switch or checks for a different domain and they will achieve the same effect [as seizing control of the original domain],” Mr Raiu said.

Instead he suggested hackers unnconnected to the ransomware attacks may have been trying to pull off a feat that would give them a degree of "fame".

He suggested the best way to catch the people responsible for the WannaCry attacks would be to trace the ransom payments, which were to be made in Bitcoins.

“What you can follow is the money,” Mr Raiu said. “You can follow the Bitcoins [although] following the Bitcoins is kind of an art in itself.”

Join our new commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

View comments