Cyber attack: Hackers in China try to seize control of WannaCry ransomware's 'kill switch'

The attempt fails but could have allowed the kill switch to be disabled, expert says

The instruction file that Nurse Helen Barrow, of Littleborough, Lancashire, found on her desktop after becoming the first known UK victim
The instruction file that Nurse Helen Barrow, of Littleborough, Lancashire, found on her desktop after becoming the first known UK victim

Hackers in China tried to seize control of the ‘kill switch’ used to prevent many of the WannaCry ransomware attacks that have been causing chaos across the world.

A 22-year-old British cyber security analyst discovered a website domain name in the code of a ‘worm’ used to infect computers with ransomware, which took over PCs and demanded money to return control.

When he registered the domain name, it activated a ‘kill switch’ in the coding. Every time the malware first infected a computer, it would try to find the website. If it could not, it would carry out the attack but if it did, it would shut down.

This is believed to have prevented thousands of attacks, but experts have warned the code could easily be rewritten by those responsible.

There are fears of a new wave of problems when people return to work if they have not installed a new security patch issued by Microsoft.

The security analyst, who has asked to remain anonymous but uses the name MalwareTech on social media, said he had been notified of an apparent attempt by someone else to take control of the website.

“Looks like someone in China attempted to steal the domain,” he wrote on Twitter.

Costin Raiu, director of global research and analysis at cyber security company Kaspersky Lab, told The Independent that hackers would sometimes try to take control of a website by pretending to be the owner and getting it transferred to a different register.

In this case, he said: “In theory, they could do two things. One is just count how many victims there are around the world.

“The other thing is they could just disable the kill switch that MalwareTech enabled … but the transfer attempt failed.”

He said it was “unlikely" that the hackers themselves would have done this as it would be simpler just to change the program slightly.

“They can very easily create another variant of this worm which doesn’t have this kill switch or checks for a different domain and they will achieve the same effect [as seizing control of the original domain],” Mr Raiu said.

Instead he suggested hackers unnconnected to the ransomware attacks may have been trying to pull off a feat that would give them a degree of "fame".

He suggested the best way to catch the people responsible for the WannaCry attacks would be to trace the ransom payments, which were to be made in Bitcoins.

“What you can follow is the money,” Mr Raiu said. “You can follow the Bitcoins [although] following the Bitcoins is kind of an art in itself.”

Register for free to continue reading

Registration is a free and easy way to support our truly independent journalism

By registering, you will also enjoy limited access to Premium articles, exclusive newsletters, commenting, and virtual events with our leading journalists

Please enter a valid email
Please enter a valid email
Must be at least 6 characters, include an upper and lower case character and a number
Must be at least 6 characters, include an upper and lower case character and a number
Must be at least 6 characters, include an upper and lower case character and a number
Please enter your first name
Special characters aren’t allowed
Please enter a name between 1 and 40 characters
Please enter your last name
Special characters aren’t allowed
Please enter a name between 1 and 40 characters
You must be over 18 years old to register
You must be over 18 years old to register
Opt-out-policy
You can opt-out at any time by signing in to your account to manage your preferences. Each email has a link to unsubscribe.

By clicking ‘Create my account’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Already have an account? sign in

By clicking ‘Register’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Register for free to continue reading

Registration is a free and easy way to support our truly independent journalism

By registering, you will also enjoy limited access to Premium articles, exclusive newsletters, commenting, and virtual events with our leading journalists

Already have an account? sign in

By clicking ‘Register’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Join our new commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in