Cybercriminals are spreading an updated version of the deadly WannaCry ransomware. It’s called Wcry 2.0, and it’s designed to infect computers through an exploit known as EternalBlue.
It’s designed to work the same way as WannaCry did, but it can be updated to work with a new exploit.
If you’re one of the many people whose computers have been infected with Wcry 2.0, we have a few tips to help you regain control of your data. Here’s a step-by-step guide to prevent yourself from being a victim.
What is the WannaCry Kill Switch?
In short, a lifesaver. The WannaCry kill switch is what finally stopped the spread of the WannaCry ransomware, which had already infected hundreds of thousands of devices throughout the globe.
The kill switch was discovered by Marcus Hutchins and Jamie Hankins, security researchers working for the cybersecurity company Kryptos Logic. The initial WannaCry onslaught was devastating and unprecedented, with the National Health Service (NHS) in the UK being among the hardest hit.
In an astonishing discovery, Hutchins found that part of WannaCry’s protocol was to check for a particular URL prior to infecting a device. The URL seemed like nothing other than gibberish, but Hutchins wanted to identify why the ransomware sought it out.
By spending just $10 to register the domain of the bizarre URL, Hutchins managed to discover the kill switch. This stopped the ransomware from spreading further and ultimately saved hundreds of thousands of devices from infection.
What was the Significance of the URL?
Each time the WannaCry ransomware came into contact with a device, part of its protocol was to check for the URL ‘Iuqerfsodp9Ifjaposdfjhgosurijfaewrwergwea.com’. If the URL was inactive, then the ransomware would proceed with infection.
However, once Hutchins registered the domain, the ransomware could not proceed as it detected the URL as active. The virus was stopped in its tracks, all because of a $10 gamble placed on a seemingly meaningless URL.
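The check described above also leaves a trace defenders can use: a machine that looks up the kill-switch domain has most likely run the ransomware, even if the active domain stopped it from going further. The sketch below is an added example, not code from the original article; the log layout, client addresses, sample lines and function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Kill-switch domain exactly as quoted on this page; DNS names are
# case-insensitive, so it is normalised to lower case before comparing.
KILL_SWITCH = "Iuqerfsodp9Ifjaposdfjhgosurijfaewrwergwea.com".lower()

# Assumed log layout (constructed for this example, not a real resolver format):
#   <ISO timestamp> client=<ip> qtype=<type> qname=<name>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+qtype=(?P<qtype>\S+)\s+qname=(?P<qname>\S+)$"
)

# Constructed sample log, in time order.
SAMPLE_LOG = """\
2017-05-12T09:01:11Z client=10.0.4.17 qtype=A qname=www.example.org
2017-05-12T09:02:40Z client=10.0.4.17 qtype=A qname=IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.
2017-05-12T09:02:41Z client=10.0.7.3 qtype=A qname=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T09:03:05Z client=10.0.9.9 qtype=A qname=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.other.example
malformed line without fields
2017-05-12T09:10:59Z client=10.0.4.17 qtype=AAAA qname=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
"""


def is_kill_switch(qname: str) -> bool:
    """True for the domain itself or any subdomain, ignoring case and a trailing dot."""
    name = qname.rstrip(".").lower()
    return name == KILL_SWITCH or name.endswith("." + KILL_SWITCH)


def hosts_querying_kill_switch(log_text: str) -> dict:
    """Map each client IP to the count, first and last time of its kill-switch lookups."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not is_kill_switch(m["qname"]):
            continue  # skip malformed lines and unrelated names
        rec = hits[m["client"]]
        rec["count"] += 1
        rec["first"] = rec["first"] or m["ts"]  # relies on the log being in time order
        rec["last"] = m["ts"]
    return dict(hits)


if __name__ == "__main__":
    for client, rec in sorted(hosts_querying_kill_switch(SAMPLE_LOG).items()):
        print(f"{client}: {rec['count']} lookup(s), {rec['first']} .. {rec['last']}")
```

A hit is a lead for triage rather than proof of infection, since researchers and security tools may also resolve the domain.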
This action was not well received by the hackers, who took swift action to try and reverse it. One botnet operator tried to throw the URL offline by hurling hordes of junk internet traffic at it, but thankfully they were unsuccessful.
In another surprising turn of events, French law enforcement seized two of the servers that Hutchins and Hankins were using. They had wrongfully believed that the domain was being used to propagate the virus, rather than prevent it.
Thankfully, Hutchins and Hankins remained stalwart in their opposition to the virus, which ultimately rendered the kill switch so effective. The pressure of keeping the NHS running weighed heavily on their shoulders.
Why did the Kill Switch Exist?
There are numerous theories as to why the WannaCry kill switch was put there. The most widely accepted is that the hackers themselves put it there, just in case the chaos they had released became too much to handle.
The behavior of the ransomware, notably how it checks for this specific URL before proceeding, is a huge indicator that it was a deliberate addition to the code rather than an erroneous mishap.
Ultimately, including this URL was the virus’ downfall and a mistake on the part of the hackers. It was a mistake we are all lucky they made, however, as without it it’s unclear how the continuing infections would have been prevented.
Did the Kill Switch Fix Everything?
Although the kill switch was instrumental in preventing further infections, it was not a miracle cure. Devices that had already been infected could not be saved, meaning their data was still locked behind a Bitcoin paywall.
However, the activation of the domain created a form of ‘sinkhole’ that absorbed all future malicious traffic. This is estimated to have prevented hundreds of thousands of further victims, but significant damage had already been done.
The NHS was forced to turn patients away, cancel appointments, and even experienced the rerouting of ambulances, ultimately meaning emergency treatment was missed. Globally, WannaCry cost businesses and organizations billions of dollars.
Over $130,000 of this was ransom payments alone, paid by individuals out of sheer desperation. However, the bulk of the cost came from damages incurred after the event, predominantly due to key information that had been permanently lost.
Is WannaCry Still a Threat?
The kill switch URL effectively neutralized the first WannaCry outbreak, but that doesn’t mean we are in the clear. Terrifyingly, all it would take for another attack would be another iteration of WannaCry that did not seek out the URL.
Additionally, another version of WannaCry could prove effective if it simply existed without a kill switch at all. As we previously noted, it is widely accepted that the kill switch was implemented by the original hackers. Should a future coder choose not to include this, WannaCry would prove far more difficult to halt.
This is largely due to the type of ransomware that WannaCry is. It operates as a cryptoworm. This means it is entirely self-propagating and self-replicating. It requires no human intervention, so the hacker can simply release it into the world, sit back, and enjoy the chaos.
This essentially means that WannaCry, or any cryptoworm for that matter, will never stop attempting to replicate itself. It is out of the control of the original hacker unless a specific kill switch has been designed already. This makes it particularly volatile.
Despite first emerging in 2017, WannaCry variants remain a highly popular form of malicious encryption. In fact, in 2019, WannaCry made up 25% of encryption cyber attacks. The only real way to stay safe is to stay prepared.
How Can WannaCry be Prevented?
Unfortunately, malware and ransomware aren’t going anywhere. WannaCry isn’t the only threat out there, and hackers are constantly coming up with new ways to scam victims out of money.
However, this doesn’t mean all hope is lost. There are numerous steps you can take to protect your device from future attacks. Although there is no way to completely guarantee your safety, there are several ways to significantly reduce the risk.
WannaCry ultimately caused so much damage because it took advantage of an exploit found in old Windows operating systems. Had users kept up to date with security patches, the devastating consequences could have been minimized.
So, to review, here are some key behaviors you can enact to reduce the likelihood of falling victim to a cyberattack:
- Keep Your System Updated: Your operating system isn’t constantly asking for updates just to annoy you; they are genuinely helpful.
- Back Up Your Key Files: A ransom is useless if you are okay with losing whatever they encrypt. Store your most important data on a separate hard drive.
- Make Use of Antivirus Software: Browsing the internet with absolutely no protection is asking for trouble. Even free antivirus software is better than nothing!
Staying educated on new threats and enforcing preventative measures can go a long way, even if you only make small changes.
WannaCry is Far From Over
The original threat may have been nullified by the actions of Hutchins and Hankins, but the threat of malicious encryption is far from over. Viruses will always exist, and hackers will always try to innovate.
All we can do is stay vigilant and keep our devices protected to the best of our abilities. A mixture of sensible browsing habits and antivirus software is a great way to reduce the risk of infection.

Christian Scott is the founder and operator of Malware Brains, a comprehensive cybersecurity website dedicated to educating individuals and businesses about malware and its impacts on society. With over 25 years of collective industry experience, Christian and his team of experts provide unbiased, factual information to help users understand and mitigate the risks associated with malicious software.





