
Connectivity

The WannaCry Ransomware Attack Could’ve Been a Lot Worse

An accidental discovery brought the initial attack—as well as a feared second wave—grinding to a halt.

NSA headquarters, where software vulnerabilities go to be hoarded in secret ... and then stolen, leaked, and unleashed on an unsuspecting public.

You may have heard: a globe-spanning ransomware attack known as WannaCry (and “WannaCrypt” and “WannaDecryptor”) started on Friday, ultimately encompassing some 200,000 computers in 150 countries.

But it could have been a lot worse—and we have cybersecurity researchers to thank for making sure it wasn’t.

Even as word was still spreading Friday that computers at dozens of hospitals in the U.K. were being maliciously locked down, and a notice demanding ransom posted on their screens, an anonymous researcher known as MalwareTech was in the process of shutting down further spread of the program.

As s/he reported in a fascinating blog post, MalwareTech had found an unregistered URL address in WannaCry’s code. Suspecting that the address had something to do with how the virus communicated—a common feature in botnets and other types of malware—MalwareTech registered the domain and watched as traffic from thousands of infected computers came flooding in, nearly overloading the server hosting the domain. Usually this kind of “sinkhole” move is an effort to disrupt a botnet, for example, from issuing commands to infected systems.

In this case, the domain turned out to be a “kill switch”—on any system that made contact with the URL, the virus shut itself down. WannaCry was on its way out.
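What a sinkhole operator sees once a kill-switch domain like the one described above is registered, as an added example that is not part of the original article: the log lines are constructed in Common Log Format, and "killswitch.example" stands in for the real domain, which the article does not name. Each beacon to the root path marks an infected host whose copy of the malware then shut itself down.

```python
# Added example, not from the article. Parses constructed sinkhole access logs
# (Common Log Format) for a placeholder kill-switch domain "killswitch.example"
# and reports how many infected hosts checked in, ignoring unrelated crawler noise.
import re
from collections import Counter, defaultdict

SINKHOLE_LOG = """\
203.0.113.7 - - [12/May/2017:15:08:01 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
198.51.100.23 - - [12/May/2017:15:08:01 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
203.0.113.7 - - [12/May/2017:15:08:02 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
192.0.2.44 - - [12/May/2017:15:09:10 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
198.51.100.99 - - [12/May/2017:15:09:11 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "crawler"
"""

# client IP, bracketed timestamp, request line and status code
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one CLF line, or None if the line is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["minute"] = rec["ts"][:17]  # e.g. "12/May/2017:15:08"
    return rec


def summarize_sinkhole(log_text, beacon_path="/"):
    """Count hosts beaconing to the kill-switch path; skip crawlers and junk lines."""
    hosts = Counter()
    per_minute = defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["path"] != beacon_path:
            continue  # malformed, or not a beacon (e.g. a crawler fetching robots.txt)
        hosts[rec["ip"]] += 1
        per_minute[rec["minute"]].add(rec["ip"])
    return {
        "unique_hosts": len(hosts),                  # distinct infected machines seen
        "beacons": sum(hosts.values()),              # total kill-switch checks
        "repeat_hosts": sorted(ip for ip, n in hosts.items() if n > 1),
        "hosts_per_minute": {m: len(s) for m, s in sorted(per_minute.items())},
    }


if __name__ == "__main__":
    print(summarize_sinkhole(SINKHOLE_LOG))
```

A repeat host in the output is a machine that beaconed more than once, which is worth a closer look since a single check is the expected pattern.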

As MalwareTech noted, however, malicious programmers could easily alter WannaCry’s code to ping a new address instead. And they did. On Sunday a new variant was infecting thousands of systems in Russia. That, too, was curtailed thanks to the quick work of a cybersecurity researcher.

In the meantime, Microsoft took the unusual step of hustling to distribute a patch for a flaw in the unsupported version of Windows that WannaCry was exploiting. The U.S. National Security Agency had been hoarding the vulnerability, but it was leaked after the theft of the agency’s secrets by a hacking group known as the Shadow Brokers.


Unfortunately, as we’ve stated before, ransomware has become a popular form of cybercrime for one simple reason: it pays. It’s also difficult—though not impossible—to stop. Apart from this weekend’s attacks, criminals have locked down part of San Francisco’s public transit system and a hospital in Los Angeles—in the latter case, forcing the hospital to pony up $17,000 to regain access to its files.

The architects of WannaCry were similarly looking for a quick payday. But they made it pretty easy to follow the money: WannaCry’s code contained the addresses of three Bitcoin wallets. As of midafternoon Monday, a Twitter bot tracking payments to the wallets said the accounts had a total of a little over $55,000 in them.

Thanks to such scrutiny, some experts have speculated that whoever is behind WannaCry won’t dare try to make a withdrawal from the wallets, fearing that it will blow their cover. The sum itself might also give them pause. Sure, it’s a lot of money—but it could’ve been a whole lot more.

(Read more: MalwareTech, Los Angeles Times, BBC, Quartz, “Holding Data Hostage: The Perfect Internet Crime?,” “Two Ways to Stop Ransomware in Its Tracks”)
