Wana Decrypt0r Ransomware Outbreak Temporarily Stopped By "Accidental Hero"

[alacran]

Link: https://www.bleepingcomputer.com/news/security/wana-decrypt0r-ransomware-outbreak-temporarily-stopped-by-accidental-hero-/

A security researcher that goes online by the nickname of MalwareTech is the hero of the day, albeit an accidental one, after having saved countless of computers worldwide from a virulent form of ransomware called Wana Decrypt0r (also referenced as WCry, WannaCry, WannaCrypt, and WanaCrypt0r).

What MalwareTech did was spend around £10 to register a domain he found in the ransomware's source code.
Security researcher finds ransomware kill switch

The researcher discovered that the virulent and self-spreading Wana Decrypt0r ransomware was making a pre-infection check to a domain located at iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.

If the domain was unregistered, the ransomware would start encrypting files. But if the domain was registered, the ransomware would stop its infection process.

By registering this domain, MalwareTech had accidentally triggered a worldwide kill-switch for the ransomware's self-spreading feature.

Everyone needs to update their computers!

"It's very important everyone understands that all they [Wana Decrypt0r gang] need to do is change some code and start again," MalwareTech explained last night. "Patch your systems now!"

The Wana Decrypt0r ransomware used a self-spreading mechanism derived from an NSA exploit leaked by the Shadow Brokers. That exploit can be mitigated by installing the patches included with Microsoft security bulletin MS17-010.

Additionally, Microsoft has released an update for older operating systems that are no longer officially supported, such as Windows XP, Windows 8, and Windows Server 2003. The update can be downloaded from here.

People already infected with this ransomware will not get their files back just because that domain was registered. It means that no new infections will occur with yesterday's strain. Currently, there's no known method of breaking the ransomware's encryption.

The only viable method of getting files back at the moment is from previous operating system backups, and by paying the ransom note, as a last resort.

During yesterday's ransomware outbreak, MalwareTech also created a tracker for Wana Decrypt0r victims, and a live map, showing infections in real time, which is now terribly silent. For those affected, you can discuss this ransomware and receive support in the dedicated WanaCrypt0r & Wana Decrypt0r Help & Support Topic. Bleeping Computer also published a technical analysis of the Wana Decrypt0r ransomware.

That exploit can be mitigated by installing the patches included with Microsoft security bulletin MS17-010 : https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Additionally, Microsoft has released an update for older operating systems that are no longer officially supported, such as Windows XP, Windows 8, and Windows Server 2003. The update can be downloaded from here: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

alacran

Edited May 14, 2017 by alacran

[jaclaz]

Actual page of the good guy already posted:
 

[Jody Thornton]

Was it anything like this?

[Tommy]

I think I'm even more surprised that Microsoft took pity on those not migrating off Windows XP and still released a patch for them as well. But then it might not be so much because of their goodwill towards XP users as it is trying to stop the spread of the malware itself.

[Tripredacus]

I'm not sure how accidental hero it is. There are some people that will register non-existant domains that are seen in advertisements or other forms of media just because.