The WannaCry ransomware attack in May 2017 sent shockwaves across the globe, crippling major organizations and highlighting critical vulnerabilities in cybersecurity. While news outlets covered the chaos, the story of how this global epidemic was unintentionally stopped is less known. This is the account of that frantic Friday – a day that was supposed to be a relaxing part of a week off, but instead turned into a race against a rapidly spreading cyber threat.
It started like any other day monitoring online cyber threat platforms. While Emotet banking malware had been the primary concern, a new wave of ransomware reports began to surface. Initially, these seemed like typical isolated incidents. However, a lunch break would change everything.
Returning home around 2:30 PM, the cyber threat sharing platform was exploding with reports – not just isolated incidents, but widespread infections hitting the UK’s National Health Service (NHS). This was the red flag. Ransomware on public sector systems wasn’t new, but simultaneous attacks across the nation indicated something far more sinister than phishing emails. It suggested a propagation method beyond simple user interaction. Contacting a fellow researcher, Kafeine, a malware sample was quickly obtained. Analyzing it in a virtual environment, an immediate anomaly was detected: the malware was querying an unregistered domain. Acting quickly, the domain was registered.
Using Cisco Umbrella, historical query data revealed the WannaCry campaign had begun around 8 AM UTC, hours before the domain registration.
While waiting for domain propagation, the malware sample was re-executed in the virtual environment. The familiar WannaCry ransom screen appeared, but more crucially, after encrypting test files, the malware began aggressively connecting to random IP addresses on port 445 – the port used by the Server Message Block (SMB) protocol, often associated with file sharing and network resource access, especially in systems like Windows XP. The mass connection attempts screamed “exploit scanner,” and the SMB port immediately brought to mind the recent Shadow Brokers leak of NSA exploits – including one targeting SMB. Although concrete evidence was still lacking, the suspicion of an SMB exploit being involved grew rapidly. A tweet was sent out, questioning if the sample’s SMB scanning behavior was part of the larger WannaCry outbreak. The domain registration, however, wasn’t a random act. The ongoing work involved tracking and disrupting botnets and malware, which includes actively seeking unregistered malware control server (C2) domains. Thousands of such domains had been registered in the past year alone.
The standard procedure is:
- Identify unregistered or expired C2 domains associated with active botnets and redirect them to a sinkhole server.
- Collect data on the infection’s geographical distribution and scale, gathering IP addresses to notify victims and assist law enforcement.
- Reverse engineer the malware to find vulnerabilities that could allow for a take-over or disruption of the malware/botnet via the registered domain.
In the case of WannaCry, these steps became intertwined, even before fully understanding the domain’s purpose. Moments after the domain went live, a Talos analyst requested the SMB-scanning sample. Providing it led to initial confusion as they couldn’t replicate the behavior. Unbeknownst to anyone at the time, the domain registration had already inadvertently disabled the malware. With sinkhole servers nearing maximum capacity due to a large botnet takedown the previous week, immediate investigation was impossible. The priority shifted to stabilizing the sinkhole infrastructure and extracting data from the newly registered domain. At this stage, the domain’s exact function remained unclear, only that infected machines were connecting to it, providing a tracking mechanism. Setting up a live tracking map and sharing it on Twitter became the immediate next step.
Around 6:23 PM BST, a colleague was tasked with analyzing the worm code to confirm the domain’s persistence. Simultaneously, the live map was being updated to handle the surge in traffic. Within five minutes, the colleague reported alarming news: domain registration seemed to trigger the ransomware, suggesting files were being encrypted due to our action. Panic ensued, but contacting Kafeine led to a tweet from ProofPoint researcher Darien Huss, presenting the opposite conclusion – domain registration was stopping the ransomware’s spread.
Conflicting reports necessitated immediate re-examination. Rerunning the sample in the analysis environment yielded nothing. Modifying the host file to block domain connection, and re-running the sample resulted in – ransomware activation. This moment of being “ransomwared” was, paradoxically, a moment of elation. The contrasting outcomes confirmed the unintentional kill switch. Registering the domain had indeed halted WannaCry’s spread and further encryption of new machines globally. While initial silence was maintained to verify these findings through reverse engineering, Darien’s tweet was already gaining traction.
The question remained: why did a simple domain sinkhole stop a global ransomware epidemic?
Talos’s detailed analysis clarified the code. The malware contained a hardcoded domain. Before encryption, WannaCry attempted to connect to this domain.
If the connection failed, the ransomware proceeded with encryption. If the connection succeeded, the malware exited. The initially suggested “kill switch” theory was plausible, but a more likely explanation emerged: anti-analysis.
Sandbox environments often intercept network traffic, responding to all URL lookups with a sandbox-controlled IP, even for unregistered domains. The WannaCry authors likely intended to check for such sandbox behavior by querying an intentionally unregistered domain. A successful connection would indicate a sandbox environment, causing the malware to exit and evade analysis. This technique, while not unprecedented, backfired spectacularly. By registering the single hardcoded domain, every WannaCry infection worldwide believed it was in a sandbox, triggering the exit condition and stopping the ransomware in its tracks. This unintentional intervention prevented further spread and encryption. Maintaining control of this domain remains crucial to block this specific sample.
Crucially, this sinkhole only neutralized this specific sample of WannaCry. The attackers could easily remove the domain check and relaunch. Therefore, patching vulnerable systems remains paramount. The incident highlighted the critical need for timely security updates, especially for older operating systems like Windows XP and systems involved in network resource sharing. While “Cara Sharing Scanner Windows Xp” might seem unrelated, the underlying vulnerability exploited by WannaCry – SMB – is often associated with file and printer sharing functionalities prevalent in Windows networks, including older versions like XP. Outdated and unpatched systems, particularly those involved in sharing resources, become prime targets in such attacks. Microsoft’s release of an out-of-band patch for unsupported systems like Windows XP and Server 2003 was a critical step, allowing users to secure even these legacy systems against WannaCry.
The WannaCry incident serves as a stark reminder of the interconnectedness of cybersecurity and the potential for unintended consequences, both malicious and beneficial. The accidental kill switch bought valuable time, but proactive security measures, including patching and robust network security practices, are the true long-term defenses against evolving cyber threats.
Grateful acknowledgements are due to:
NCSC UK: For their invaluable threat intelligence sharing, crucial in identifying the malware family and ensuring sinkhole legitimacy for victim notification.
FBI & ShadowServer: For their rapid assistance in notifying non-UK victims, requiring a sleepless night of collaboration.
2sec4u: For their support and humor during a high-pressure situation.
Microsoft: For their prompt release of critical patches, including for legacy systems, enabling widespread protection.
The key takeaway? Patch everything. Regularly. Resources like the NCSC guide (https://www.ncsc.gov.uk/guidance/protecting-your-organisation-ransomware) are invaluable.
And now, sleep is definitely needed.
