WannaCry ransomware
A young security researcher has found a kill switch that prevents the WannaCry ransomware from spreading.Reuters

Looks like hackers behind the WannaCry ransomware cyberattack, which infected computers across the globe, were not smart after all.

The ransomware attack was indeed a large campaign, and it did manage to cause havoc worldwide. But a sloppy mistake by these cybercriminals helped a young security researcher discover a "kill switch" that can disable all functionality of the "WanaCrypt0r 2.0" (aka WannaCry or WCry) ransomware and stop it from spreading further, at least for now.

After running on a victim's computer, the WannaCry ransomware tries to connect to an unregistered domain. If the connection takes place, the ransomware doesn't start encrypting files and also stops spreading.

The 22-year-old researcher, who tweets as @MalwareTechBlog, spotted this domain and found that registering the domain name prevented it from spreading. According to the researcher, "a bit of analysis" led him to the discovery of the domain, but finding the kill switch was accidental.

So, the WanaCrypt0r 2.0 is no more spreading?

"From what I can see no," the researcher told International Business Times, India. But the crisis isn't over and "people need to patch ASAP or risk being re-infected."

According to @MalwareTechBlog, it's very likely that the hackers will register a new domain and launch new attacks. So the best practice for people is to update their systems immediately.

How does WanaCrypt0r 2.0 spread?

The initial infection vector for this ransomware appears to be phishing e-mails, a method hackers use to trick someone into clicking a malicious link in a seemingly legitimate email. If the victim clicks on the link, it allows the attacker to break into a computer's defences.

After infecting a computer, the WannaCry ransomware can scan the entire internal network and target other machines by exploiting a recently patched Windows vulnerability. What makes it more hazardous is the fact that the encryption process can takes place even if the machines are not connected to the internet.

Windows 10 is unaffected

Microsoft had released a patch (MS17-010) for the vulnerability on March 14th 2017. However, many people have not yet installed the patch on their systems. According to the company, WannaCry ransomware apparently affected computers that have not applied the patch.

"While the attack is unfolding, we remind users to install MS17-010 if they have not already done so," Microsoft said in a blog post, warning that "the attack is still active, and there is a possibility that the attacker will attempt to achieve persistence by reacting to our detection response."

The company also said that WanaCrypt0r 2.0 uses an exploit code that was designed to work only against unpatched Windows 7 and Windows Server 2008 or earlier operating systems. Therefore, PCs running on Windows 10 are not affected by this ransomware attack.

How to protect against WannaCry?

Here're some measures recommended by Microsoft to prevent and protect against this threat:

  • Apply Windows update MS17-010.
  • Disable the outdated protocol SMBv1.
  • Add a rule on your router or firewall to block incoming SMB traffic on port 445.
  • Enable Windows Defender Antivirus to detect this ransomware. (It identifies the ransomware as Ransom:Win32/WannaCrypt as of the 1.243.297.0 update)
  • Use Office 365 Advanced Threat Protection, which can block dangerous email threats, such as the emails carrying ransomware using its machine learning capability.
  • Monitor your network with Windows Defender Advanced Threat Protection.