After crippling computers across various sectors ranging from healthcare to transportation in as many as 150 countries, the WannaCry ransomware is now in a dormant state after an accidental "kill switch" pulled the plug on its spread.
Now, some devious hackers are launching punishing assault on that kill switch with variants of the infamous Mirai botnet, which knocked off major websites last year, including Spotify, Reddit and The New York Times. Cyber-security experts have managed to defend against the attacks so far. However, if successful, the hackers could make the WannaCry ransomware start spreading once again.
The WannaCry kill switch was nothing but a random-looking web address, which was included in the malware's code. Whenever WannaCry infects a computer, it first tries to reach out to the domain to check whether it is active, and if it is, the ransomware assumes it is being inspected, and becomes inactive.
It's still unclear whether including the kill switch was a sloppy mistake by those behind the ransomware attack, or whether it was an intentional move to check that the malware is not running in a "sandbox," set up by security researchers to test malware samples securely.
Whatever the motive, a security researcher did spot the kill switch (albeit accidentally), and later registered the domain to dramatically slow the worm down.
Since then, hackers are in retaliation, by launching nonstop distributed denial of service (DDoS) attacks from Internet of Things devices infected by the Mirai botnet. The attacks have peaked at 20 gigabits per second, and are trending up.
The latest unique IPs count from the WannaCry sinkhole is 416,989 (not including the 604,102 unique IPs from manual visits to the domain).
— MalwareTech (@MalwareTechBlog) May 20, 2017
Today's Sinkhole DDoS Attack pic.twitter.com/wxT2YUrdOF
— MalwareTech (@MalwareTechBlog) May 18, 2017
The reason behind the DDoS attack is apparently to reactivate WannaCry's dormant infections and fire up the epidemic anew.
"The ones that were successfully encrypted are in this zombie state, where they're waiting to be reactivated if that domain goes away," Matt Olney, a security researcher with Cisco's Talos team, told Wired.
According to Marcus Hutchins, the 22-year-old cyber-security researcher who discovered the WannaCry kill switch domain, attackers behind the botnet assault are not the ones who created the ransomware, but other group of hackers trying to reignite the virus just for fun.
"They've obviously got no financial incentive. They're not the ransomware developers," Hutchins said. "They're just doing it to cause pain."