The virulent ransomware worm has been stopped (for now) by a hidden killswitch


The guy who accidentally discovered how to turn off the ransomware wins the Internets for the day.


Isn’t that fascinating?

This one simple trick that ransomware writers don’t want you to know!


This man looked inside his ransomware and was shocked by what he found!


Just a simple kill-switch, huh?

Sounds like one of those lazy plot-line “Deus ex machina” endings… literally.


The running theory is that it is not so much a kill switch, but a poorly designed way to test to see if the malware is running in a sandbox.

From the guy himself:

The reason which was suggested is that the domain is a “kill switch” in case something goes wrong, but I now believe it to be a badly thought out anti-analysis.

In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to, a side effect of this is if an unregistered domain is queried it will respond as if it were registered (which should never happen).

I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox and the malware exits to prevent further analysis. This technique isn’t unprecedented and is actually used by the Necurs trojan (they will query 5 totally random domains and if they all return the same IP, it will exit); however, because WannaCrypt used a single hardcoded domain, my registration of it caused all infections globally to believe they were inside a sandbox and exit…thus we initially unintentionally prevented the spread and further ransoming of computers infected with this malware. Of course now that we are aware of this, we will continue to host the domain to prevent any further infections from this sample.

One thing that is very important to note is our sinkholing only stops this sample and there is nothing stopping them removing the domain check and trying again, so it’s incredibly important that any unpatched systems are patched as quickly as possible.
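
An added example, not part of the thread or of the quoted write-up: a self-audit a sandbox operator could run to see whether their DNS interception shows the tell described in the quote above (answers for names that cannot exist, all pointing at one IP). The resolver functions, the `hardcoded-check.example` name and the addresses are constructed placeholders; nothing here touches the network unless `system_resolver` is passed in.

```python
import secrets
import socket
from typing import Callable, Optional

Resolver = Callable[[str], Optional[str]]  # returns an IP, or None for "did not resolve"

def system_resolver(name: str) -> Optional[str]:
    """Resolve through the OS resolver; None means the lookup failed."""
    try:
        return socket.gethostbyname(name)
    except OSError:  # socket.gaierror is a subclass
        return None

def random_probe_names(count: int = 5) -> list:
    # .invalid is a reserved TLD (RFC 6761): a real resolver must never answer for it.
    return [f"{secrets.token_hex(8)}.invalid" for _ in range(count)]

def audit_fake_dns(resolve: Resolver, probes: int = 5) -> dict:
    """Report whether the resolver answers for names that cannot exist."""
    answers = {name: resolve(name) for name in random_probe_names(probes)}
    resolved = [ip for ip in answers.values() if ip is not None]
    return {
        "answers": answers,
        # Any answer at all for a nonexistent name marks the environment as intercepted.
        "answers_nonexistent": bool(resolved),
        # The pattern the quote attributes to Necurs: every random name -> same IP.
        "single_ip_for_all": len(resolved) == probes and len(set(resolved)) == 1,
    }

# --- Constructed resolvers standing in for three environments ---
HARDCODED = "hardcoded-check.example"  # placeholder for a single hardcoded domain

def catch_all_resolver(name: str) -> Optional[str]:
    return "10.0.0.1"  # sandbox that answers every lookup with its own address

def honest_resolver(name: str) -> Optional[str]:
    return None  # real network before the domain was registered

def sinkholed_resolver(name: str) -> Optional[str]:
    # Real network after one specific domain has been registered and sinkholed.
    return "192.0.2.10" if name == HARDCODED else None

if __name__ == "__main__":
    for label, r in [("catch-all sandbox", catch_all_resolver),
                     ("real network", honest_resolver),
                     ("real network + sinkhole", sinkholed_resolver)]:
        report = audit_fake_dns(r)
        print(label, report["answers_nonexistent"], report["single_ip_for_all"],
              "hardcoded resolves:", r(HARDCODED) is not None)
```

The third case is the one the quote turns on: the sinkholed network still looks like a real network to the random-name audit, but the single hardcoded name now resolves everywhere.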


Looks like Game Theory needs an update… still lots of papers in this.
I wonder what John von Neumann would have made of this. His theories of deterrence worked quite well during the cold war. Among other factors because the adversaries were professionals whose reactions were by and large computable.
Now, still using machines based on von Neumann’s proposals, we have to deal with actors who are quite unpredictable because conventional rules of cost/risk/gains no longer apply.

1 Like

The Keyser Söze patch


It looks like these ‘unpredictable’ people are still farming out the job to the lowest bidder, who makes a key by mashing on the keyboard (that is not a random key sequence). They will fix it by implementing the fix mentioned in an earlier post. Oh, apparently, they have, and it is back.

But, snark aside, FGD135 is right: in the long term there are smarter people behind these dumb ones, and we should be prepared.

wow, people - this is not the work of a dumb hacker, it’s a test run

low ransom, easy killswitch - omg, it’s a probe

we are so screwed

1 Like

If you control the vertical, you should be mildly clever about it.

Crikey, I’d toss in a traceroute or five, and look at the lagtime inside fakenet.

1 Like

The take is up to $50k as of Monday morning.

Barely buys a decent tombstone.
