Cyber attack: Hackers in China try to seize control of WannaCry ransomware's 'kill switch'

The attempt fails but could have allowed the kill switch to be disabled, expert says

Ian Johnston
Sunday 14 May 2017 17:22 BST
Comments
The instruction file that Nurse Helen Barrow, of Littleborough, Lancashire, found on her desktop after becoming the first known UK victim
The instruction file that Nurse Helen Barrow, of Littleborough, Lancashire, found on her desktop after becoming the first known UK victim (PA)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Hackers in China tried to seize control of the ‘kill switch’ used to prevent many of the WannaCry ransomware attacks that have been causing chaos across the world.

A 22-year-old British cyber security analyst discovered a website domain name in the code of a ‘worm’ used to infect computers with ransomware, which took over PCs and demanded money to return control.

When he registered the domain name, it activated a ‘kill switch’ in the coding. Every time the malware first infected a computer, it would try to find the website. If it could not, it would carry out the attack but if it did, it would shut down.

This is believed to have prevented thousands of attacks, but experts have warned the code could easily be rewritten by those responsible.

There are fears of a new wave of problems when people return to work if they have not installed a new security patch issued by Microsoft.

The security analyst, who has asked to remain anonymous but uses the name MalwareTech on social media, said he had been notified of an apparent attempt by someone else to take control of the website.

“Looks like someone in China attempted to steal the domain,” he wrote on Twitter.

Costin Raiu, director of global research and analysis at cyber security company Kaspersky Lab, told The Independent that hackers would sometimes try to take control of a website by pretending to be the owner and getting it transferred to a different register.

In this case, he said: “In theory, they could do two things. One is just count how many victims there are around the world.

“The other thing is they could just disable the kill switch that MalwareTech enabled … but the transfer attempt failed.”

He said it was “unlikely" that the hackers themselves would have done this as it would be simpler just to change the program slightly.

“They can very easily create another variant of this worm which doesn’t have this kill switch or checks for a different domain and they will achieve the same effect [as seizing control of the original domain],” Mr Raiu said.

Instead he suggested hackers unnconnected to the ransomware attacks may have been trying to pull off a feat that would give them a degree of "fame".

He suggested the best way to catch the people responsible for the WannaCry attacks would be to trace the ransom payments, which were to be made in Bitcoins.

“What you can follow is the money,” Mr Raiu said. “You can follow the Bitcoins [although] following the Bitcoins is kind of an art in itself.”

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in