WannaCry’s Accidental Hero

Quick update on the massive #WannaCry cyber attack. Before I begin, this is going to SOUND like good news, and it is, but please realize that the propagation of this malware can be restarted VERY easily, so please follow the instructions we laid out here to patch.

Apparently there was a kill switch built into the malware. It attempts an HTTP GET on iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. If the request succeeds, it stops propagating, as noted by Talos Intelligence:

Earlier today, @MalwareTechBlog observed the traffic to the fake domain, registered it, and sinkholed it, thus stopping the bleeding in a major way. Funny enough, he didn’t realize the domain check kill switch existed. It was sort of dumb luck:

There you have it. @MalwareTechBlog: #WannaCry’s accidental hero.

UPDATE: As Didier Stevens points out, the kill switch is NOT proxy aware, so it won't work for companies that have a proxy.
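
A triage sketch for the kill-switch behaviour and the proxy caveat described above, added here as an example and not code from the original post: it scans DNS and HTTP events for the kill-switch domain and separates hosts whose direct GET succeeded from hosts that looked the domain up but never reached it. The key=value log format, the field names and the sample events are constructed, and "succeeds" is assumed to mean a 2xx response on a direct (non-proxied) connection.

```python
import re

# Kill-switch domain exactly as the post gives it (defanged); refanged only for matching.
KILL_SWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com".replace("[.]", ".")

# Constructed sample events in a hypothetical key=value format (not real telemetry).
SAMPLE_LOG = """\
ts=1 type=dns src=10.0.4.17 query={d} rcode=NOERROR
ts=2 type=http src=10.0.4.17 host={d} via=direct status=200
ts=3 type=dns src=10.0.9.80 query={d} rcode=NOERROR
ts=4 type=http src=10.0.9.80 host={d} via=direct status=blocked
ts=5 type=dns src=10.0.7.33 query={D}. rcode=NXDOMAIN
ts=6 type=dns src=10.0.2.5 query=example.com rcode=NOERROR
ts=7 type=http src=10.0.2.5 host=example.com via=proxy status=200
""".format(d=KILL_SWITCH, D=KILL_SWITCH.upper())

def parse(line):
    """Split one key=value event line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def normalise(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.lower().rstrip(".")

def triage(log_text):
    """Map each source host that touched the kill-switch domain to a verdict.

    kill_switch_reached:     a direct HTTP GET returned 2xx, so per the post
                             the sample on that host stops propagating.
    kill_switch_not_reached: lookup or request seen, but no successful direct
                             GET (NXDOMAIN, egress block, proxy-only network).
    """
    seen, reached = set(), set()
    for line in log_text.splitlines():
        ev = parse(line)
        if normalise(ev.get("query") or ev.get("host") or "") != KILL_SWITCH:
            continue
        seen.add(ev["src"])
        direct_ok = ev.get("via") == "direct" and ev.get("status", "").startswith("2")
        if ev.get("type") == "http" and direct_ok:
            reached.add(ev["src"])
    return {h: "kill_switch_reached" if h in reached else "kill_switch_not_reached"
            for h in sorted(seen)}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_LOG).items():
        print(host, verdict)
```

Hosts in the `kill_switch_not_reached` group are the ones to isolate first, since per the post the malware only stops propagating when the request succeeds.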
