
Researcher Accidentally Thwarts 'WannaCry' Ransomware

A UK-based researcher known as MalwareTech managed to stop the spread of WannaCry, but businesses need to make sure their Windows systems are patched ASAP.

By Chloe Albanesius, Executive Editor, News


Ransomware that ripped through hundreds of thousands of Windows PCs worldwide on Friday was hobbled over the weekend, but could see a resurgence this week if patches are not deployed.

A UK-based researcher known as MalwareTech managed to stop the spread of ransomware, dubbed WannaCry or WannaCrypt, quite by accident. As he explained in a blog post, MalwareTech acquired a sample of the malware on Friday and ran it in a virtual environment.

"I instantly noticed it queried an unregistered domain, which I promptly registered," MalwareTech writes.

This was not uncommon for him. "My job is to look for ways we can track and potentially stop botnets (and other kinds of malware), so I'm always on the lookout to pick up unregistered malware control server (C2) domains. In fact I registered several thousand of such domains in the past year."

This time, however, the move—known as sinkholing—thwarted WannaCry.

WannaCry looks to connect to the domain mentioned in the code. If it can't connect, "it ransoms the system," MalwareTech explains. If it connects to the domain, though, "the malware exits" and the system is not compromised.

"This technique isn't unprecedented and is actually used by the Necurs trojan," according to MalwareTech. "However, because WannaCrypt used a single hardcoded domain, my registartion [sic] of it caused all infections globally to believe they were inside a sandbox and exit.

"Thus we initially unintentionally prevented the spread and further ransoming of computers infected with this malware," he writes.

That's good news for those unfortunate enough to encounter WannaCry, but MalwareTech warns that his sinkhole "only stops this sample and there is nothing stopping them removing the domain check and trying again, so it's incredibly importiant [sic] that any unpatched systems are patched as quickly as possible."
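Because the sinkholed domain makes every running copy of this sample exit, any host that looks the domain up at all has already executed the malware, which is exactly the "compromises that may not yet have been detected" problem the NCSC describes below. The following Python is an added example, not code from the article or from MalwareTech, showing how a defender could scan DNS resolver logs for such lookups. The log line format and the domain name `killswitch-domain.example` are invented placeholders (the article does not name the real domain), and the sample log lines are constructed.

```python
import re

# Placeholder: the real kill-switch domain is not named in the article, so this
# example uses an obviously invented stand-in. Replace with the actual value in use.
KILLSWITCH_DOMAIN = "killswitch-domain.example"

# Constructed sample resolver log. The format is assumed for this example:
# "<timestamp> <client-ip> query <qname> -> <rcode>"
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:02Z 10.0.1.15 query www.example.com -> NOERROR
2017-05-12T10:01:05Z 10.0.1.22 query killswitch-domain.example -> NOERROR
2017-05-12T10:01:09Z 10.0.1.22 query killswitch-domain.example -> NOERROR
2017-05-12T10:02:11Z 10.0.1.40 query KILLSWITCH-DOMAIN.EXAMPLE. -> NXDOMAIN
2017-05-12T10:03:30Z 10.0.1.15 query updates.example.com -> NOERROR
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+) -> (\S+)$")


def normalise(name):
    """Strip a trailing root dot and lowercase so case/format variants compare equal."""
    return name.rstrip(".").lower()


def find_killswitch_queries(log_text, domain=KILLSWITCH_DOMAIN):
    """Return {client_ip: {"first_seen", "count", "rcodes"}} for every client that
    looked up the kill-switch domain. Any query means the sample ran on that host."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts, client, qname, rcode = m.groups()
        if normalise(qname) != normalise(domain):
            continue
        entry = hits.setdefault(client, {"first_seen": ts, "count": 0, "rcodes": set()})
        entry["count"] += 1
        entry["rcodes"].add(rcode)
    return hits


def classify(hits):
    """Split hosts by whether the lookup succeeded. A resolved name (NOERROR) is the
    case the article describes, where the malware exits; a failed lookup (NXDOMAIN,
    or a network that blocks the sinkhole) means the kill switch did not fire and
    the host should be treated as possibly ransomed."""
    exited, at_risk = [], []
    for client, entry in sorted(hits.items()):
        if entry["rcodes"] == {"NOERROR"}:
            exited.append(client)
        else:
            at_risk.append(client)
    return exited, at_risk


if __name__ == "__main__":
    hits = find_killswitch_queries(SAMPLE_DNS_LOG)
    exited, at_risk = classify(hits)
    for client in exited:
        print(f"{client}: ran the sample, kill switch resolved ({hits[client]['count']} lookups)")
    for client in at_risk:
        print(f"{client}: ran the sample, kill switch did NOT resolve; investigate and patch")
```

Run it against real resolver or proxy logs by swapping `SAMPLE_DNS_LOG` for the file contents and adjusting `LINE_RE` to the log format in use. Every host in either list executed the malware and needs the March patch applied; the at-risk list is the one to triage first, since on those hosts the domain check that would have stopped the sample did not succeed.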

Microsoft released a patch for the vulnerability being targeted by WannaCry in March. On Friday, it extended that support to aging versions of Windows that Microsoft no longer supports but many businesses still use.

"Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download," Redmond said in a blog post.

As the Wall Street Journal reports, any lag in organizations installing these updates could result in more infections come Monday morning.

"It is important to understand that the way these attacks work means that compromises of machines and networks that have already occurred may not yet have been detected, and that existing infections from the malware can spread within networks," the UK's National Cyber Security Centre said in a statement. "This means that as a new working week begins it is likely, in the UK and elsewhere, that further cases of ransomware may come to light, possibly at a significant scale."

While WannaCry infected targets in at least 150 countries, the UK was particularly hard hit. The country's health system, the NHS, was crippled, preventing staff from looking up patient records, dispensing medicine, and even performing surgeries.

"The NHS is working hard to ensure that as few patients as possible are affected," the agency said in a Sunday statement that outlined how patients should proceed.
