Drudge Retort: The Other Side of the News
Monday, May 15, 2017

Rick Noack, Washington Post: As the world began Friday to understand the dimensions of Wanna Decryptor 2.0, the ransomware that has crippled computers worldwide, a vacationing British cybersecurity researcher was already several steps ahead. About 3 p.m. Eastern time, the specialist with U.S. cybersecurity enterprise Kryptos Logic bought an unusually long and nonsensical domain name ending with "gwea.com." The 22-year-old says he paid $10.69, but his purchase might have saved companies and governmental institutions around the world billions of dollars. By purchasing the domain name and registering a website, the cybersecurity researcher claims that he activated a kill switch. It immediately slowed the spread of the malware and could ultimately stop its current version, cybersecurity experts said Saturday.


Comments

Admin's note: Participants in this discussion must follow the site's moderation policy. Profanity will be filtered. Abusive conduct is not allowed.

They owe him bigly.

#1 | Posted by 726 at 2017-05-15 12:43 PM | Reply

Good bang for the buck. I had something similar happen to me back in 2015. I got really tipsy and I struck up a conversation with a 300+ lb middle-aged woman at Paradise Bar in Catonsville. I was all set to let her take me home when, as we left, I spotted a coin-operated vending machine with tropical Skittles in it. I quickly shoved in 2 quarters, turned the crank, took three handfuls of Skittles and shoved them all into my mouth. As we were walking across the street to her pickup truck I suddenly became quite nauseous, and ended up falling into a raised garden bed and puked up a rainbow. After finishing, I got up, brushed myself off, and told her I'd better take it easy and call it a night. So she left by herself and I went back over to the bar, puked another rainbow all over a tree right outside, came to my senses, pulled out my phone, and called a cab. I think I slept for about 15 hours after that one.

Who knows what sort of disaster I averted with that 50 cent purchase? I could have been smothered or worse.

#2 | Posted by pumpkinhead at 2017-05-15 12:44 PM | Reply | Newsworthy 1

Reading the story, it sounds like he did what he did not knowing how registering the domain would affect the program and whether the outcome would be good or bad.

#3 | Posted by Sully at 2017-05-15 01:13 PM | Reply

Not just they. This was a pretty massive infection. I have to believe that the developers did not anticipate the effectiveness of this encryptor. The last I heard they had only a handful of wallets for bitcoins and all were being watched. Only something like $48k deposited. Reports this morning were that thousands of companies in China alone were impacted. China and Russia were the most impacted due to their reliance on outdated (Windows XP) and pirated software.

#4 | Posted by GalaxiePete at 2017-05-15 01:22 PM | Reply

#3 | Posted by Sully

Exactly. He didn't know - he just registered it. For all he knew it could have been a "destroy switch" which triggered the malware to blow out all the data encrypted. He was lucky.

#5 | Posted by GalaxiePete at 2017-05-15 01:23 PM | Reply

He was lucky.

#5 | POSTED BY GALAXIEPETE

Actually it sounds like BS to me.

If you can't dazzle them with your brilliance then baffle them with your BS.

#6 | Posted by donnerboy at 2017-05-15 02:22 PM | Reply

Why didn't the people that created "wannacry" have knowledge of the killswitch, and buy the domain, just don't "advertise" the domain address or "website". IOW The creators didn't need to populate DNS tables until they wanted to kill it. Even then I would have imagined the "GET" would be to retrieve something like a SSH/PGP private key to decrypt some "string" in the virus that killed it.

If the code was left from the NSA as I have seen and read, why didn't the NSA kill it with TheSwitch. They might not know the name, but understood the mechanism to kill it and just look at the requests via wireshark or something simple as that.

Too bad Microsoft can't sue the NSA, they look really bad here.

#7 | Posted by AndreaMackris at 2017-05-15 02:44 PM | Reply

"Too bad Microsoft can't sue the NSA"

Mackris is eager the taxpayer gets to pay for Trump's NSA incompetence.

Next up, whining about the "Obama" deficit.

#8 | Posted by ChiefTutMoses at 2017-05-15 03:00 PM | Reply | Newsworthy 1

Exactly. He didn't know - he just registered it. For all he knew it could have been a "destroy switch" which triggered the malware to blow out all the data encrypted. He was lucky.

#5 | POSTED BY GALAXIEPETE

That is not accurate. He did not know that registering the address would kill it but he did know that multiple researchers had already confirmed that if you setup that domain in sandboxed environment then the malware failed to execute after connecting to it. What he didn't know was whether that would work on an open network. It was more of an educated guess on his part than it was luck.

#9 | Posted by johnny_hotsauce at 2017-05-15 03:31 PM | Reply

FYI...WannaCry 2.0 and other variants are now "in the wild". If you have not already patched your Windows systems, do so immediately.

Patches for Windows XP and newer are available by running Windows Updates or can be dl'ed and manually installed from MS from here:
www.catalog.update.microsoft.com

And if you have been a victim of this malware, do not pay to have your files restored. Many people have reported paying and have not received the codes needed to decrypt their files.

You can also disable the vulnerable protocol via one of the various methods detailed here:
www.saotn.org

#10 | Posted by johnny_hotsauce at 2017-05-15 03:49 PM | Reply


#7 | Posted by AndreaMackris

Someone had knowledge of the kill switch - the creator. That person may or may not be the person/people that deployed it. It could have been the creator's method of ensuring payment if they are not one and the same as the deployers. Think about it, this is organized crime today. It isn't a kid in the basement screwing around.

I don't believe you can register a domain without DNS resolution. When you buy a domain it becomes registered and it then resolves to an IP somewhere even if it is simply parked. It's just how the system works. I don't actually know a way to register and not have an IP associated. I just looked at my parked list; they all have DNS entries from my Registrar.

#11 | Posted by GalaxiePete at 2017-05-15 04:50 PM | Reply

#9 | Posted by johnny_hotsauce

While your observation is true it was an educated guess - it was still a guess because he did not know. The actual researchers didn't take the route of registering the domain to stop it. Why not? I can't answer for sure but I will lean toward they were not sure of the actual effect because I am pretty sure they would want to be the hero on this one.

#12 | Posted by GalaxiePete at 2017-05-15 04:57 PM | Reply

If you got this virus you are obviously not living your life right and so thereby deserve it.

--Conservoids

#13 | Posted by donnerboy at 2017-05-15 06:49 PM | Reply | Funny: 1

Too bad Microsoft can't sue the NSA, they look really bad here.
#7 | POSTED BY ANDREAMACKRIS AT 2017-05-15 02:44 PM | REPLY

It seems that every single year there is some unforeseen vulnerability in Windows. Could it be that Microsquash is putting out crap? Nah.

#14 | Posted by 726 at 2017-05-15 08:07 PM | Reply

It was more of an educated guess on his part than it was luck.

#9 | POSTED BY JOHNNY_HOTSAUCE AT 2017-05-15 03:31 PM | FLAG:

People are eager to ---- all over his accomplishment. Are we really so pissed at our own lives that we have to piss all over a guy doing something good? An educated guess sounds about right. Most great discoveries are nothing more.

#15 | Posted by 726 at 2017-05-15 08:11 PM | Reply | Newsworthy 1

While your observation is true it was an educated guess - it was still a guess because he did not know. The actual researchers didn't take the route of registering the domain to stop it. Why not? I can't answer for sure but I will lean toward they were not sure of the actual effect because I am pretty sure they would want to be the hero on this one.

#12 | POSTED BY GALAXIEPETE

Yeah, that's what educated guess means. They had a pretty good idea what the result would be. He didn't just register the domain name. He also took the step of setting up a DNS sinkhole because in sandbox testing they discovered that the malware stopped executing if it detected it was in a sandbox. This is a method that malware writers use to make it more difficult for researchers to study behavior of the code. The part that he did not know was would this prove effective in the real world where it would still be able to connect to other URLs listed in the code.

There is no evidence that any of them wanted to be the hero. The person in question used an alias in registering the domain. The only reason his identity is known is because British tabloids doxed him.

#16 | Posted by johnny_hotsauce at 2017-05-16 11:12 AM | Reply
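The sinkhole described in #16 has a defensive side-effect worth using: every host that looks up the kill-switch domain is a host on which the malware already ran its check, so the resolver log doubles as an infection inventory. The following is an added example (not from the article, the thread, or Kryptos Logic) that pulls those hosts out of a constructed, simplified BIND-style query log; the domain name is a placeholder, since the page gives only the "gwea.com" suffix.

```python
import re
from collections import OrderedDict

# Placeholder: the real kill-switch name is a long random label ending in
# "gwea.com" (the page gives only the suffix). Substitute the actual domain.
KILL_SWITCH_DOMAIN = "PLACEHOLDER-killswitch.gwea.com"

# Constructed sample log in a simplified BIND query-log layout; not real traffic.
SAMPLE_LOG = """\
15-May-2017 14:01:02.113 client 10.0.0.5#53211: query: PLACEHOLDER-killswitch.gwea.com IN A + (10.0.0.1)
15-May-2017 14:01:03.420 client 10.0.0.9#41002: query: www.example.com IN A + (10.0.0.1)
15-May-2017 14:01:05.007 client 10.0.0.5#53212: query: PLACEHOLDER-killswitch.gwea.com. IN A + (10.0.0.1)
15-May-2017 14:02:11.550 client 10.0.1.20#60444: query: placeholder-killswitch.GWEA.com IN A + (10.0.0.1)
"""

# One line = timestamp, client ip#port, queried name, class, type.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)


def _normalize(name):
    """Lower-case and drop the trailing dot so FQDN spellings compare equal."""
    return name.lower().rstrip(".")


def parse_queries(log_text):
    """Return a list of (timestamp, client_ip, qname, qtype) for parseable lines."""
    rows = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            rows.append((m["ts"], m["client"], _normalize(m["qname"]), m["qtype"]))
    return rows


def infected_hosts(log_text, domain=KILL_SWITCH_DOMAIN):
    """Map each client that queried the kill-switch domain to (first_seen, count).

    Such a client ran the malware's pre-encryption check, so it should be
    isolated and patched even though the sinkhole stopped the payload.
    """
    target = _normalize(domain)
    hosts = OrderedDict()
    for ts, client, qname, _qtype in parse_queries(log_text):
        if qname == target:
            first_seen, count = hosts.get(client, (ts, 0))
            hosts[client] = (first_seen, count + 1)
    return dict(hosts)


if __name__ == "__main__":
    for ip, (seen, n) in infected_hosts(SAMPLE_LOG).items():
        print(f"{ip}: first lookup {seen}, {n} lookup(s)")
```

Feed it the resolver's real query log and the real domain; hosts listed are candidates for isolation regardless of whether encryption ever started.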

Why didn't the people that created "wannacry" have knowledge of the killswitch, and buy the domain, just don't "advertise" the domain address or "website". IOW The creators didn't need to populate DNS tables until they wanted to kill it. Even then I would have imagined the "GET" would be to retrieve something like a SSH/PGP private key to decrypt some "string" in the virus that killed it.
If the code was left from the NSA as I have seen and read, why didn't the NSA kill it with TheSwitch. They might not know the name, but understood the mechanism to kill it and just look at the requests via wireshark or something simple as that.
Too bad Microsoft can't sue the NSA, they look really bad here.
#7 | POSTED BY ANDREAMACKRIS

I suspect that the creators used the non-existent URL in their code for their test environment and then forgot to remove it before launching the attack or just didn't care because it was non-existent and it didn't occur to them that someone would discover this method.

#17 | Posted by johnny_hotsauce at 2017-05-16 11:30 AM | Reply
