HACKERS ARE TRYING TO REIGNITE WANNACRY WITH NONSTOP BOTNET ATTACKS
February 20, 2018
Seid Yassin (557 articles)
Share

HACKERS ARE TRYING TO REIGNITE WANNACRY WITH NONSTOP BOTNET ATTACKS

OVER THE PAST year, two digital disasters have rocked the internet. The botnet known as Mirai knocked a swath of major sites off the web last September, including Spotify, Reddit, and The New York Times. And over the past week, the WannaCry ransomware outbreak crippled systems ranging from health care to transportation in 150 countries before an unlikely “kill-switch” in its code shut it down.

Now a few devious hackers appear to be trying to combine those two internet plagues: They’re using their own copycats of the Mirai botnet to attack WannaCry’s kill-switch. So far, researchers have managed to fight off the attacks. But in the unlikely event that the hackers succeed, the ransomware could once again start spreading unabated.

Under Siege
Since the WannaCry ransomware worm began to fan out through the internet Friday, security researchers noticed a curious feature. When it infects a computer, it first reaches out to a certain random-looking web address, apparently as part of a check that it’s not running in a “sandbox” environment, which security researchers use to test malware samples safely. If WannaCry connects to a valid server at that specified domain, the ransomware assumes it’s under scrutiny, and goes dormant.

Marcus Hutchins, a 22-year-old cybersecurity analyst for the security firm Kryptos Logic, spotted that trait last week, and immediately registered the web domain in WannaCry’s code. In doing so, he effectively neutered the malware, cutting short what would have otherwise been a far worse epidemic, and instantly becoming a minor celebrity in cybersecurity circles.

Since then, hackers have directed armies of zombie devices—webcams, modems, and other gadgets caught up in the expansive Mirai botnet—to funnel junk traffic to the kill-switch web address, also called a “sinkhole,” a site security researchers direct malware to in order to contain it. The presumed intention? Knock the domain offline, trigger some of WannaCry’s dormant infections to reactivate, and end the epidemic’s nearly week-long lull.

Source | wired

Related articles

Tokopedia Breach: 91 Million Records for Sale on Dark Web

Tokopedia Breach: 91 Million Records for Sale on Dark Web

RANSOMWARE ATTACK CRIPPLES SEVERAL ATLANTA CITY SYSTEMS

RANSOMWARE ATTACK CRIPPLES SEVERAL ATLANTA CITY SYSTEMS

TA505 APT Hackers Drop ServHelper and FlawedAmmyy through ISO files to Gain Remote Access

TA505 APT Hackers Drop ServHelper and FlawedAmmyy through ISO files to Gain Remote Access