A message demanding funds on a computer infected by the malware known as Petya in June 2017. Photograph: Donat Sorokin/TASS
Ultimately, WannaCry was too successful for its own good, spreading so fast that security researchers were tearing it apart within hours of it appearing in the wild. One of them, a young Briton called Marcus Hutchins, discovered that affected computers tried to access a particular web address after infection. Curiously, the address wasn't registered to anyone, so he bought the domain, and just like that, the malware stopped spreading.
It's still unclear why WannaCry included this kill switch. Some researchers think it was because the authors had watched the progression of Conficker, which attracted undue attention. Others speculate that the version of WannaCry seen in the wild "accidentally" escaped the network it was being tested on.
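The kill switch described above works because the malware checks whether a particular web address is reachable before it continues; once the domain is registered and resolves, that check stops the spread, and the registered domain becomes a sinkhole whose query logs show defenders which hosts are infected. The following is an added, simplified model of both sides of that mechanism, written for this article and not taken from WannaCry or from the researchers it mentions; the domain name, the resolver stand-in and the DNS log lines are all constructed placeholders, and "reachable" is modelled as a DNS name resolving.

```python
"""Simplified model of a DNS-based kill switch and the sinkhole view it gives defenders.

Constructed example: KILL_SWITCH_DOMAIN is a placeholder, not the real WannaCry domain,
and the resolver and log format are assumptions made for this illustration.
"""
import re
from collections import Counter
from typing import Callable, Dict, Optional

KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"  # placeholder, not a real indicator


def make_resolver(registered: Dict[str, str]) -> Callable[[str], Optional[str]]:
    """Stand-in for DNS: returns the address of a registered name, or None (NXDOMAIN)."""
    return lambda name: registered.get(name)


def should_spread(resolve: Callable[[str], Optional[str]]) -> bool:
    """Model of the start-up check: if the kill-switch name resolves, the worm stops.

    The resolver is passed in so the same check can be shown before and after
    the domain is registered.
    """
    return resolve(KILL_SWITCH_DOMAIN) is None


# Constructed resolver log lines in an assumed "timestamp client qname rcode" format.
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:03Z 10.0.4.17 killswitch-placeholder.example NOERROR
2017-05-12T10:01:09Z 10.0.4.22 www.example.org NOERROR
2017-05-12T10:01:11Z 10.0.4.17 killswitch-placeholder.example NOERROR
2017-05-12T10:02:40Z 10.0.7.5 killswitch-placeholder.example NOERROR
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def hosts_querying_kill_switch(log: str) -> Dict[str, int]:
    """Count, per client, queries for the kill-switch name.

    Each client that queried the sinkholed name is a candidate infected host
    worth isolating and triaging; the count is how many times it checked in.
    """
    counts: Counter = Counter()
    for line in log.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        _timestamp, client, qname, _rcode = m.groups()
        if qname.lower().rstrip(".") == KILL_SWITCH_DOMAIN:
            counts[client] += 1
    return dict(counts)


if __name__ == "__main__":
    before = make_resolver({})  # domain unregistered: the check fails, the worm keeps going
    after = make_resolver({KILL_SWITCH_DOMAIN: "192.0.2.10"})  # registered: the check succeeds, it stops
    print("spreads before registration:", should_spread(before))
    print("spreads after registration:", should_spread(after))
    print("hosts seen at the sinkhole:", hosts_querying_kill_switch(SAMPLE_DNS_LOG))
```

Run it directly to see the check flip from spreading to stopped once the name resolves, and to see the two constructed clients that the sinkhole log would flag for follow-up.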
Even with the kill switch active, the outbreak caused enormous damage. A report released in October focusing only on the effects on the NHS concluded that "the WannaCry cyber-attack had potentially serious implications for the NHS and its ability to provide care to patients".
It said that WannaCry "was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice" such as installing the patches that had been released in March.
"There are more sophisticated cyber-threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks."
A month later, one of those attacks arrived, dubbed NotPetya because of an initial, erroneous belief that it was a variant of an earlier piece of ransomware called Petya. The malware was clearly built on the lessons of WannaCry, using the same EternalBlue vulnerability to spread within corporate networks, but without being able to leap from one network to another.
Instead, NotPetya was seeded to victims through a compromised update of a major accounting program widely used in Ukraine. It still took out companies far and wide, from shipping firm Maersk to pharmaceutical company Merck, multinationals whose internal networks were large enough that the infection could travel quite far from Ukraine.
NotPetya had another oddity: it didn't actually seem designed to make money. The "ransomware" was coded in such a way that, even if users did pay up, their data could never be recovered. "I'm willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware," UC Berkeley academic Nicholas Weaver told the infosec blog Krebs on Security.
That realisation meant the focus on Ukraine took on a new light. The country has long been at the vanguard of cyberwarfare, constantly trading digital blows with its neighbour Russia even while the two countries trade actual blows over Crimea. If a nation state were to write malware with the aim of crippling the economy of its target, it might look a lot like NotPetya.
More to come
With EternalBlue slowly being patched, the age of the ransomworm might be over until a new, equally damaging vulnerability is discovered. Instead, it looks like old-school ransomware will start to take back the spotlight, with a twist.
"People have become desensitised to common ransomware, where it merely encrypts your files," says Marcin Kleczynski, the chief executive of information security firm Malwarebytes.
Widespread backing up of data means fewer victims are willing to pay up. So instead of merely locking data away, attackers are threatening the exact opposite: to publish it for all the world to see. Such attacks, known as "doxware", have already been seen in the wild, but currently only at a small scale or carried out manually, as when a Lithuanian plastic surgery clinic saw its files published for ransoms of up to €2,000 (£1,762).
To stay safe in 2018, though, the advice remains much the same as it always has been. Don't click on unknown attachments, always use strong and unique passwords, and maintain an up-to-date backup. Even if ransomware's no longer cool, it's still around, and it looks like it's here to stay.