It was a black Friday for many organizations all over the world: a new ransomware called ‘WannaCry’ started to encrypt files across the globe. At this time it is not possible to recover files encrypted by WannaCry, but you can read the following steps to protect yourself against such attacks.
Didier Stevens (a security researcher) has discovered a kill switch in the executable file of WannaCry ransomware.
The WannaCry executable checks for the domain “www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com”. It doesn’t download anything; it just attempts to connect. If the connection succeeds, the binary exits. It seems that the programmer of the ransomware tried some anti-sandbox techniques, but the attempt backfired.
The domain has been registered to a well-known sinkhole to stop WannaCry’s malicious activity. Because the malware checks this domain (www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com) before it continues executing, a successful connection to it activates the kill switch.
Note: the kill switch only applies to the binary with the hash listed below. The worm will still work on any system that requires a proxy to access the Internet.
SHA256: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
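The connection check and the proxy caveat above can be tested from the defender's side to see which hosts the kill switch would actually cover. This is an added example, not code from the original article or from the malware; the port 80 connection, the function names and the three sample environments are assumptions constructed for illustration.

```python
import socket

KILL_SWITCH = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"  # from the article
PORT = 80  # assumption: the connection attempt is plain HTTP


def kill_switch_verdict(resolve=socket.gethostbyname,
                        connect=socket.create_connection,
                        proxy_required=False, timeout=5):
    """Repeat the direct connection attempt; return (binary_would_exit, reason)."""
    try:
        addr = resolve(KILL_SWITCH)
    except OSError:                          # includes socket.gaierror
        return False, "dns_failed"
    try:
        conn = connect((addr, PORT), timeout)    # raw socket: ignores proxy settings
    except OSError:                          # refused, unreachable or timed out
        return False, ("proxy_only" if proxy_required else "connect_failed")
    conn.close()
    return True, "reachable"


# --- Constructed stand-ins for three network environments (no real traffic) ---
class FakeConn:
    def close(self):
        pass

def fake_resolves(name):
    return "192.0.2.10"                      # documentation address, constructed

def fake_nxdomain(name):
    raise socket.gaierror("name not resolved")

def fake_connects(address, timeout):
    return FakeConn()

def fake_blocked(address, timeout):
    raise TimeoutError("no direct route")

ENVIRONMENTS = {
    "direct_internet": dict(resolve=fake_resolves, connect=fake_connects),
    "proxy_only": dict(resolve=fake_resolves, connect=fake_blocked, proxy_required=True),
    "domain_blocked_in_dns": dict(resolve=fake_nxdomain, connect=fake_connects),
}

def audit(environments=ENVIRONMENTS):
    """Map each environment name to its (binary_would_exit, reason) verdict."""
    return {name: kill_switch_verdict(**env) for name, env in environments.items()}

if __name__ == "__main__":
    for name, (exits, reason) in audit().items():
        print(f"{name:24} kill switch fires: {exits} ({reason})")
```

Called with no arguments, `kill_switch_verdict()` uses real sockets and tests the machine it runs on; a `False` result means that host gets no protection from the sinkholed domain.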
If you think that activating the kill switch is the end of it, you are wrong: once the author of WannaCry realises, the attack will come back.