Thousands of institutions around the world were subject to a series of "WannaCry" ransom attacks over the weekend (starting Friday, May 12), causing data to be encrypted with a claim for payment. The virus was a malicious program that affects smartphones and computers, encrypts and locks their data so that it cannot be accessed until payment is made.
The virus swept across Europe and Asia, locking up critical systems like the UK's National Health Service (NHS), Spain's Telefónica telecommunications company, and other business and institutions around the world. Russia was hit particularly hard by the virus. Victim's computers, once infected, displayed a message demanding the equivalent of around $300 in bitcoin, according to reports.
Telefónica faced an 85 percent computer shutdown after the hackers infiltrated its systems demanding $550,000 in bitcoin. The hack resulted in most staff reportedly abandoning their positions as nine out of ten company machines were infected. The hackers demanded a payment of $300 per machine, roughly equal to 300 bitcoins currently worth around 510,000 euros.
Russia's Interior Ministry announced that its computers had been infected with the malware on Friday. Some 1,000 Windows-operated computers were affected, which is less than one percent of the total number of such computers in the ministry, said spokesperson Irina Volk in a statement. The servers of the ministry haven't been affected, the spokesperson added, saying it's operated by different systems for Russia-developed data processing machines.
Russian telecoms giant Megafon was also affected by the virus. The company's spokesperson Pytor Lidov said Megafon's internal network had been affected, adding that in terms of the company's customer services, the work of the support team had been temporarily hindered, "as operators use computers" to provide their services. Lidov said the company took immediate appropriate measures, and said the virus didn't affect subscribers' devices or Megafon signal capabilities.
The attack was eventually thwarted by a malware analysis expert who calls himself MalwareTech who stumbled across a way to stop it by locking computers and slowing its spread. One of the first things that slowed the virus was a rare emergency patch released by Microsoft to help protect Windows XP devices from the virus' reach (even though the company hasn't officially supported XP since 2014).
The other strike of hope came from MalwareTech, who was working to reverse-engineer samples of the WannaCry virus on Friday, when he discovered that the ransonware's programmers had built it to check whether a certain gibberish URL led to a live web page, WIRED reported. MalwareTech wondered why the ransomware would look for that domain, so he registered it himself. Luckily that $10.69 investment was enough to shut down the entire operation.
As long as the domain was unregistered and inactive, the query had no effect on the ransomware's spread, the report explains. But once the ransomware checked the URL and found it active, it stopped. Analysts such as Darian Huss, senior security research engineer at the security intelligence firm Proofpoint, believe that the functionality was put in place as an intentional kill-switch, in case the hackers wanted to halt their virus spread.
Based on the behavior implemented in the code, the kill-switch was most likely intentional," he said. MalwareTech believes that the hackers might have included the feature to shield the ransomware from analysis by security professionals.