
Accidentally Stopping a Global Cyber Attack - pradeepchhetri
https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html
======
dis-sys
Lessons learnt by ransomware developers - rather than using a single pretty
arbitrary test, always rely on a more robust statistical model to detect
whether your code is running inside a sandbox.

Lessons learnt by NSA - never overestimate the skill level of your network
admins.

Lessons learnt by Microsoft - never underestimate the loyalty of your Chinese
Windows XP users, both XP and Win10 have 18% of the Chinese market [1].

Lessons learnt by the Chinese central government - NSA is a partner not a
threat, they build tools which can make the coming annual China-US cyber
security talk smooth.

[1] [http://gs.statcounter.com/os-version-market-share/windows/de...](http://gs.statcounter.com/os-version-market-share/windows/desktop/china)

~~~
jahabrewer
> Lessons learnt by ransomware developers - rather than using a single pretty
> arbitrary test, always rely on a more robust statistical model to detect
> whether your code is running inside a sandbox.

I like to imagine that one of the developers on that team filed a tech debt
item to do exactly this, was never able to get their manager to prioritize it,
and is now pulling out their hair saying, "I told you so!"

~~~
BrainInAJar
> I like to imagine that one of the developers on that team filed a tech debt
> item to do exactly this, was never able to get their manager to prioritize
> it, and is now pulling out their hair saying, "I told you so!"

Malware authors have budgets and schedules too. It's a business, probably more
profitable than 90% of the startups in SV

~~~
794CD01
That's not exactly high praise. A tuft of grass is more profitable than 90% of
the startups in SV.

~~~
secondhandvape
Especially if that tuft of grass is on a piece of real estate in the bay area.

~~~
EGreg
I wonder if Levi's jeans were more profitable than the average goldbug

------
nneonneo
Sadly, the malware author(s) have updated their code and are now spreading a
variant without the "kill-switch" domain check:
[https://motherboard.vice.com/en_us/article/round-two-wannacr...](https://motherboard.vice.com/en_us/article/round-two-wannacry-ransomware-that-struck-the-globe-is-back)

However, MalwareTech's sinkhole intervention has bought enough time for
patches to be pushed out, so at this point it is absolutely imperative that
everyone apply these patches as soon as possible.

~~~
lucio
Kudos to MalwareTech, but they could have delayed this publication by a month
or so.

~~~
tonmoy
The hackers would have easily figured out the kill-switch site is up when
trying to debug in their own environment

------
dperfect
> the employee came back with the news that the registration of the domain had
> triggered the ransomware meaning we’d encrypted everyone’s files...

Even though this fortunately turned out to be false, what if it _had_ been
true? Would the security researcher be held in any way accountable for
activating the ransomware? If I were the author, I might be a bit more careful
in the future before changing factors in the global environment[1] that have
the potential to adversely affect the malware's behavior, but of course I'm
not a security researcher, so I really don't know.

[1] I suppose a domain could probably be made to _appear_ unregistered after
being registered - depending on the actual check performed - but there are
other binary signals (e.g., the existence of a certain address or value in the
bitcoin blockchain) that might not be so easy to reverse.

~~~
ufmace
I would think not. For something bad to happen from registering the domain,
there would have to be some kind of weird booby-trap in the malware. What's
the motivation for a malware author to do that? If they can do something
worse, the incentive is to just do it, rather than wait for a security
researcher to do something first that they may or may not ever do. It's not
impossible, but it's a little ridiculous and wildly unprecedented in the field
of malware analysis.

When there's a global infection spreading wildly and crippling essential
organizations, you want everyone to act fast, not spend weeks making sure
everything is perfect. If you see the malware connecting out to an
unregistered domain, you just register it now. Whoever is first gets it, and
the attacker could realize their mistake at any time. Even without knowing
what this malware does with the connection, odds are 99.9% that the situation
is better with the domain controlled by a security researcher than by a
malware author. Punishing researchers if something done in good faith turned
out badly would incentivize them to overanalyze everything and delay taking
any potential beneficial action until it's too late.

~~~
eterm
Under that same assumption of assuming maximum damage, what was the motivation
for the malware author to put in a killswitch?

~~~
jldugger
Probably to prevent it from fucking their own computer network up. Just change
your local resolver to be authoritative for the domain(s) in question, and
bob's your uncle.

But next they'll likely use more domains, and more expensive ones, so that
random security researchers can't just expense the registration on the
corporate credit card. I know .ng costs 50k, but .np might be pretty comical
to deploy if you're not really worried about a global off switch.

~~~
mseebach
If that's the motivation, just use a non-existent TLD, or, even better, .local

If the motivation is to have a killswitch, you don't want something expensive,
because the attackers would then have to pay for it if they want to activate
it for whatever reason.

------
jedisct1
Ironically, lying DNS resolvers redirecting nonexistent domains to ads were
also helpful in order to mitigate the attack.

~~~
raverbashing
DNS being one of the most fragile aspects of the net, a lot of issues can be
solved by a local DNS resolver that does a lot of caching and blocking

~~~
jedisct1
Sure, and something like dnscrypt-proxy can do that, but in what is being
discussed here, blocking the domain would do the opposite of what you are
trying to achieve.

The ransomware prematurely quits if the domain _resolves_ to an IP, and a
webserver listens to that IP.

~~~
theoh
Remember that time when VeriSign did this (wildcarding) on a global basis for
.com and .net in 2003, briefly causing outrage?

"As of a little while ago (it is around 7:45 PM US Eastern on Mon 15 Sep 2003
as I write this), VeriSign added a wildcard A record to the .COM and .NET TLD
DNS zones. The IP address returned is 64.94.110.11, which reverses to
sitefinder.verisign.com. What that means in plain English is that most mis-
typed domain names that would formerly have resulted in a helpful error
message now results in a VeriSign advertising opportunity. For example, if my
domain name was 'somecompany.com,' and somebody typed 'soemcompany.com' by
mistake, they would get VeriSign's advertising."

[https://m.slashdot.org/story/38665](https://m.slashdot.org/story/38665)

~~~
kuschku
Even today, T-Mobile still does that – any domains that can not be resolved
are redirected to their ads.

~~~
mikeash
Verizon does it too, although they just show search results and don't show
ads. It's possible to opt out, but it hasn't bothered me enough to do that
yet.

~~~
theoh
But VeriSign is not an ISP -- they were the ones running the authoritative
root name servers and doing this to literally everyone.

------
ufmace
What really amazes me about this attack is that the main attack vector seems
to be exploiting a SMB vulnerability. Reasonable enough of a way to spread
within an organization, but it's amazing that so many organizations seem to
have this port and service open to the world for this worm to exploit.

I'm not the most diligent follower of security news, but I'm pretty sure that
SMB network sharing is riddled with security vulnerabilities, latency issues,
etc, and is generally wildly unsuitable for being left wide open to the entire
internet. How could any institution with a competent IT department not have
had this service firewalled off from the net for years?

~~~
dhd415
The attack was usually introduced via a phishing attack and then spread
through SMB vulnerabilities. It generally wasn't that SMB endpoints were open
to the internet.

~~~
ufmace
Certainly possible, but if it was spread with an ordinary phishing attack, I
gotta wonder why all of these organizations got hit so hard in such a short
timeframe. We've had lots and lots of conventionally spread ransomware attacks
go out, but I don't know of any that have had this kind of effect in this
timeframe.

------
johnchristopher
> After about 5 minutes the employee came back with the news that the
> registration of the domain had triggered the ransomware meaning we’d
> encrypted everyone’s files (don’t worry, this was later proven to not be the
> case), but it still caused quite a bit of panic. I contacted Kafeine about
> this and he linked me to the following freshly posted tweet made by
> ProofPoint researcher Darien Huss, who stated the opposite (that our
> registration of the domain had actually stopped the ransomware and prevent
> the spread).

That's quite a high-abstraction-level programming thing to do, using a domain
name registration state as a boolean. Is that a regular thing?

~~~
stefanpie
I believe the malware was designed to do that as part of a way to test and see
if it's in a sandboxed environment if someone was trying to analyze it. If I
understood this correctly, checking the domain was a way to do that (although
I might be completely wrong).

~~~
Laforet
Can somebody explain how this will work? AFAIK it does not even check for
obvious things such as vmware processes running in the background.

~~~
mynameisvlad
It was explained quite clearly in the article. Sandboxed environments will
generally have a catch all that replies to any IP requests with a sinkhole
server. To prevent analysis, it'd do a lookup to a known unregistered domain
and if it got back an IP address (which should not happen except in the
sandbox with an unregistered domain) then it quits because it assumes it's
sandboxed and being analyzed.

~~~
meowface
I still can't understand how the malware authors could be so smart (or, if not
smart, at least competent enough to build ransomware from scratch, make it
wormable with ETERNALBLUE, and launch a massive and effective spam campaign)
and yet so stupid.

They could've achieved the same sandbox detection effect by just registering
the domain and pointing it at 1.1.1.1 or whatever. The non-sandboxed
connections would still fail, and no one else could take the domain.

~~~
BoorishBears
I don't think the creator would be too keen to create anything unnecessary
that could be linked back to them through a paper trail.

~~~
Avalyst
I find it interesting that they didn't randomize a couple of long strings and
try to resolve those instead, like the article mentioned has been done in the
past

------
taspeotis
I think it's great that this was used to stop the malware, but pre-emptively
registering the domain without understanding what it did seems dangerous.

The malware could have just as easily used the registration of that domain as
a flag to start deleting data, no?

~~~
sinaa
This may indeed be exactly what the authors of the next ransomware will do.

Two domains, one defuses the ransomware, the other detonates it.

~~~
cesarb
> Two domains, one defuses the ransomware, the other detonates it.

And one of the domains will be called redwire[randomchars].com, and the other
bluewire[randomchars].com. Which one do you sinkhole, the red wire or the blue
wire?

~~~
snowwrestler
You just test both in a disposable environment, and then you know which one to
sinkhole publicly.

The researcher in this case registered the domain right away because he had
experience that that creates a positive result. Once that sort of thing starts
creating bad results, then researchers will start testing more carefully
before grabbing domains.

------
problems
Honestly, how stupid were the malware authors to use standard DNS for a domain
that could take down their shit when they use Tor for the actual key and
address communication and everything... it's like they half understood what
they were doing.

Well, I guess maybe they didn't want things to get too out of hand and now if
they want they can be back up soon with that fixed.

~~~
jacquesm
> it's like they half understood what they were doing.

And that's exactly what is so wrong about the NSA and others not being good
stewards of their own bloody malware. A lot of these criminals would not be
able to get their act together at this level without being partially funded by
the three letter agencies. Think of it as an advanced form of script kiddies,
they can use the tools and wrap them but they could not come up with those
tools of their own accord.

------
tripzilch
One of the comments (under the article) is very apt: better wording would have
been to say "serendipitous" instead of "accidental".

This guy is sort of a hero, IMO. Given that this is affecting healthcare
systems, he might very well have actually saved a bunch of lives! I hope he
slept well, totally deserved it :)

------
jwilk
"Please turn JavaScript on and reload the page."

Uh, no. Here's an archived copy:

[https://archive.fo/BhLZn](https://archive.fo/BhLZn)

------
jstoja
Does someone know what this domain actually is?

EDIT: After looking explicitly for it I found
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.

~~~
adolph
Is that a Welsh company?

~~~
unit91
...says adolph. The Germans, however, use much shorter terms like
"Rechtsschutzversicherungsgesellschaften". :-)

~~~
lionyo
Rechtsschutzversicherungsgesellschaften (German noun)

- insurance company which provides legal protection

~~~
Scoundreller
My guess was going to be left-handed bricklayers that wear blue hats. Close.

------
noamhacker
> "One thing that is very important to note is our sinkholing only stops this
> sample and there is nothing stopping them removing the domain check and
> trying again, so it’s incredibly important that any unpatched systems are
> patched as quickly as possible."

(A very important point at the bottom of the article)

------
lordnacho
Pretty interesting, if I'm reading it correctly the existence of the domain is
checked, and if it is there, the program is aborted, in order to stop sandbox
analysis.

I was wondering why they didn't just do a simple variant:

1) Instead of relying on DNS, which anyone can create, why not make a user
account on some well known forum site. Like HN or Reddit.

2) Open the site, look for the user's page, and check his message titles by
hashing them against some hash that can be in your code.

3) Detonate if you don't see the code, or the user account doesn't exist.

This would have the useful characteristic that you could start/stop the attack
using just an internet browser, anywhere. And the code word that you are after
would be crypto hashed, so the defenders would have to find your keyword
somehow from the hash. Heck, you could confound everyone by turning the thing
on or off according to location, time of day, and so on.

For extra points make it a blockchain thing. They're already using that for
payment, right?

~~~
space_fountain
My understanding is the idea is more to check if a non registered domain
behaves as if it was registered. Some sandboxing methods apparently lead to
this for some reason.

------
m-j-fox
I'm curious, does anyone know what tool he uses to disassemble the program
into C? It looks neat.

~~~
mschuster91
That's HexRays in IDA. Pretty nice but damn expensive.

------
dorfsmay
The author says they are doing this for a living. Who are they working for?

~~~
icpmacdo
He's a great follow on Twitter, he works for some cyber security company in LA
I think but lives in England. Got offered the job after he created a Mirai bot
tracker IIRC.

~~~
Cyph0n
Agreed. I've been following him for a few years now, very interesting account.

~~~
imsodrunklol
Handle?

~~~
icpmacdo
[https://mobile.twitter.com/MalwareTechBlog](https://mobile.twitter.com/MalwareTechBlog)

------
wand3r
Great write-up. It's funny; a mistake/exploit allowed the malware; a
mistake/bug allowed it to be mitigated... by the researcher's mistaken intent
that registering the domain would simply provide him with sample data.

------
aqsheehy
So will companies start holding bitcoin as insurance on these kinds of
attacks?

~~~
21
Yes:

Several of London’s largest banks are looking to stockpile bitcoins in order
to pay off cyber criminals who threaten to bring down their critical IT
systems.

[https://www.theguardian.com/technology/2016/oct/22/city-bank...](https://www.theguardian.com/technology/2016/oct/22/city-banks-plan-to-hoard-bitcoins-to-help-them-pay-cyber-ransoms)

~~~
viraptor
Keep in mind this article makes... Little sense the way it was written. The
DDoS attack at the time was done in a way that could be replicated by anybody.
Multiple control networks gave jobs to IoT devices without real
authentication. That means anybody known to pay off attackers would
immediately get attacked by another group using the same sources. Maybe
there's some stockpile of Bitcoin "just in case", but it would require a very
special situation - not a common DDoS they talk about.

~~~
21
I was just pointing out that according to the article some London banks ARE
buying bitcoin so that the ransom payment option is on the table in case of an
emergency, and in fact they notified senior police officers about this
activity (to get their blessing? to avoid the bitcoin buying look suspicious
if they stumbled upon it?)

~~~
viraptor
I understand. I'm just pointing out why the article smells like bs and is
technically invalid in many ways. Including the fact that police will not help
you with a DDoS and is largely irrelevant in the discussion (apart from post
mortem / following up after the attack). Also banks are playing with
cryptocurrencies for quite a while now. London banks have ideas of private
blockchains as well. Nobody would think it's suspicious that they buy some.

There may be some truth in there, but this is a popular tech post. I'd look for
more details than the guardian provides.

~~~
mannykannot
> There may be some truth in there, but this is a popular tech post. I'd look
> for more details than the guardian provides.

Can you provide some references for the positions you have stated in this
discussion?

~~~
viraptor
Mirai (not named that yet in the original article) source released -> anyone
can take control. DDoS as a service was sold. Paying off one attacker doesn't
stop others.
[https://www.forbes.com/sites/thomasbrewster/2016/10/23/massi...](https://www.forbes.com/sites/thomasbrewster/2016/10/23/massive-ddos-iot-botnet-for-hire-twitter-dyn-amazon/#34c3ff95c1f0)

Police will not help you with ongoing DDoS - I don't think you need a source
for that one.

Canary Wharf playing with bitcoin / blockchain in 2015:
[https://www.ft.com/content/eb1f8256-7b4b-11e5-a1fe-567b37f80...](https://www.ft.com/content/eb1f8256-7b4b-11e5-a1fe-567b37f80b64)

Ransomware can happen again, getting data back not guaranteed (FBI
recommendation): [https://www.fbi.gov/news/stories/incidents-of-ransomware-on-...](https://www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise)

------
amelius
It seems a bit scary that security researchers are relying on _bugs_ in
malware to get their job done.

~~~
alex_duf
Yet malware creators rely on bugs to spread their work, so why not. Fighting
fire with fire...

~~~
amelius
Right. But the problem is that malware creators can choose from many more
attack vectors than security researchers typically can.

------
a-dub
Imagine how bad it would have been if someone actually competent had chosen to
weaponize one of the NSA exploits? This seems to have script kiddie written
all over it.

------
remx
To mitigate, I am running Debian as the host and jailing Windows 10 in a
Virtual Machine, and have uninstalled SMB1.0 on the machine by going into >
Programs and Features > Add or Remove Windows Components. I have also blocked
port 445 (SMB) with ufw (On Debian)

    # Debian host: block outbound SMB (port 445) with ufw
    sudo ufw deny out to any port 445

As well as this I am not deferring updates in any way and dutifully patching.
I've always hardened Windows in this way and I've never had issues with
malware, and if I did, the impact would be minimal because I've
compartmentalized my files in such a way that even the worst malware would
only encrypt _some_ of my files and not all of them.

I store all my critical files in an offline environment (sandbox) so the only
files that are going to be encrypted are replaceable (non important) and
disposable. For example, I wouldn't cry if my CV got encrypted because a copy
of it exists in about 50 locations either offline and online.

Unfortunately I need Windows because my colleagues like to send Windows-only
.DOCX files which work best in MS Word, and I don't have a Google account, so
I can't open them in Docs. This is a conscious decision to permaban Google
from my life, but Windows _is_ staying.

~~~
julianh95
Why not just use Apache open office?

~~~
remx
Thanks for the tip, and I will try this. As I said, .DOCX files work best in
their native Win Office environment as I've had problems with them in open
source solutions (formatting issues), whitespace injection ruining the layout,
etc

~~~
edwintorok
Installing the crosextra fonts has improved the viewing of some .pptx for me:
[https://wiki.debian.org/SubstitutingCalibriAndCambriaFonts](https://wiki.debian.org/SubstitutingCalibriAndCambriaFonts)

------
corford
Happy outcome but could have so easily gone the other way. Surely it would
have been more responsible to locally fake the registration of the domain
first (apparently as easy as modifying /etc/hosts in this case) given he had
no idea how the payload would respond? o_O

Not sure I'd be singing his praises if his rash decision had triggered the
deletion of the encrypted files.

------
techbubble
Wonder how much longer it would have taken to understand the impact if he had
just modified the hosts file instead of registering the domain?

------
jondubois
It sounds like the mere existence of a specific DNS A record was the kill
switch for the ransomware. That seems like a pretty bad kill switch, surely
the attacker should have required some sort of password to deactivate the
ransomware.

------
rochak
Does this mean that I can safely connect my outdated Windows 7 back to the
internet?

~~~
Retr0spectrum
No! All it takes is a single byte to be patched and the "killswitch" can be
disabled. There are almost certainly other variants already in circulation.

Use an offline security update.

~~~
rochak
Yep, tried doing that. But unfortunately I couldn't get it to install. Keep
getting "This update is not applicable to your computer" even though I'm doing
everything right.

------
jayflux
> In certain sandbox environments traffic is intercepted by replying to all
> URL lookups with an IP address belonging to the sandbox rather than the real
> IP address the URL points to, a side effect of this is if an unregistered
> domain is queried it will respond as if it were registered (which should
> never happen).

Is this something VMs do? Does anyone have more info on this?

------
shimon_e
Now is the time to write a virus that uses the same exploit and automatically
patches the vulnerability before a new version of the ransomware is released.

~~~
viraptor
You may want to read CFAA rules
([https://en.m.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act](https://en.m.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act))
first. Breaking into someone's computer to fix it is still breaking into
someone's computer and very illegal.

~~~
daddyo
Not in all jurisdictions, per
[https://en.wikipedia.org/wiki/Negotiorum_gestio](https://en.wikipedia.org/wiki/Negotiorum_gestio)

> Negotiorum gestio (Latin for "management of business") is a form of
> spontaneous voluntary agency in which an intervenor or intermeddler, the
> gestor, acts on behalf and for the benefit of a principal (dominus negotii),
> but without the latter's prior consent. The gestor is only entitled to
> reimbursement for expenses and not to remuneration, the underlying principle
> being that negotiorum gestio is intended as an act of generosity and
> friendship and not to allow the gestor to profit from his intermeddling.
> This form of intervention is classified as a quasi-contract and found in
> civil-law jurisdictions and in mixed systems (e.g. Scots, South African, and
> Philippine laws).

> For example, while you are traveling abroad, a typhoon hits your home town
> and the roofing of your house is in danger. To avoid the catastrophic
> situation, your neighbour does something urgently necessary. You are the
> 'principal' and your neighbour here is the 'gestor', the act of which saved
> your house is the negotiorum gestio.

~~~
viraptor
I'd be happy to be proven wrong, but I don't think it applies here.
Specifically, nothing in this summary indicates that you can break other laws
to fulfill this one. IANAL, etc.

~~~
daddyo
IANAL either.

The summary gives the example of securing your neighbor's roof when a tornado
is about to hit. Possible laws to break to do this are "breaking and
entering" or "trespassing".

Note that a lot of these laws state that care must be taken not to break laws
unnecessarily. Bricking IOT devices that can be used for DDOS-attacks may be a
step too far.

And strictly, in the case of patching a server under negotiorum gestio, you
have not broken any laws: It is not unlawful computer intrusion when you have
implicit permission of the owner of a device (the same goes for entering your
neighbor's house when they are on vacation, and have accidentally left a pot of
milk to boil on the stove).

But I guess such far-reaching Good Samaritan laws are very foreign to the US,
since there, off-duty doctors are sued for performing a painful Heimlich
maneuver.

------
yjgyhj
Why do operating systems allow users to run any executable?

For programmers it's important to be able to - but when you're not coding,
running any executable is not required.

It should be that all programs are in /usr/bin & the others. Only root can
write there. Users shouldn't be able to run any program that is located
anywhere else.

And this would be no problem. Am I wrong?

~~~
ddalex
Most of the machines out there are single user, and managed by that user, not
by a professional sysadmin. As such, the user has the needed access (root) to
install any programs that they want, and all modern OSes allow only the admins
to install programs.

We already put multiple warning messages when a user decides to execute a
suspicious binary, and yet everyone still clicks through any prompt without a
second thought?

What's your suggestion that a) allows any user to have the machine installed
and configured as he wants, and b) does not allow random programs to
execute?

------
trendoid
> In certain sandbox environments traffic is intercepted by replying to all URL
> lookups with an IP address belonging to the sandbox rather than the real IP
> address the URL points to, a side effect of this is if an unregistered domain
> is queried it will respond as if it were registered (which should never
> happen).

Can someone please explain this? I have no idea what was said there.

~~~
mmalone
In a sandbox environment (e.g., in a lab trying to deconstruct malware)
they'll have a private DNS infrastructure set up to resolve all domains to some
local IP address. That way they can intercept and reverse engineer the command
& control traffic. The author of this malware tried to slow down security
analysts by trying to resolve a "fake" (unregistered) domain. Probably just
pounded on the keyboard and added a .com. The idea is that the domain should
not resolve. If it does, it's an indication that they're in a sandbox / lab
environment so the malware doesn't trigger. Again, this is an attempt to slow
down analysis. Of course this was a stupid tactic because registering the
domain and setting up DNS stopped the malware from triggering globally.
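mmalone's explanation above and the earlier sub-thread about VeriSign, T-Mobile and Verizon redirecting nonexistent names describe the same resolver behaviour: a catch-all that answers lookups for names that should come back NXDOMAIN. As an added example (not code from the article or from anyone in this thread), this Python script probes a resolver with random, effectively unregistrable names and reports whether it is honest, a single-address catch-all (a lab/sandbox sinkhole on a private address, or an ISP/registry redirect on a public one), or something in between; the stand-in resolver functions and every address except VeriSign's 64.94.110.11 from the thread are constructed for the demo.

```python
"""Probe a DNS resolver for catch-all ("lying") behaviour.

Added example for this thread, not code from the article.  A resolver that
answers for names which cannot exist is either an NXDOMAIN redirect (ISP or
registry wildcard) or a sandbox sinkhole; both make a lookup of an unregistered
domain appear to succeed, which is the side effect the article describes.
"""
import ipaddress
import secrets
import socket
import string
from typing import Callable, Dict, List, Optional

# A resolver maps a hostname to an IPv4 string, or None when the name does not exist.
Resolver = Callable[[str], Optional[str]]


def random_probe_names(count: int, label_len: int = 32, tld: str = "com") -> List[str]:
    """Build throwaway hostnames that are effectively guaranteed to be unregistered."""
    alphabet = string.ascii_lowercase + string.digits
    return [
        "".join(secrets.choice(alphabet) for _ in range(label_len)) + "." + tld
        for _ in range(count)
    ]


def system_resolver(name: str) -> Optional[str]:
    """Adapter over the OS resolver (needs network; the offline demo below does not use it)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def classify_resolver(resolve: Resolver, probes: List[str]) -> Dict[str, object]:
    """Query every probe name and decide what kind of resolver answered.

    honest     - every bogus name came back NXDOMAIN (normal public DNS)
    wildcard   - every bogus name resolved to one and the same address
    suspicious - only some probes resolved, or they resolved to differing addresses
    """
    answers = {name: resolve(name) for name in probes}
    resolved = {name: ip for name, ip in answers.items() if ip is not None}
    targets = set(resolved.values())

    if not resolved:
        verdict = "honest"
    elif len(resolved) == len(probes) and len(targets) == 1:
        verdict = "wildcard"
    else:
        verdict = "suspicious"

    target = next(iter(targets)) if len(targets) == 1 else None
    # A private catch-all address points at a lab/sandbox sinkhole; a public one at
    # an ISP or registry ad/search redirect of the kind the thread describes.
    target_is_private = ipaddress.ip_address(target).is_private if target else None
    return {
        "verdict": verdict,
        "probed": len(probes),
        "resolved": resolved,
        "target": target,
        "target_is_private": target_is_private,
    }


# --- constructed stand-in resolvers for the environments discussed in the thread ---

def honest_resolver(name: str) -> Optional[str]:
    """Normal public DNS: none of the random probes exist."""
    return None


def make_catch_all_resolver(sinkhole_ip: str) -> Resolver:
    """Sandbox sinkhole (private IP) or ISP/registry redirect (public IP) answering everything."""
    return lambda name: sinkhole_ip


def make_partial_resolver(hijacked: set) -> Resolver:
    """Resolver that answers only for a chosen subset of names (constructed address)."""
    return lambda name: "198.51.100.7" if name in hijacked else None


def main() -> None:
    probes = random_probe_names(5)
    scenarios = [
        ("honest public DNS", honest_resolver),
        ("sandbox catch-all", make_catch_all_resolver("10.0.0.1")),  # constructed private IP
        ("registry wildcard", make_catch_all_resolver("64.94.110.11")),  # Site Finder, from the thread
    ]
    for label, resolver in scenarios:
        report = classify_resolver(resolver, probes)
        print(f"{label:20s} -> {report['verdict']:10s} "
              f"target={report['target']} private={report['target_is_private']}")


if __name__ == "__main__":
    main()
```

To check your own resolver, pass `system_resolver` to `classify_resolver` with a fresh set of probe names.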

------
emiliobumachar
Off-topic: what is the site doing "checking your browser" for five seconds
before showing the content?

I know that this sort of data can be valuable - what browser I use, which
plugins are there - but I just assumed everyone was doing this in negligible
time frames. What more is there to check in a browser?

~~~
asperous
[https://blog.cloudflare.com/when-the-bad-guys-name-malware-a...](https://blog.cloudflare.com/when-the-bad-guys-name-malware-after-you-you/)

------
jecjec
This is not accidental. Not even close!

This story, if true, details a person who profiled this malware and correctly
logged the network requests it was making and then correctly identified a
fundamental vulnerability in the software. This is not an accident at all - it
is rather a profile in supreme competence. We should recognize it as such.

~~~
jeroenhd
Although the domain name registration was intentional, activating the kill
switch wasn't.

The author registered the domain name without knowing what would happen (the
virus might as well have wiped the entire disk) and was surprised to see that
he had activated a kill switch. That's the accidental part.

------
patrickaljord
Not surprising to see 14 year old unpatched software connected to the internet
being hacked like that. At least, the ones in charge of budgeting these
upgrades should pay a price for failing at doing so, the users are obviously
innocent victims.

------
rixtox
Can someone write a patch worm that spreads and fixes the bug by exploiting the
bug itself?

------
DrNuke
So from a practical point of view how to disentangle infrastructures from this
sort of attack?

~~~
z3t4
Install security updates and do security hardening by whitelisting only what
you need.

------
dejawu
How reasonable is it to say that NSA are at least in part responsible for
deaths resulting from the NHS crisis, since the ransomware is using their
exploit?

~~~
sdfhbdf
Somewhat reasonable.

NSA can be held accountable for not disclosing a vulnerability responsibly but
this exploit may have been found anyway by the creators of this ransomware.
There is no one person/group/institution to blame here. It's multiple vectors
that failed. Are there any reports that connect deaths of patients directly to
this ransomware attack?

------
SimeVidas
Can a Windows laptop that doesn’t have the Windows Update patch get infected
just by being connected to the Internet via a home Wi-Fi network?

~~~
ufmace
That would be fine, as all commercial home routers firewall off access to the
SMB service that is being exploited.

------
Myrmornis
On Monday, are some governments going to have to make a statement on what they
advise owners of infected computers to do?

------
Safety1stClyde
All I see here is "Please turn on Javascript and reload the page".

------
homero
Was the domain ever named?

Found it www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

------
Cole_Jontrane
Well, it didn't really stop it. It slowed it for a little bit, and then it was
modified and spread again.

I also wonder if now ransomware developers will leave red herrings in the code
where if the wrong domain is registered, it will do something more
destructive.

It's like knowing which wire to cut when you're defusing a bomb!

------
CombinatorWhy
Interesting timing for this cyber attack given the recent news. Are Robert
Mercer and Cambridge Analytica also being investigated?

