How a domain registration suspended the infection — but why it is probably not over yet

Interestingly enough, a researcher going by the name MalwareTech managed to suspend the infection by registering a domain with a long and nonsensical name.

It turned out that some versions of WannaCry queried that very domain, and if they did not receive a positive reply, they would install the encryptor and start their dirty work. If there was a reply (that is, if the domain had been registered), the malware would stop all of its activities.

After finding the reference to this domain in the Trojan’s code, the researcher registered it, thus suspending the attack. Over the remainder of the day, the domain was queried tens of thousands of times, which means that tens of thousands of computers were spared.

There is a theory that this functionality was built into WannaCry as a circuit breaker, in case something went wrong. Another theory, favored by the researcher himself, is that it is a way to complicate analysis of the malware’s behavior: testing environments used in research are often designed so that any domain returns a positive response, and in such an environment the Trojan would do nothing.
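The following Python model is an added example, not code from the original post or from the malware itself. It makes the two points above concrete from a defender's side: (1) the same "does the domain answer?" check halts the payload both when the domain has been registered and inside a sandbox that resolves every name, and registering the old domain does nothing for a variant that uses a different name; (2) once the domain is registered or sinkholed, resolver logs of queries to it give a count of the hosts that were spared. The domain name, IP addresses and log lines are all constructed placeholders, and the log format is an assumption for this example.

```python
"""Model of the WannaCry kill-switch check and a DNS-log triage of spared hosts.

Everything here is constructed for illustration: the kill-switch domain is a
placeholder (the real one is not reproduced), the resolver behaviour is a
simplified function, and the log format is an assumed 'ts src query A name'.
"""
from typing import Callable, Dict, Iterable, Optional

# Constructed placeholder standing in for the long, nonsensical domain.
KILL_SWITCH_DOMAIN = "long-nonsensical-name.example"

# A resolver is modelled as: name -> IP address, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def make_internet_resolver(registered: Dict[str, str]) -> Resolver:
    """Real-world DNS in miniature: only registered names get an answer."""
    return lambda name: registered.get(name.lower().rstrip("."))


def sandbox_resolver(name: str) -> Optional[str]:
    """Analysis sandbox that answers every lookup, as the post describes."""
    return "10.0.0.1"  # constructed address handed out for any name


def kill_switch_says_halt(resolver: Resolver, domain: str) -> bool:
    """True when the check gets a positive reply, i.e. the payload would NOT run."""
    return resolver(domain) is not None


def scenarios() -> Dict[str, bool]:
    """Outcome of the check in the situations discussed in the post."""
    before_registration = make_internet_resolver({})
    after_registration = make_internet_resolver({KILL_SWITCH_DOMAIN: "203.0.113.5"})
    return {
        # No answer -> encryptor runs (the outbreak before the domain was registered)
        "unregistered": kill_switch_says_halt(before_registration, KILL_SWITCH_DOMAIN),
        # Positive answer -> payload halts (after the researcher registered it)
        "registered": kill_switch_says_halt(after_registration, KILL_SWITCH_DOMAIN),
        # Sandbox answers everything -> payload halts, which frustrates analysis
        "sandbox": kill_switch_says_halt(sandbox_resolver, KILL_SWITCH_DOMAIN),
        # A variant with a different domain is unaffected by the old registration
        "new_variant": kill_switch_says_halt(after_registration, "other-name.example"),
    }


# Constructed resolver log lines: '<timestamp> <source-ip> query A <name>'.
SAMPLE_LOG = """\
2017-05-12T15:10:01Z 192.0.2.10 query A long-nonsensical-name.example
2017-05-12T15:10:04Z 192.0.2.11 query A update.example.com
2017-05-12T15:10:05Z 192.0.2.10 query A long-nonsensical-name.example.
2017-05-12T15:10:09Z 198.51.100.7 query A LONG-NONSENSICAL-NAME.example
"""


def count_spared_hosts(log_lines: Iterable[str], domain: str = KILL_SWITCH_DOMAIN) -> Dict[str, int]:
    """Count queries for the kill-switch domain and the distinct hosts making them.

    After the domain answers, every host that queried it received a positive
    reply and therefore did not start encrypting; the distinct-host count is the
    'computers spared' figure. Names are compared case-insensitively and a
    trailing dot (fully qualified form) is ignored.
    """
    hosts = set()
    queries = 0
    target = domain.lower().rstrip(".")
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5 or parts[2] != "query":
            continue  # not a query record in the assumed format
        if parts[4].lower().rstrip(".") == target:
            queries += 1
            hosts.add(parts[1])
    return {"hosts": len(hosts), "queries": queries}


if __name__ == "__main__":
    for name, halted in scenarios().items():
        print(f"{name:13s}: {'payload halts' if halted else 'payload runs'}")
    print(count_spared_hosts(SAMPLE_LOG.splitlines()))
```

The sandbox and registered cases are indistinguishable to the check, which is exactly why a sandbox that answers every lookup sees no malicious behaviour; an analysis environment that returns NXDOMAIN for unregistered names would have observed the encryptor instead. The log triage is the same query a defender would run against recursive-resolver or sinkhole logs to enumerate affected hosts for cleanup.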

Regrettably, for new versions of the Trojan, all the criminals have to do is change the domain name indicated as the “circuit breaker” and infections will resume. Therefore, it is very likely that the WannaCry outbreak will continue.

kivuti kamau
