NHS cyber-attack: GPs and hospitals hit by ransomware

Let's have a look:

Whois malwaretech.co.uk
Registration Date: 2017-05-13
Expiration Date: 2018-05-13
Updated Date: 2017-05-13

Whois malwaretech.com
Registration Date: 2013-11-14
Expiration Date: 2017-11-14
Updated Date: 2017-03-06

Why did the .co.uk address stop the malware?

I'm curious about the propagation speed of his domain, it seemed very quick.
 
block with firewall

For WannaCry, you should block TCP port 137 and UDP ports 137 and 138.
 
I've seen news articles saying patient records might have been encrypted (not mine, I didn't let them upload it) but are these not in databases on servers, as opposed to local machines? I thought most of the PCs were pretty much acting as thin clients and smartcard access is needed for anything important. How would the malware have gotten to the databases?
I would have thought the main NHS data is held on backend servers (with backups), so worst case all this would do is stop the local PC from working unless it had got itself onto the backend server as well?

If it wasn't on the backend server then it's just client PCs that would need to be re-imaged, and that will take time. Actual thin clients, I'd have thought, would be unlikely to be hit by this themselves unless the backend server has been infected.
 


So has poacher turned gamekeeper do you think? ;)
 
I don't know @IANB but there are a few iffy things.

I'm not a conspiracy theorist but I have some questions. I'm sure there are knowledgeable people on here that could help with some :).


  • He registered a domain name which seemed to propagate in a very short space of time through DNS in order to stop the malware. It was visible in many countries in a matter of hours?
  • Was the executable not encrypted? How could he recover the URL?
  • Was the memory image not encrypted?
  • It is possible that the malware used an encrypted tunnel (I use one for some of my browsing when not at home) but that traffic should have been noticed.
  • Why did the proxy servers not see unsolicited traffic?


I'm not an IT person, I just like to dabble :).
 
He registered a domain name which seemed to propagate in a very short space of time through DNS in order to stop the malware. It was visible in many countries in a matter of hours?
I always thought propagating DNS servers throughout the world with all the ISPs can take days, depending on how long an ISP syncs their DNS servers.

Was the executable not encrypted? How could he recover the URL?
Not likely, as it would need to be executed in a wide variety of OSs. You can recover the URL from the code via reverse engineering.

Was the memory image not encrypted?
Not sure what you mean?

It is possible that the malware used an encrypted tunnel (I use one for some of my browsing when not at home) but that traffic should have been noticed.
The idea behind the encrypted tunnel is that it can't be read by anyone on the outside. The likes of NHS networks may pick up an abnormal amount of traffic and flag this, but I can imagine this was coded to use very little traffic so as not to be immediately obvious until it's too late.

Why did the proxy servers not see unsolicited traffic?
I can imagine this is because they work from a list of known dodgy websites and apply filtering for non-known dodgy websites (similar to antivirus) to determine if a website is potentially dodgy. As mentioned above, if traffic is very little then network administrators may not be alerted to it immediately.

If I have read the news correctly, what I fail to see is why this ransomware was coded in a way that it would stop working once a website had been set up?

If this website was to be set up and used for so-called payments, then why wasn't this done quietly beforehand!

Definitely something amiss here I believe.
 
That's not the killswitch URL that the ransomware was checking for; it was using an unchanging alphanumeric string:
http://blog.talosintelligence.com/2017/05/wannacry.html said:

The security expert who goes by MalwareTech wants to stay anonymous. Whilst MalwareTech owns the .com URL, the .co.uk address was not registered by him. It is being made available to him by the person that bought it, though. A cynical me wondered if it was a journalist trying to find out his real name. But a brief search on Google of the registrant's name, plus a few other keywords, didn't bring anything up.

This is an interesting read from the horse's mouth:
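The thread asks why the proxies did not notice the kill-switch traffic; the place it does surface is the proxy access log, and because the ransomware checked one fixed hostname, any client that requested it is a candidate for having run the malware. The script below is an added example, not code from the thread or from MalwareTech: it triages constructed Squid-style log lines and reports, per client, how many kill-switch requests the proxy allowed and how many it denied. The hostname is a placeholder, since the real one is not shown on this page; a denied request still means that host made the check, and by the thread's own account the malware only stops when the domain is reachable.

```python
import re
from collections import defaultdict

# Placeholder: the real kill-switch hostname is not reproduced on this page.
KILLSWITCH_HOST = "killswitch-domain-placeholder.example"

# Constructed Squid access.log lines (sample data, not from any real incident).
SAMPLE_LOG = """\
1494599081.120    312 10.20.1.15 TCP_MISS/200 512 GET http://killswitch-domain-placeholder.example/ - HIER_DIRECT/203.0.113.7 text/html
1494599081.540     20 10.20.1.15 TCP_DENIED/403 0 GET http://killswitch-domain-placeholder.example/ - HIER_NONE/- text/html
1494599082.001    100 10.20.1.42 TCP_MISS/200 8000 GET http://www.nhs.uk/ - HIER_DIRECT/198.51.100.9 text/html
1494599083.300     18 10.20.2.7 TCP_DENIED/403 0 GET http://killswitch-domain-placeholder.example/ - HIER_NONE/- text/html
"""

# Fields of the native Squid log format: timestamp, elapsed, client, code/status, bytes, method, URL.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<code>\S+)\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def host_of(url):
    """Extract the lowercase hostname from an absolute URL, or '' if it has none."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def find_killswitch_clients(log_text, killswitch_host=KILLSWITCH_HOST):
    """Return {client_ip: {"allowed": n, "denied": n}} for clients that requested the kill-switch host.

    Clients appear in the result whether or not the proxy let the request through: either way the
    host performed the check, which is the indicator a responder cares about.
    """
    hits = defaultdict(lambda: {"allowed": 0, "denied": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or host_of(m.group("url")) != killswitch_host:
            continue
        outcome = "denied" if m.group("code").startswith("TCP_DENIED") else "allowed"
        hits[m.group("client")][outcome] += 1
    return dict(hits)


if __name__ == "__main__":
    for client, counts in sorted(find_killswitch_clients(SAMPLE_LOG).items()):
        print(f"{client}: allowed={counts['allowed']} denied={counts['denied']}")
```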
 