Who would register iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com for $9 ? (WannaCry)

kommradHomer
Aug 19, 2019


I’ve just happened to watch Mikko Hypponen talking about the ransomware called WannaCry shortly after the outbreak. I wanted to list the interesting facts.

  • Ransomware has been rising in popularity (over the last 6 years), thanks to bitcoin making it easy and convenient for the attackers to get paid.
  • The UK (NHS) made the headlines about the infection, but surprisingly Russia and Ukraine were the most infected countries, followed by China, India and even Taiwan (Russia led by a great margin). Why is that interesting? Because most Russian-made malware tries to avoid infecting Russian systems, e.g. by checking the country code or the keyboard layout and simply quitting on Cyrillic. This suggests WannaCry wasn’t made in Russia, unlike the majority of what’s dealt with nowadays.
  • One reason behind the success: a horde of UNPATCHED Windows XP machines, not even receiving security updates. WannaCry exploits a vulnerability in the SMB file sharing protocol (Microsoft did patch it on the other OSs in March, 2 months before the outbreak).
  • Another reason behind the success: the exploit utilized by WannaCry is weapons-grade. Developed by the NSA, it works reliably on all versions of Microsoft Windows. It’s one of the many attack tools that were stolen and dumped on the internet by the group called the Shadow Brokers.

How / Why did it stop ?

This ransomware tried to avoid detection by testing its environment. If it concluded that it was being run in some test or sandbox environment, it would exit without doing anything suspicious.

How did it decide that ?

By trying to connect to iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

If the system DNS resolves this domain to an IP, any IP, WannaCry concludes that it is running in some fishy setup and being fed fake resolutions, and quits without doing any harm.

When an interested blogger (MalwareTech, @MalwareTechBlog) checking the ransomware code noticed this domain, he wanted to see what was going on and went ahead and registered iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com for 9 bucks. And voilà, the whole spreading stopped! Because from then on WannaCry mistook every computer for a sandbox!

extra trivia

  • Early examples of WannaCry share some segments of code with
    a) the attack on SWIFT (international money transfers between banks) in late 2015, which tried to steal 1 billion USD and still managed to steal 100m USD, and
    b) the attack on SONY Pictures when they were about to publish the movie The Interview, which, roughly speaking, “makes fun of” North Korea’s leader.
    So… North Korea? Plausible.
  • For more than a decade, North Korea has been known to print USD banknotes in its official presses, calling them “Super Dollars” (WTF)
  • WannaCry didn’t seem to monetize well. As of 16th May 5.30pm, out of 200k infected machines, only 261 victims had paid, a total of 40.5 BTC.
  • 12 weeks after the outbreak, the attackers emptied the 3 wallets, cashing out 140,000 USD, totalling around 50 BTC. They would have had 1,000,000 if only they had waited till December.
  • Turns out the kill switch does not work if the system is behind a proxy, explained in detail here.
  • Microsoft’s explanation of the vulnerability, here, mentions 2 more kill-switch domains:
    * ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
    * iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.test
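Since a host only looks up a kill-switch domain after the sample has already started its environment check, the DNS query itself is a reliable sign of an infected machine. The scanner below is an added example, not code from the post or from MalwareTech: it walks DNS resolver log lines in a constructed key=value format (the format and the sample lines are assumptions) and reports every client that queried any of the three domains named above.

```python
import re
from collections import defaultdict

# The three kill-switch domains named in the post.
KILL_SWITCH_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.test",
}

# Constructed sample log (not real telemetry): one DNS query per line.
SAMPLE_DNS_LOG = """\
2017-05-12T14:03:21Z client=10.0.0.15 qtype=A name=www.example.com.
2017-05-12T14:03:22Z client=10.0.0.15 qtype=A name=IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.
2017-05-12T14:03:40Z client=10.0.0.27 qtype=A name=updates.example.org
2017-05-12T14:04:02Z client=10.0.0.27 qtype=A name=ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T14:04:05Z client=10.0.0.15 qtype=A name=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
"""

# Assumed log layout: timestamp, querying client, query type, queried name.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qtype=(?P<qtype>\S+) name=(?P<name>\S+)$"
)


def normalize(name):
    """Strip the trailing dot of a fully qualified name and lower-case it,
    so that mixed-case or FQDN-style log entries still match."""
    return name.rstrip(".").lower()


def find_kill_switch_queries(log_text):
    """Return {client_ip: [(timestamp, domain), ...]} for every client that
    looked up a kill-switch domain. A hit means WannaCry ran on that host and
    reached its sandbox check; the log does not tell whether the lookup
    resolved, so every hit is a host to isolate and clean regardless."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected layout
        domain = normalize(m.group("name"))
        if domain in KILL_SWITCH_DOMAINS:
            hits[m.group("client")].append((m.group("ts"), domain))
    return dict(hits)


if __name__ == "__main__":
    for host, events in find_kill_switch_queries(SAMPLE_DNS_LOG).items():
        print(host, "made", len(events), "kill-switch lookup(s), first at", events[0][0])
```

Because an unresolvable kill-switch domain is exactly what lets the sample proceed, these domains should be left resolvable (sinkholed) and alerted on, never blocked at the resolver or firewall.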
