I will confess that I was unaware registering the domain would stop the malware until after i registered it, so initially it was accidental.
— MalwareTech (@MalwareTechBlog) May 13, 2017
Security companies including Cisco's Talos division confirmed WannaCry had stopped spreading thanks to MalwareTech's work. Talos also confirmed the malware's use of exploits leaked by a crew called the Shadow Brokers, who're widely believed to have dumped hacker tools belonging to the NSA. The company, in a blog post, said WannaCry (also known as WannaCrypt) would attempt to install via a backdoor leaked by the Shadow Brokers called DoublePulsar. If the backdoor wasn't resident on a target Windows PC, it would then attempt to abuse a flaw in the Microsoft operating system's Server Message Block (SMB), a network file sharing protocol. 'This is the cause of the worm-like activity that has been widely observed across the internet.'
The attackers remain unknown. Looking at the attackers' Bitcoin wallets - the addresses of which were hardcoded into the malware - they've made as much as $17,500 and rising in the form of 10.4 Bitcoin from 52 transactions, with payments continuing to trickle in today. But victims have been advised not to pay the $300 ransom requested by the hackers, who've threatened to wipe PCs of those who don't cough up in a given timeframe.
WannaCry will return -- so patch
For those already infected, it's a little too late for MalwareTech's efforts to save them. As with multiple NHS organizations, many will have to rely on whatever contingency plans and backups they have in place.
Windows Wanna Cry Patch
And while MalwareTech confirmed the malware was still out of action Saturday, he warned the attackers will likely alter their code to remove the somewhat bizarre error and restart their ransomware campaign imminently. 'This sample may have been stopped, but I'm 100 per cent sure they will learn from the mistake and try again monday. people need to be prepared,' he added.
'They might start a new campaign today.'
The advice, then, is to patch all Windows PCs with the latest update, as it prevents attacks using the NSA's exploits following a Microsoft update in mid-March. In the meantime, Microsoft and anti-virus companies have added detections for WannaCry, so users should update those systems too.
Wanna Cry Patch Microsoft
The tech giant has also issued an advisory for concerned users, in which it confirmed it's releasing a patch for the out-of-support Windows XP. It's also recommending businesses disable the SMBv1 protocol, while ensuring the SMB protocol cannot be directly accessed from the internet will go some way to preventing this worm from causing havoc again.