Anonymous hackers from China attempted to take control of a kill switch that was created to prevent the WannaCry ransomware attacks. The attacks, which have been wreaking havoc on Windows systems across the world, lock users' data until they pay a specified sum of money.
A security researcher going by the handle malwaretechblog on Twitter registered a domain used by the malware on 13 May. This allowed a kill switch to take effect, stopping the spread of the attacks. Two days after thwarting the attacks, he says some hackers from China are trying to get hold of the kill switch.
"Looks like someone in China attempted to steal the domain," he wrote on Twitter.
It is not known why the hackers wanted to control the domain. It could be to exploit the domain and launch further attacks, but nothing is known as of now.
"In theory, they could do two things. One is just count how many victims there are around the world or just easily create another variant of this worm which doesn't have this kill switch or checks for a different domain and they will achieve the same effect," Costin Raiu, director of global research and analysis at cyber security company Kaspersky Lab, told the Independent.
Raiu said the hackers are not necessarily connected with the ransomware attacks. They may simply have been trying to get 'fame' by doing this, according to him.
The WannaCry ransomware hit vulnerable Windows systems across the world with security experts estimating the affected systems could range between 100,000 and 200,000. The kill switch is said to have prevented the attacks from spreading, saving millions of computers from being affected.
Cyber experts including the researcher who activated the kill switch have, however, warned that more such attacks could take place with different versions of the ransomware. Some researchers have already uncovered two new variants of the ransomware, which hint at the possibility of further attacks.
"New variants today are now spreading with a modified kill-switch domain," Chris Doman, security researcher at AlienVault, told IBTimes UK. "Someone, likely different to the original attackers, made a very small change to the malware so it connects to a slightly different domain. That allowed it to continue propagating again."
There is no decryption tool for systems already affected, but users who have not been hit by the ransomware can take preventive measures. Microsoft has published an advisory on how to stay safe from WannaCry attacks.