'Accidental hero' finds kill switch to stop spread of ransomware cyber-attack

Authored by theguardian.com and submitted by jamiejay64

Spread of malware curtailed by expert who simply registered a domain name for a few dollars, giving many across world time to protect against attack

An “accidental hero” has halted the global spread of the WannaCry ransomware, reportedly by spending a few dollars on registering a domain name hidden in the malware.

The ransomware has wreaked havoc on organizations including FedEx and Telefonica, as well as the UK’s National Health Service (NHS), where operations were cancelled, x-rays, test results and patient records became unavailable and phones did not work.


However, a UK cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and activated a “kill switch” in the malicious software.

The switch was hardcoded into the malware in case the creator wanted to stop it spreading. This involved a very long nonsensical domain name that the malware makes a request to – just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading.

“I saw it wasn’t registered and thought, ‘I think I’ll have that’,” he is reported as saying. The purchase cost him $10.69. Immediately, the domain name was registering thousands of connections every second.

“They get the accidental hero award of the day,” said Proofpoint’s Ryan Kalember. “They didn’t realize how much it probably slowed down the spread of this ransomware.”

The time that @malwaretechblog registered the domain was too late to help Europe and Asia, where many organizations were affected. But it gave people in the US more time to develop immunity to the attack by patching their systems before they were infected, said Kalember.


The kill switch won’t help anyone whose computer is already infected with the ransomware, and it’s possible that there are other variants of the malware with different kill switches that will continue to spread.
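As an added illustration of the kill-switch lookup described above and of the variant caveat (this is example code, not from the Guardian article or from the researchers it names), the script below scans DNS query logs from a defender's side: a host that looked up the kill-switch domain ran the malware and was halted, so it still needs isolation and patching. The domain name and the log lines are constructed placeholders, and the long-random-label heuristic for spotting a variant's different kill-switch domain is an assumption, not something the article states.

```python
"""Find kill-switch lookups in DNS query logs (added example, not the article's)."""
import math
import re
from collections import Counter

KILL_SWITCH_DOMAIN = "placeholder-killswitch-domain.example"  # PLACEHOLDER, not the real one

# Constructed sample log, one query per line: "<timestamp> <client-ip> <query-name>"
SAMPLE_LOG = """\
2017-05-12T15:01:02Z 10.0.4.17 placeholder-killswitch-domain.example
2017-05-12T15:01:03Z 10.0.4.17 www.example.com
2017-05-12T15:01:05Z 10.0.9.3 mail.example.org
2017-05-12T15:01:09Z 10.0.9.3 xkq2jfh7wz9pql3mvn8tryc0dsb5ge4hua1o.example
2017-05-12T15:01:11Z 10.0.2.8 intranet.example
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character; random-looking labels score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_killswitch(qname: str, min_len: int = 30, min_entropy: float = 4.0) -> bool:
    """Assumed heuristic for a variant's switch: a long, high-entropy leftmost label."""
    label = qname.split(".")[0]
    return len(label) >= min_len and label_entropy(label) >= min_entropy


def scan_dns_log(text: str) -> dict:
    """Return hosts that queried the known domain plus suspected variant lookups."""
    known, suspect = set(), []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        _ts, client, qname = m.groups()
        qname = qname.rstrip(".").lower()
        if qname == KILL_SWITCH_DOMAIN:
            known.add(client)
        elif looks_like_killswitch(qname):
            suspect.append((client, qname))
    return {"known_hits": sorted(known), "suspect": suspect}


if __name__ == "__main__":
    print(scan_dns_log(SAMPLE_LOG))
```

A `known_hits` entry is a host to isolate and patch even though the switch stopped the encryption; a `suspect` entry is only a lead for an analyst to check, not a verdict.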

The malware was made available online on 14 April through a dump by a group called Shadow Brokers, which claimed last year to have stolen a cache of “cyber weapons” from the National Security Agency (NSA).

Ransomware is a type of malware that encrypts a user’s data, then demands payment in exchange for unlocking the data. This attack used malware called “WanaCrypt0r 2.0” or WannaCry, which exploits a vulnerability in Windows. Microsoft released a patch (a software update that fixes the problem) for the flaw in March, but computers that have not installed the security update remain vulnerable.

MalwareTech (@MalwareTechBlog): I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental.

The ransomware demands users pay $300 worth of cryptocurrency Bitcoin to retrieve their files, though it warns that the “payment will be raised” after a certain amount of time. Translations of the ransom message in 28 languages are included. The malware spreads through email.

“This was eminently predictable in lots of ways,” said Ryan Kalember from cybersecurity firm Proofpoint. “As soon as the Shadow Brokers dump came out everyone [in the security industry] realized that a lot of people wouldn’t be able to install a patch, especially if they used an operating system like Windows XP [which many NHS computers still use], for which there is no patch.”

Security researchers with Kaspersky Lab have recorded more than 45,000 attacks in 74 countries, including the UK, Russia, Ukraine, India, China, Italy, and Egypt. In Spain, major companies including telecommunications firm Telefónica were infected.

By Friday evening, the ransomware had spread to the United States and South America, though Europe and Russia remained the hardest hit, according to security researchers Malware Hunter Team. The Russian interior ministry says about 1,000 computers have been affected.

Szeraax on May 13th, 2017 at 05:12 UTC »

Solution: Geo-IP blocking and full logging (Zero Trust model). If ransomware can't get to CNC servers, it will never transport encryption key and start encrypting. If CNC server is in US, then you have a target for feds to check out.

Solution: DON'T HAVE AN ENTERPRISE NETWORK RUNNING SMB 1! Disable that shiz asap: https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices

TheAeolian on May 13th, 2017 at 03:44 UTC »

"Accidental" came directly from the person who did it, in case anyone was wondering like I was. Also:

It's very important everyone understands that all they need to do is change some code and start again. Patch your systems now!

i_ate_bambi on May 13th, 2017 at 03:37 UTC »

The exploit used by this ransomware was patched by Microsoft two months ago, keep your computers updated people.