It is not often that you can halt a global hacking attack for a tenner. But when you do, you spend your money fast.
Although Friday’s attack infected computers in almost 100 countries, it did not go on to spread further, thanks to an eagle-eyed UK security researcher who spotted a “kill switch” in the malware code and used it to stop the virus and collect data on infections in real time.
The switch was included in the malicious software probably as an “emergency brake” in case the creator wanted to prevent its further spread if it malfunctioned.
The mechanism works as follows: when WannaCry infects a computer, it makes a server request to a particular dotcom address, in this case a long, nonsensical string of characters. If it cannot reach the domain, it locks the files and spreads; if it connects, it shuts itself down.
The 22-year-old tweeting as @malwaretechblog was reading through the malicious software when he spotted the brake and went on to check it online. He realised that the person behind the hack had not purchased the domain before launching the attack.
“I saw it wasn’t registered and thought, ‘I think I’ll have that,’” he is reported to have said. He bought the domain for $10.69 and used it to collect real-time data about the attacks happening across the globe. He was helped by Darien Huss, a researcher at Proofpoint, a cyber security firm.
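The kill-switch check described above means every infected machine that could reach the sinkholed domain announced itself in that server's access log, which is how real-time infection data was collected. The following is an added example, not code from the researchers or the article: a small parser that bucketises hits on the sinkhole domain by hour and counts distinct source addresses. The domain name is a placeholder and the log lines are constructed, in an assumed vhost-first format.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Placeholder for the sinkholed kill-switch domain; the real name is not reproduced here.
SINKHOLE_DOMAIN = "killswitch-domain.example"

# Constructed sinkhole access-log lines (vhost, client IP, timestamp, request, status).
# Client addresses come from RFC 5737 documentation ranges, not real infections.
SAMPLE_LOG = """\
killswitch-domain.example 192.0.2.10 [12/May/2017:15:01:07 +0000] "GET / HTTP/1.1" 200
killswitch-domain.example 192.0.2.10 [12/May/2017:15:03:44 +0000] "GET / HTTP/1.1" 200
killswitch-domain.example 198.51.100.7 [12/May/2017:15:10:02 +0000] "GET / HTTP/1.1" 200
other-site.example 203.0.113.5 [12/May/2017:15:12:30 +0000] "GET /index.html HTTP/1.1" 200
killswitch-domain.example 203.0.113.9 [12/May/2017:16:00:15 +0000] "GET / HTTP/1.1" 200
this line is not a log entry
"""

LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})$'
)


def parse_line(line):
    """Return a dict for one well-formed line, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Apache-style timestamp with numeric offset; normalise to UTC for bucketing.
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return rec


def infections_per_hour(log_text, domain=SINKHOLE_DOMAIN):
    """Map each UTC hour to the sorted distinct client IPs that hit the kill-switch domain.

    A request to the domain means a host ran the malware and was halted by the switch,
    so distinct sources per hour approximate the rate of new (stopped) infections.
    Repeat hits from one IP within the same hour are counted once."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["vhost"] != domain:
            continue  # skip malformed lines and traffic for other vhosts
        buckets[rec["ts"].strftime("%Y-%m-%dT%H:00Z")].add(rec["ip"])
    return {hour: sorted(ips) for hour, ips in sorted(buckets.items())}


def total_distinct_sources(log_text, domain=SINKHOLE_DOMAIN):
    """Count distinct client IPs that reached the sinkhole across all hours."""
    return len({ip for ips in infections_per_hour(log_text, domain).values() for ip in ips})
```

Counting distinct IPs undercounts hosts behind shared NAT, so treat the figures as a lower bound.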
The registration came too late to spare Europe and Asia, but it delayed the spread of the malware in the US, where many organisations managed to patch their systems before being hit. Patching is the only effective way to prevent the spread of the bug.
Once ransomware such as WannaCry infects a device, it is too late to prevent the lockdown.
Although the attack has been stifled, security experts say the hackers are likely to hit again, as many computers remain at risk. Devices remain vulnerable if they lack a security update issued in March by Microsoft. The patch, labelled “critical”, fixes a vulnerability in the Windows operating system.
The unprecedented scale of the attack, believed to be the biggest of its kind, prompted Microsoft to swiftly change its policy and offer the fix free of charge for older Windows systems such as 2001’s Windows XP, which are still used by small businesses and millions of individuals.