Security Researcher Temporarily Stops WannaCry Global Ransomware Attack Dead In Its Tracks


The Internet community was able to breathe a temporary sigh of relief after a 22-year-old security researcher accidentally discovered a way to thwart WannaCrypt, a fast-spreading strain of malware that was stolen from the National Security Agency. After reaching tens of thousands of systems in over 70 countries within the first few hours, WannaCrypt was stopped dead in its tracks.

Also known as WannaCry, WCry, and by a handful of other designations, the unprecedented ransomware attack was particularly bothersome for hospitals in the UK. Many of them shut down and turned patients away. In some cases, operations had to be cancelled. Doctors and staff were locked out of viewing patient records because all the information on their systems had become encrypted, with a ransom demand to pay $300 in Bitcoin. It was so bad that Microsoft took the unusual step of issuing a patch for legacy operating systems it no longer supports, including Windows XP.

The young security researcher-turned-Internet-hero known as MalwareTech decided to investigate and found WannaCrypt was pinging a specific domain, one that was not registered. He then registered the domain in question with the intent of tracking the ransomware's spread, as his company is known to do.

"The intent was to just monitor the spread and see if we could do anything about it later on. But we actually stopped the spread just by registering the domain," he said.

It stopped spreading because the malware's author hardcoded what is essentially a kill switch into the ransomware, just in case he ever wanted to stop it from spreading. The way it works is WannaCrypt pings the domain to see if it's live. If it is, the kill switch gets engaged, stopping the ransomware from encrypting files and spreading across networks. So by registering the domain and making it active, MalwareTech basically tripped over the power cord.
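For defenders, the kill-switch check described above leaves a trace: any internal host that looks up the domain is probably running the ransomware, and a host whose lookup fails never sees the domain as live. The following is an added example, not code from the article or from MalwareTech, that triages DNS query logs on that basis; the domain name, the log format and the sample records are constructed placeholders, and a successful DNS answer is assumed to stand in for "the domain is live".

```python
# Added example: triage DNS query logs for lookups of the kill-switch domain.
# The domain, log format and records are constructed placeholders, not real indicators.
from collections import defaultdict

KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"  # the article does not name the domain

# Constructed sample log, one record per line: <time> <client_ip> <qname> <qtype> <rcode>
SAMPLE_LOG = """\
2000-01-01T15:01:07Z 10.0.4.21 killswitch-placeholder.example. A NOERROR
2000-01-01T15:01:09Z 10.0.4.33 intranet.corp.example. A NOERROR
2000-01-01T15:02:44Z 10.0.7.5 KillSwitch-Placeholder.example. A NXDOMAIN
2000-01-01T15:03:10Z 10.0.7.5 killswitch-placeholder.example. A NXDOMAIN
2000-01-01T15:04:51Z 10.0.4.21 killswitch-placeholder.example. A NOERROR
malformed line
2000-01-01T15:05:00Z 10.0.9.9 notkillswitch-placeholder.example. A NOERROR
"""

def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.rstrip(".").lower()

def triage(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: status} for every client that looked up the domain.

    "reached": at least one lookup succeeded, so the kill switch could engage.
    "blocked": every lookup failed, so the kill switch could not engage and
               the host should be isolated first.
    Either status marks the client as a likely infected host.
    """
    target = normalize(domain)
    rcodes = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        _, client, qname, _, rcode = fields
        if normalize(qname) == target:  # exact match, never a substring match
            rcodes[client].add(rcode.upper())
    return {c: ("reached" if "NOERROR" in r else "blocked") for c, r in rcodes.items()}

if __name__ == "__main__":
    for client, status in sorted(triage(SAMPLE_LOG).items()):
        print(client, status)
```

Because the kill switch only engages when the domain appears live, filtering or sinkholing that lookup locally without answering it removes the protection for the affected hosts.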

This was not discovered until much later, so it was assumed that WannaCrypt was still spreading at an incredible rate. However, MalwareTech warned that even though he was able to stop the ransomware, it would only be a temporary fix.

"The attackers will realize how we stopped it, they'll change the code and then they'll start again," MalwareTech said. "Enable Windows Update, update, and then reboot."

Just as he warned, there are reports of a new version making the rounds, one that sidesteps the fix. It is not clear how fast it is now spreading, though it has the attention of multiple government agencies. The Europol chief said his agency was working with the U.S. Federal Bureau of Investigation (FBI) to find the person or people responsible, and that more than one person was likely involved, BBC reports.

For as much attention as WannaCrypt has received, it has not been all that lucrative. It's estimated that less than $25,000 has been paid out so far.

Via:  The Guardian