London: As the world began to understand the dimensions of 'Wanna Decrypt0r 2.0', the ransomware that started crippling computers worldwide on Friday, a British cybersecurity researcher was already several steps ahead.
About 7pm London time on Friday night, the specialist with US cybersecurity enterprise Kryptos Logic bought an unusually long and nonsensical domain name ending with "gwea.com."
The 22-year-old says he paid just $15.50, but his purchase might have saved companies and governmental institutions around the world billions of dollars.
By purchasing the domain name and registering a website, the researcher claims he activated a kill switch. It immediately slowed the spread of the malware and could ultimately stop its current version, cybersecurity experts said on Saturday.
Hidden in the malware, the kill switch was probably not supposed to be activated anytime soon. Perhaps, it was never supposed to be there in the first place.
When Darien Huss, a researcher with US cybersecurity company Proofpoint, came across the strange domain in the code on Friday evening, he immediately flagged his discovery on social media.
Alerted by the finding, a 22-year-old unidentified researcher who tweets using the handle @MalwareTechBlog decided to take action, without knowing what impact registering the domain would have.
While spreading to computers, the malware made requests to the unregistered website ending with "gwea.com." Until around 7pm Friday London time, all of those requests went unanswered – likely triggering the activation of the malware.
For hours, a non-existent website helped cripple computers worldwide, but as soon as the researcher registered the website, automatic requests immediately skyrocketed, according to screenshots published on his Twitter account.
It was only then that cyber researchers realised they might have accidentally activated a kill switch in the ransomware.
"If the domain successfully resolves to an IP address, the malware will stop running," explained Robert McArdle, a research director with Tokyo-based cybersecurity company Trend Micro.
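To make the mechanism described above concrete from a defender's side, here is an added illustration (not code from the article or from the malware): a model of the "halt if the domain resolves" check with an injected resolver so it runs offline, plus a small scan of constructed DNS log lines to find hosts that performed the lookup. The domain name is a labelled placeholder, not the real one.

```python
"""Educational model of a DNS kill switch and a DNS-log check for hosts
that performed the lookup. Added example; assumptions are marked."""
from collections import Counter
from typing import Callable, Iterable, Optional

# Placeholder only: the real kill-switch domain is not reproduced here.
KILL_SWITCH_DOMAIN = "example-killswitch-placeholder.invalid"


def should_halt(domain: str, resolve: Callable[[str], Optional[str]]) -> bool:
    """Return True when the domain resolves to an address (kill switch armed).

    `resolve` is injected so the logic can be exercised without network
    access. While the domain was unregistered the lookup failed and the
    malware kept running; once registered, the lookup succeeds and it stops.
    Note for defenders: a host whose outbound DNS is blocked never gets a
    successful answer, so the kill switch does not protect it.
    """
    try:
        return resolve(domain) is not None
    except OSError:
        # A resolution error behaves like "unregistered": nothing halts.
        return False


def hosts_querying(log_lines: Iterable[str],
                   domain: str = KILL_SWITCH_DOMAIN) -> Counter:
    """Count per-client queries for the kill-switch domain.

    Assumed (constructed) log format: 'timestamp client qname rcode'.
    A query for the domain is a strong sign the host ran the check, whether
    or not the lookup succeeded, so each client here warrants triage.
    """
    hits: Counter = Counter()
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2].rstrip(".").lower() == domain:
            hits[parts[1]] += 1
    return hits


# Constructed sample log: two lookups from 10.0.0.5, one from 10.0.0.9,
# and an unrelated query from 10.0.0.7.
SAMPLE_LOG = [
    "2017-05-12T18:40:01Z 10.0.0.5 example-killswitch-placeholder.invalid. NXDOMAIN",
    "2017-05-12T18:40:02Z 10.0.0.7 www.example.com. NOERROR",
    "2017-05-12T18:40:05Z 10.0.0.9 EXAMPLE-KILLSWITCH-PLACEHOLDER.INVALID. NXDOMAIN",
    "2017-05-12T19:05:11Z 10.0.0.5 example-killswitch-placeholder.invalid. NOERROR",
]

if __name__ == "__main__":
    print("unregistered ->", should_halt(KILL_SWITCH_DOMAIN, lambda d: None))
    print("registered   ->", should_halt(KILL_SWITCH_DOMAIN, lambda d: "192.0.2.10"))
    print("hosts to triage:", dict(hosts_querying(SAMPLE_LOG)))
```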
Speaking to The Washington Post on Saturday, the 22-year-old, who spoke on the condition of anonymity, said using a domain name as a kill switch appeared unprecedented.
"Previous malware has used such a check to detect analysis environments but not in a way which can be used to stop the malware," he said.
It remains unknown, however, whether the website domain really was supposed to be a deliberate kill switch.
Mr McArdle said an accidental flaw in the ransomware is more likely.
"At first glance, this may appear to be a deliberate kill switch in the malware for the authors' use," he said, referring to the possibility the malware's creators included the domain to be able to stop its spread if their operation got out of control.
But "in reality it's a flaw that actually allowed for the spread of the malware to be greatly slowed down, albeit accidentally, by the researcher who registered it early during the outbreak," he said.
Friday's discovery may have slowed the malware's spread, but it is unlikely to stop it because the malware's creators could release a different version without a kill switch.
As of Saturday afternoon, the money raised by the attackers, who demanded payment using the virtual currency bitcoin, was still modest. Funds totaling about $US33,000 had been deposited into several bitcoin accounts associated with the ransomware, according to Elliptic, a company that tracks online financial transactions involving virtual currencies.
That figure is likely to increase as deadlines approach for payment, security researchers said. Victims may also start digging into their wallets as others publicly confirm that paying the ransom actually unlocks their files.
Brian Lord, a former deputy director for intelligence and cyberoperations at Britain's Government Communications Headquarters (GCHQ), said that any investigation, which would include the FBI and the National Crime Agency of Britain, would take months to identify the attackers, if it ever does.
Given the international disruption the ransomware caused within a few hours, however, the current slowing of the malware could give companies crucial time to update their security software or to conduct backups.
Washington Post, New York Times