An inquisitive UK-based info-security research helped to slow the global spread of the WannaCry ransomware over the weekend by buying a domain name referenced in the malware's code for a little over £8.
The 22-year-old cyber security researcher who tweets as '@MalwareTechBlog', stumbled upon a kill switch in the code of the ransomware that struck NHS hospitals across the UK on Friday.
The kill switch detects that a particular web domain exists, and when it does, stops spreading the infection. MalwareTechBlog registered the domain name - iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - for $10.69, and found that it immediately halted the global spread of the ransomware
"IP addresses from our sinkhole have been sent to FBI and ShadowServer so affected organisations should get a notification soon," said the researcher.
Later, he admitted that he wasn't aware registering the domain would halt the spread of the attack, which has seen him branded an as "accidental hero".
I will confess that I was unaware registering the domain would stop the malware until after i registered it, so initially it was accidental.— MalwareTech (@MalwareTechBlog) May 13, 2017
While the kill switch won't be of much use to those computers already affected, Microsoft has released emergency security patches to defend against the ransomware for unsupported versions of Windows, including Windows XP - which runs on systems in 90 per cent of NHS Trusts - and Windows Server 2003, which is still widely used, despite no longer being supported by Microsoft.
To recap, on Friday many NHS hospitals across the UK were forced to shut down IT systems and telephones lines, and in some cases cancel operations and send patients home, after being struck by the ransomware attack, later identified to be a variant of Wanna Decryptor/WannaCry/WCry. That had first been seen in the wild earlier this year, but didn't spread very far.
The malware was spread via an SMB exploit in Windows, first publicised in February by the Shadow Brokers malware group, but patched by Microsoft in March.
The WannaCry ransomware demanded $300 worth of Bitcoin to restore ransomed files, and warned that files would be deleted in a week's time.
NHS Digital said in a statement: "The investigation is at an early stage, but we believe the malware variant is Wanna Decryptor," a spokesperson said.
"At this stage we do not have any evidence that patient data has been accessed. We will continue to work with affected organisations to confirm this.
"NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and to recommend appropriate mitigations."
NHS Digital added that the attack was "not specifically targeted at the NHS and is affecting organisations from across a range of sectors". Later on Friday, it was revealed that the attack had spread to 75 countries, hitting Russia's interior ministry, the Spanish telecom giant Telefonica and the US delivery firm FedEx.
Computing's Big Data and IoT Summit 2017 and the Big Data and IoT Summit Awards are coming on 17 May 2017.
Find out what construction giant Amey, Lloyds Banking Group, Financial Times and other big names are doing in big data and the Internet of Things.
Attendance to the Summit is free to qualifying senior IT professionals and IT leaders, but places are strictly limited, so apply now.
AND on the same day, Computing is also proud to present the Big Data and IoT Summit Awards, too. See the finalists - and secure a table for your team at the Awards - now
Cotton seedling freezes to death as Chang'e-4 shuts down for the Moon's 14-day lunar night
Fortnite easily out-earns PUBG, Assassin's Creed Odyssey and Red Dead Redemption 2 in 2018
Meteor showers as a service will be visible for about 100 kilometres in all directions
Saturn's rings only formed in the past 100 million years, suggests analysis of Cassini space probe data
New findings contradict conventional belief that Saturn's rings were formed along with the planet about 4.5 billion years ago