An inquisitive UK-based info-security researcher helped to slow the global spread of the WannaCry ransomware over the weekend by buying a domain name referenced in the malware's code for a little over £8.
The 22-year-old cyber security researcher, who tweets as '@MalwareTechBlog', stumbled upon a kill switch in the code of the ransomware that struck NHS hospitals across the UK on Friday.
The kill switch checks whether a particular web domain exists and, when it does, the malware stops spreading the infection. MalwareTechBlog registered the domain name - iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - for $10.69, and found that it immediately halted the global spread of the ransomware.
"IP addresses from our sinkhole have been sent to FBI and ShadowServer so affected organisations should get a notification soon," said the researcher.
Later, he admitted that he wasn't aware registering the domain would halt the spread of the attack, which has seen him branded as an "accidental hero".
"I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental." — MalwareTech (@MalwareTechBlog), May 13, 2017
While the kill switch won't be of much use to those computers already affected, Microsoft has released emergency security patches to defend against the ransomware for unsupported versions of Windows, including Windows XP - which runs on systems in 90 per cent of NHS Trusts - and Windows Server 2003, which is still widely used, despite no longer being supported by Microsoft.
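Because the malware looks up the kill-switch domain named above, hosts that query it are candidates for having run WannaCry and are worth checking and patching. The following is an added example, not code from the article or the researcher: it scans resolver logs for those lookups, and the log layout, client addresses and the `find_lookups` helper are constructed assumptions.

```python
import re
from collections import defaultdict

# Kill-switch domain as quoted in the article.
KILL_SWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample resolver log. The line layout is an assumption for this
# example, not the format of any particular DNS server.
SAMPLE_LOG = """\
2017-05-12T14:02:11Z client=10.1.4.23 query=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. type=A rcode=NXDOMAIN
2017-05-12T14:02:15Z client=10.1.4.57 query=update.example.org. type=A rcode=NOERROR
2017-05-13T09:40:02Z client=10.1.4.23 query=WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. type=A rcode=NOERROR
2017-05-13T09:41:30Z client=10.1.7.8 query=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com type=A rcode=NOERROR
2017-05-13T09:42:00Z client=10.1.7.9 query=notiuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. type=A rcode=NOERROR
malformed line without fields
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) type=\S+ rcode=(?P<rcode>\S+)$"
)

def is_kill_switch(qname):
    # DNS names are case-insensitive and may carry a trailing root dot.
    name = qname.rstrip(".").lower()
    return name == KILL_SWITCH or name.endswith("." + KILL_SWITCH)

def find_lookups(log_text):
    """Return {client: {count, unresolved, first, last}} for kill-switch lookups."""
    hosts = defaultdict(lambda: {"count": 0, "unresolved": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not is_kill_switch(m["qname"]):
            continue
        h, ts = hosts[m["client"]], m["ts"]
        h["count"] += 1
        h["first"] = min(h.get("first", ts), ts)  # ISO-8601 UTC strings sort by time
        h["last"] = max(h.get("last", ts), ts)
        # A failed lookup means the domain did not appear to exist to that host.
        if m["rcode"] != "NOERROR":
            h["unresolved"] += 1
    return dict(hosts)

if __name__ == "__main__":
    for client, h in sorted(find_lookups(SAMPLE_LOG).items()):
        print(f"{client}: {h['count']} lookups ({h['unresolved']} unresolved), "
              f"first {h['first']}, last {h['last']}")
```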
To recap, on Friday many NHS hospitals across the UK were forced to shut down IT systems and telephone lines, and in some cases cancel operations and send patients home, after being struck by the ransomware attack, later identified to be a variant of Wanna Decryptor/WannaCry/WCry. That ransomware had first been seen in the wild earlier this year, but didn't spread very far.
The malware was spread via an SMB exploit in Windows, first publicised in February by the Shadow Brokers malware group, but patched by Microsoft in March.
The WannaCry ransomware demanded $300 worth of Bitcoin to restore ransomed files, and warned that files would be deleted in a week's time.
An NHS Digital spokesperson said in a statement: "The investigation is at an early stage, but we believe the malware variant is Wanna Decryptor.
"At this stage we do not have any evidence that patient data has been accessed. We will continue to work with affected organisations to confirm this.
"NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and to recommend appropriate mitigations."
NHS Digital added that the attack was "not specifically targeted at the NHS and is affecting organisations from across a range of sectors". Later on Friday, it was revealed that the attack had spread to 75 countries, hitting Russia's interior ministry, the Spanish telecom giant Telefonica and the US delivery firm FedEx.