This weekend’s large-scale ransomware attack was significantly thwarted, by complete accident, by a UK-based 22-year-old security expert, it has been revealed.
On Friday, a large-scale malware attack spanning 150 countries was launched that severely crippled a number of services, including parts of the UK’s NHS. The malware is ransomware: a type of malware that encrypts files and demands a ransom to decrypt them.
As the ransomware spread from computer to computer, cyber security experts from across the world rushed to help stop it and begin damage control. But it was a 22-year-old from the South-West of the UK who managed to significantly slow the spread of the ransomware, and he did it completely by accident.
Known by the online handle MalwareTech, this British security expert – like many of his equivalents from all over the planet – was examining the code behind the malware. MalwareTech noticed that the malware – upon spreading to a new machine – was making a “request” to an obscure website address that didn’t actually exist.
If every single instance of the malware made the same request to the same obscure, non-existent website, then it could be possible to track the spread of the ransomware as it travelled across the Internet. As such, MalwareTech opted to register the website address that was being requested by the ransomware, turning the non-existent web address to a very real web address.
As it turns out, doing so acted as a type of “kill switch” that stopped the ransomware from spreading. It appears this “kill switch” was deliberately built into the ransomware by the person behind it so that they had the ability to stop their ransomware from spreading.
The kill switch worked like this –
The ransomware would request a website address. If that request returned a DNS error – meaning the web domain didn’t exist – then the ransomware would continue. However if the ransomware detected a live domain, it would stop spreading.
When MalwareTech – who reportedly works for a digital threat assessment company – registered the website domain with the intention of monitoring the spread of the malware, he inadvertently instructed it to stop spreading.
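The check described above, modelled as an added example (not code from the article or from MalwareTech): the first function reproduces the “NXDOMAIN means keep going, live answer means stop” decision with a pluggable resolver, so the effect of registering the name can be seen directly; the second takes the defender’s view and pulls out of a DNS query log every host that asked for the kill-switch name, since such a host is likely carrying the worm whatever answer it got. The domain name, sinkhole address and log format are constructed placeholders; the article does not name the real domain.

```python
"""Added example, not the article's own code.  Models the DNS kill switch the
article describes and a defender-side check over DNS logs.  The domain and the
sinkhole IP below are labelled placeholders, not the real values."""
from typing import Callable, Dict, List, Optional

KILL_SWITCH_DOMAIN = "killswitch-placeholder.invalid"  # placeholder, not the real domain

Resolver = Callable[[str], Optional[str]]  # returns an IP, or None for a DNS error (NXDOMAIN)


def kill_switch_allows_spread(resolve: Resolver, domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """The logic from the article: a DNS error (domain does not exist) means
    'continue'; any live answer for the name means 'stop spreading'."""
    return resolve(domain) is None


def make_resolver(zone: Dict[str, str]) -> Resolver:
    """Constructed stand-in for DNS: answers only for names present in `zone`."""
    return lambda name: zone.get(name.lower().rstrip("."))


# Before registration nobody owned the name, so every lookup was a DNS error.
before_registration = make_resolver({})
# After registration the name resolves to a sinkhole address (constructed value).
after_registration = make_resolver({KILL_SWITCH_DOMAIN: "203.0.113.10"})


def hosts_querying_kill_switch(lines: List[str], domain: str = KILL_SWITCH_DOMAIN) -> List[str]:
    """Defender view: any client that looked up the kill-switch name is worth
    triaging, whether it got NXDOMAIN or the sinkhole IP.  Constructed log
    format: '<timestamp> <client_ip> <qname> <rcode>'."""
    seen: List[str] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip it rather than crash the sweep
        _ts, client, qname, _rcode = parts[:4]
        if qname.lower().rstrip(".") == domain and client not in seen:
            seen.append(client)
    return seen


SAMPLE_DNS_LOG = [  # constructed sample lines, not real telemetry
    "2017-05-12T10:01:02Z 10.0.0.5 killswitch-placeholder.invalid. NXDOMAIN",
    "2017-05-12T10:01:07Z 10.0.0.9 www.example.com. NOERROR",
    "2017-05-12T10:02:11Z 10.0.0.5 killswitch-placeholder.invalid. NOERROR",
    "2017-05-12T10:03:30Z 10.0.0.17 killswitch-placeholder.invalid. NXDOMAIN",
    "garbage line",
]

if __name__ == "__main__":
    print("spreads before registration:", kill_switch_allows_spread(before_registration))  # True
    print("spreads after registration:", kill_switch_allows_spread(after_registration))    # False
    print("hosts to triage:", hosts_querying_kill_switch(SAMPLE_DNS_LOG))
```

One consequence of this logic that follows directly from the model: the registered domain only halts a host whose own lookup of the name actually returns an answer, so a machine that cannot resolve the name still sees a DNS error and continues, which is why the DNS-log sweep matters even after the sinkhole is live.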
However, the security expert warned that the creators of the ransomware were likely to rewrite their software in order to orchestrate new attacks.
So if you haven’t done so already, make sure your version of Windows is all patched up.