“Accidental Hero” Halts WannaCry Ransomware Spread

A researcher accidentally hit a kill switch preventing the further spread of WannaCry ransomware. But the crisis is not over and the malware could return.

A security researcher found, and without realising it at the time activated, a kill switch that halted the spread of the WannaCry ransomware. The switch was a domain name hidden in the malware's code. He has warned that this is not the end of the attack: the criminals could restart it simply by changing the code.

Wreaking Havoc

The WannaCry ransomware has wreaked havoc on several organisations, among them the UK's NHS, FedEx and Telefónica.

At affected NHS trusts, operations had to be cancelled because of the attack; X-rays and patient records were unavailable and the telephones did not work.

The ransomware hit systems all over the world, encrypting files and demanding a ransom of a few hundred dollars in bitcoin per machine to get them back.

The attackers built the malware around an exploit for a vulnerability in Windows. The exploit was leaked in April, about a month after Microsoft had already released a patch for the flaw (MS17-010, March 2017), which is why unpatched machines were the ones hit.

The leaked hacking tools are believed to have been developed by the NSA (National Security Agency).

Accidental Hero

The WannaCry ransomware was brought to a halt by a UK cyber security researcher who tweets as @malwaretechblog, working with Darien Huss of the security firm Proofpoint.

The two spotted a kill switch in the malware and activated it by accident.

The researcher is 22 years old, from south-west England, and works for Kryptos Logic, a threat intelligence company based in Los Angeles.

Accidental Fix

The researcher told The Guardian that he had been out at lunch and, when he returned, saw several articles about the ransomware hitting the National Health Service and other organisations in the UK.

He looked into the malware and found that it tried to connect to a particular domain that was not registered, so he registered it himself, without yet knowing what it was for.

The domain turned out to be a kill switch hard-coded into the malware, apparently so that whoever created it could stop it whenever they wished.

The mechanism is simple: the malware requests a long, random-looking domain name before doing anything else. If the request fails, it carries on and infects the machine; if the request succeeds, showing that the domain is alive, the kill switch takes effect and the malware stops without spreading further.

Unregistered Domain


The researcher, @MalwareTech, found the name of this unregistered domain within the malware and he bought it.

The two researchers then pointed the domain at a sinkhole, a server they control that accepts the connections infected machines make to the domain, so the traffic can be logged and analysed instead of being lost.

At that point they still did not realise that the domain was a kill switch, a mechanism that would let whoever controlled it stop the malware.

The domain cost the researcher $10.69. Once registered, it was receiving thousands of connection attempts per second.

The researcher stressed that users must nonetheless update their systems as soon as possible to prevent further attacks.

The malware's creators had relied on the domain never being registered; registering it was enough to stop that version in its tracks.
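The check described in this section, modelled in Python as an added example (this is not the worm's code, and the kill-switch domain is a made-up placeholder, not the real one). A toy `Internet` class stands in for DNS and the web so the logic runs offline, and a `Sinkhole` class records who calls home once the domain is registered. The simulation shows the three cases that matter: before registration every host goes on to infect; after registration every host stops and shows up in the sinkhole log; and a host that cannot make the request directly (for instance, one whose only web access is through a proxy) still never sees the domain as alive, so registration alone does not protect it.

```python
"""Model of a hard-coded kill-switch check of the kind described above.

Added example, not the worm's code. KILL_SWITCH_DOMAIN is a made-up
placeholder (the real domain is not reproduced), and Internet/Sinkhole are
a toy network so the logic runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

# Placeholder for the long, random-looking hostname hard-coded in the worm.
# Assumption: a made-up name; it is not the real kill-switch domain.
KILL_SWITCH_DOMAIN = "long-random-looking-name.example"


class Sinkhole:
    """Server the registered domain is pointed at; it logs who calls home.

    Every hit is a host that has just been stopped by the check, so the
    sinkhole log doubles as a census of machines the worm reached.
    """

    def __init__(self) -> None:
        self.hits: Dict[str, int] = {}

    def record(self, client_ip: str) -> None:
        self.hits[client_ip] = self.hits.get(client_ip, 0) + 1


@dataclass
class Internet:
    """Toy network: which names resolve, and where the sinkhole sits."""

    registered: Set[str] = field(default_factory=set)
    sinkhole: Optional[Sinkhole] = None

    def fetch(self, client_ip: str, url: str, direct_egress: bool = True) -> bool:
        host = url.split("//", 1)[1].split("/", 1)[0]
        if host not in self.registered:
            raise ConnectionError(f"{host}: name does not resolve")
        if not direct_egress:
            # A host that can only reach the web through a proxy never gets a
            # successful direct request, even after the domain is registered.
            raise ConnectionError("direct outbound connection blocked")
        if self.sinkhole is not None:
            self.sinkhole.record(client_ip)
        return True


def kill_switch_triggered(fetch: Callable[[str], bool]) -> bool:
    """True when the request to the hard-coded domain succeeds."""
    try:
        return fetch(f"http://{KILL_SWITCH_DOMAIN}/")
    except ConnectionError:
        return False


def worm_should_run(fetch: Callable[[str], bool]) -> bool:
    """Inverted logic: unreachable domain -> spread; reachable -> exit."""
    return not kill_switch_triggered(fetch)


def simulate(registered: bool, direct_egress: bool = True,
             clients: Tuple[str, ...] = ("10.0.0.5", "10.0.0.6")
             ) -> Tuple[Dict[str, bool], Dict[str, int]]:
    """Run the check from each client; return (who would infect, sinkhole hits)."""
    net = Internet()
    if registered:
        net.registered.add(KILL_SWITCH_DOMAIN)
        net.sinkhole = Sinkhole()
    outcome: Dict[str, bool] = {}
    for ip in clients:
        fetch = lambda url, ip=ip: net.fetch(ip, url, direct_egress)
        outcome[ip] = worm_should_run(fetch)
    hits = dict(net.sinkhole.hits) if net.sinkhole is not None else {}
    return outcome, hits


if __name__ == "__main__":
    print("before registration:", simulate(registered=False))
    print("after registration: ", simulate(registered=True))
    print("behind a proxy:     ", simulate(registered=True, direct_egress=False))
```

The inverted sense of the check is the whole point: a defender normally wants a domain to be unreachable, but here the registered, responding domain is what stops the malware, which is why a $10.69 registration had such an effect.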

Though the researcher has been praised online for stopping such a widespread piece of malware, @MalwareTech said that what he did was not that significant.

The kill switch only stops the version of the malware that checks this domain. Other variants that do not contact the domain, or that check a different one, can still spread and infect computers.

WannaCry: How it Works

The WannaCry infection spreads as a worm, a program that copies itself from one computer to another without needing a human to carry it.

Early reports suggested that the initial foothold relied on users being tricked into opening an email attachment carrying the worm or attack code. Once inside a network, however, the worm needs no user interaction at all.

Having entered an organisation, WannaCry scans for other vulnerable systems it can reach and spreads the infection to them as well.

According to experts, the attack was built to exploit a weakness in Microsoft Windows, specifically in its implementation of the SMBv1 file-sharing protocol, which listens on TCP port 445.

The NSA had identified this weakness earlier and built an exploit for it codenamed "EternalBlue". Microsoft fixed the flaw in its March 2017 security update (MS17-010); machines that had not applied it were the ones the worm could compromise.
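The scanning behaviour described in this section is what a defender can look for on the network. As an added example (not from the original article), the script below reads constructed firewall connection log lines in a made-up format and flags any source host that has attempted SMB (TCP 445) connections to many distinct destinations, which is what a worm looking for unpatched machines does and what an ordinary workstation talking to one or two file servers does not. Blocked (DENY) attempts are counted too: on a segmented network the probes that were refused are often the clearest signal.

```python
"""Flag hosts probing many neighbours on TCP 445 (SMB), the behaviour of a
worm looking for unpatched machines to spread to.

Added example, not from the original article. SAMPLE_LOG is constructed
firewall output in a made-up format; adapt LINE_RE to your own logs.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator

# Constructed sample (not real data): 10.0.0.20 is a normal client of the
# file server 10.0.0.6, 10.0.0.21 talks to one share, and 10.0.0.5 sweeps
# the subnet plus an external address, which is the worm-like pattern.
SAMPLE_LOG = """\
2017-05-12T13:01:02Z ALLOW TCP 10.0.0.20:50001 -> 10.0.0.6:445
2017-05-12T13:01:05Z ALLOW TCP 10.0.0.20:50002 -> 10.0.0.6:445
2017-05-12T13:02:10Z ALLOW TCP 10.0.0.5:49211 -> 10.0.0.6:445
2017-05-12T13:02:10Z DENY  TCP 10.0.0.5:49212 -> 10.0.0.7:445
2017-05-12T13:02:10Z DENY  TCP 10.0.0.5:49213 -> 10.0.0.8:445
2017-05-12T13:02:11Z ALLOW TCP 10.0.0.5:49214 -> 10.0.0.9:445
2017-05-12T13:02:11Z DENY  TCP 10.0.0.5:49215 -> 10.0.0.10:445
2017-05-12T13:02:11Z DENY  TCP 10.0.0.5:49216 -> 10.0.0.11:445
2017-05-12T13:02:12Z ALLOW TCP 10.0.0.5:49217 -> 10.0.0.12:445
2017-05-12T13:02:12Z DENY  TCP 10.0.0.5:49218 -> 203.0.113.9:445
2017-05-12T13:02:13Z ALLOW TCP 10.0.0.5:49219 -> 10.0.0.6:80
2017-05-12T13:02:14Z ALLOW TCP 10.0.0.21:50100 -> 10.0.0.9:445
"""

# One line per connection attempt: timestamp, verdict, proto, src:port -> dst:port
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+TCP\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_events(lines: Iterable[str]) -> Iterator[Dict[str, object]]:
    """Yield one dict per well-formed log line; silently skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev: Dict[str, object] = m.groupdict()
            ev["dport"] = int(m.group("dport"))
            yield ev


def find_smb_scanners(lines: Iterable[str], threshold: int = 5) -> Dict[str, int]:
    """Map each source IP that touched >= threshold distinct hosts on 445
    to the number of distinct destinations it tried.

    Both ALLOW and DENY lines count: the worm probes regardless of whether
    the target answers, and on a segmented network the refused attempts
    are the bulk of the evidence.
    """
    dests: Dict[str, set] = defaultdict(set)
    for ev in parse_events(lines):
        if ev["dport"] == 445:
            dests[str(ev["src"])].add(str(ev["dst"]))
    return {src: len(d) for src, d in dests.items() if len(d) >= threshold}


if __name__ == "__main__":
    for src, count in find_smb_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src} attempted SMB to {count} distinct hosts: possible worm spread")
```

The threshold is deliberately low for the sample; on a real network, tune it against a baseline of how many file servers a normal host talks to, and treat any 445 traffic towards the internet as suspicious on its own.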
