As the world began to understand the dimensions of “Wanna Decrypt0r 2.0,” the ransomware that has crippled computers worldwide Friday, a British cybersecurity researcher was already several steps ahead.
About 3 p.m. Eastern, the specialist with U.S. cybersecurity enterprise Kryptos Logic bought an unusually long and nonsensical domain name ending with “gwea.com.” The 22-year-old says he paid $10.69, but his purchase might have saved companies and governmental institutions around the world billions of dollars.
By purchasing the domain name and registering a website, the cybersecurity researcher claims that he activated a kill switch. It immediately slowed the spread of the malware and could ultimately stop its current version, cybersecurity experts said Saturday.
Hidden in the malware, the kill switch probably was not supposed to be activated anytime soon. Perhaps, it was never supposed to be there in the first place.
When Darien Huss, a researcher with U.S. cybersecurity company Proofpoint, came across the strange domain in the code Friday evening, he immediately flagged his discovery on social media.
Alerted by the finding, a 22-year-old unidentified researcher who tweets using the handle @MalwareTechBlog decided to take action, without knowing what impact registering the domain would have.
While spreading to computers, the malware made requests to the unregistered website ending with “gwea.com.” Until around 3 p.m. Friday, all of those requests went unanswered – likely triggering the activation of the malware.
For hours, a nonexistent website helped to cripple computers worldwide.
But as soon as the researcher registered the website out of curiosity about the unusual domain name, automatic requests immediately skyrocketed, according to screenshots published on his Twitter account. It was only then that the cyber researchers realized that they might have accidentally activated a kill switch in the ransomware.
“If the domain successfully resolves to an IP address, the malware will stop running,” explained cybersecurity expert McArdle.
Speaking to The Washington Post on Saturday, the 22-year-old, who spoke on the condition of anonymity, said using a domain name as a kill switch appeared unprecedented to him. “Previous malware has used such a check to detect analysis environments but not in a way which can be used to stop the malware,” he said.
It remains unknown, however, whether the website domain really was supposed to be a deliberate kill switch. Cybersecurity expert McArdle said an accidental flaw in the ransomware is more likely.
“At first glance, this may appear to be a deliberate kill switch in the malware for the authors’ use,” said McArdle, referring to the possibility the malware’s creators included the domain to be able to stop its spread if their operation gets out of control.
But “in reality it’s a flaw that actually allowed for the spread of the malware to be greatly slowed down, albeit accidentally, by the researcher who registered it early during the outbreak,” McArdle said.
Friday’s discovery may have slowed the malware’s spread, but it is unlikely to stop it, security experts said, because the malware’s creators could soon release a different version without a kill switch. Given the international disruption the ransomware caused within a few hours, however, the current slowing of the malware could give companies crucial time to update their security software or to conduct backups.