How a $10.69 purchase may have sidelined the global malware attack
LONDON — As the world was just beginning to understand the dimensions of Wanna Decryptor 2.0, the ransomware that crippled computers worldwide, a vacationing British cybersecurity researcher was already several steps ahead.
About 3 p.m. Eastern time Friday, the specialist with U.S. cybersecurity enterprise Kryptos Logic bought an unusually long and nonsensical domain name ending with “gwea.com.” The 22-year-old says he paid $10.69, but his purchase might have saved companies and government institutions around the world billions of dollars.
By purchasing the domain name and registering a website, the cybersecurity researcher claims he activated a kill switch. It immediately slowed the spread of the malware and could ultimately stop its current version, cybersecurity experts said Saturday.
Hidden in the malware, the kill switch probably was not supposed to be activated anytime soon. Perhaps it wasn’t supposed to be there in the first place.
“What it had not counted on was a researcher doing the world a service and taking advantage of a flaw that now seemed glaringly obvious in hindsight,” said Robert McArdle, a research director with Tokyo-based cybersecurity company Trend Micro.
When Darien Huss and a colleague, both researchers with U.S. cybersecurity company Proofpoint, came across the strange domain in the code early Friday afternoon, Huss immediately flagged his discovery on social media.
Alerted by the finding, a 22-year-old unidentified researcher who tweets using the handle @MalwareTechBlog decided to take action, not knowing what impact registering the domain would have.
While spreading to computers, the malware made requests to the unregistered website ending with “gwea.com.” Until about 3 p.m. Friday, all those requests failed because the domain did not exist, and a failed lookup is apparently what let the malware carry on running.
But as soon as the domain was registered, the automatic requests skyrocketed, according to screen shots published on the researcher’s Twitter account. Every infected machine that looked up the domain now got an answer, and with that the kill switch apparently was thrown.
“If the domain successfully resolves to an IP address, the malware will stop running,” McArdle explained.
The 22-year-old, who spoke with The Washington Post on Saturday via email on the condition of anonymity, said the use of a domain name as a kill switch appeared unprecedented to him. “Previous malware has used such a check to detect analysis environments but not in a way which can be used to stop the malware,” he said.
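To make the mechanism concrete, here is a small model of a DNS-resolution kill switch of the kind described above, placed beside the older anti-analysis use of the same lookup that the researcher mentions. This is an added illustration, not code from the article, from the ransomware or from any of the researchers named. The domain name is a made-up placeholder (the real one is not reproduced), the resolver is injected so the whole thing runs offline, and the DNS log lines fed to the triage function are constructed for the example.

```python
"""Model of a DNS-resolution kill switch and its anti-analysis cousin.

Added example, not code from the article or from any malware sample. The
domain is a hypothetical placeholder, the resolver is injectable so the code
runs offline, and SAMPLE_DNS_LOG is constructed data.
"""
import socket
from collections import Counter
from typing import Callable, Dict, Optional

# Hypothetical placeholder standing in for the long, nonsensical domain.
KILL_SWITCH_DOMAIN = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxgwea.invalid"

Resolver = Callable[[str], Optional[str]]


def live_resolver(name: str) -> Optional[str]:
    """Real lookup: an IPv4 string if the name resolves, None on NXDOMAIN/failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def analysis_env_check(resolve: Resolver, probe: str) -> bool:
    """Older anti-analysis use of the same test. Sandboxes commonly answer every
    DNS query so a sample will talk to its command server; if a name that should
    not exist resolves anyway, the sample concludes it is being analysed.
    Returns True when the sample should EXIT."""
    return resolve(probe) is not None


def killswitch_check(resolve: Resolver, domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """Behaviour reported for this ransomware: it continues only if the domain
    does NOT resolve. Same lookup as above, opposite consequence, so whoever
    registers the name stops every copy that can reach public DNS.
    Returns True when the sample should RUN (spread and encrypt)."""
    return resolve(domain) is None


def make_fake_resolver(registered: bool) -> Resolver:
    """Stand-in for the two states of the outbreak: before the purchase (the
    domain returns NXDOMAIN) and after (it answers with a sinkhole address)."""
    def resolve(name: str) -> Optional[str]:
        if registered and name == KILL_SWITCH_DOMAIN:
            return "203.0.113.10"  # documentation-range address, not the real sinkhole
        return None
    return resolve


# Constructed resolver log, one query per line: "<time> <client> <qname> <rcode>"
SAMPLE_DNS_LOG = f"""\
14:58:02 10.0.4.21 {KILL_SWITCH_DOMAIN} NXDOMAIN
14:58:09 10.0.4.37 {KILL_SWITCH_DOMAIN} NXDOMAIN
14:59:44 10.0.7.2 updates.example.com NOERROR
15:03:10 10.0.4.21 {KILL_SWITCH_DOMAIN} NOERROR
15:03:15 10.0.9.140 {KILL_SWITCH_DOMAIN} NOERROR
"""


def triage_dns_log(log: str, domain: str = KILL_SWITCH_DOMAIN) -> Dict[str, Counter]:
    """Defender side. Any query for the domain means the payload already ran on
    that client, whatever the answer: NXDOMAIN rows are hosts that proceeded
    before registration, NOERROR rows are hosts that the registration stopped.
    Returns {client: Counter(rcode -> hits)} for clients that asked about it."""
    hits: Dict[str, Counter] = {}
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _, client, qname, rcode = parts
        if qname.lower().rstrip(".") == domain.lower():
            hits.setdefault(client, Counter())[rcode] += 1
    return hits


if __name__ == "__main__":
    for registered in (False, True):
        print("domain registered:", registered,
              "-> malware runs:", killswitch_check(make_fake_resolver(registered)))
    for client, codes in sorted(triage_dns_log(SAMPLE_DNS_LOG).items()):
        print(client, dict(codes))
```

Two things the model makes visible. First, the only difference between the sandbox check and the kill switch is which branch exits, which is why a lookup that was meant to hide the sample from analysts ended up letting one registration stop it. Second, the check keys on the lookup outcome alone, so a host whose lookup fails for some other reason (no outbound DNS at all, for instance, modelled by passing `lambda name: None` as the resolver) behaves exactly as if the domain were still unregistered and keeps running; the registration only helps machines that can actually reach public DNS.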
It remains unknown, however, whether the Web domain was intended to be a deliberate kill switch. McArdle said an accidental flaw in the ransomware is a more probable explanation.
“At first glance, this may appear to be a deliberate kill switch in the malware for the authors’ use,” McArdle said, referring to the possibility that the malware’s creators included the domain to be able to stop its spread if their operation gets out of control.
But “in reality, it’s a flaw that actually allowed for the spread of the malware to be greatly slowed down, albeit accidentally, by the researcher who registered it early during the outbreak,” McArdle said.
Friday’s discovery may have slowed the malware’s spread, but it is unlikely to stop it, security experts said, because the malware’s creators could release a different version without a kill switch.
“At this point, we have to assume that it will return,” said Ryan Kalember, a senior vice president at Proofpoint.
Still, slowing the spread of the malware could give companies crucial time to make backups or to update their security software — provided they are able to do so.
“Many large organizations continue to use out-of-date systems for which regular [updates] are not available anymore,” Kalember said.