LONDON — As the world began Friday to understand the dimensions of Wanna Decryptor 2.0, the ransomware that has crippled computers worldwide, a vacationing British cybersecurity researcher was already several steps ahead.
About 3 p.m. Eastern time, the specialist with U.S. cybersecurity enterprise Kryptos Logic bought an unusually long and nonsensical domain name ending with “gwea.com.” The 22-year-old says he paid $10.69, but his purchase might have saved companies and governmental institutions around the world billions of dollars.
By purchasing the domain name and registering a website, the cybersecurity researcher claims that he activated a kill switch. It immediately slowed the spread of the malware and could ultimately stop its current version, cybersecurity experts said Saturday. Britain's National Cyber Security Center confirmed Saturday that it was collaborating with the 22-year-old and other private researchers to stop the malware from spreading.
Hidden in the malware, the kill switch probably was not supposed to be activated anytime soon. Perhaps it was never supposed to be there in the first place.
“What it had not counted on was a researcher doing the world a service and taking advantage of a flaw that now seemed glaringly obvious in hindsight,” said Robert McArdle, a research director with Tokyo-based cybersecurity company Trend Micro.
When Darien Huss and a colleague, both researchers with U.S. cybersecurity company Proofpoint, came across the strange domain in the code early Friday afternoon, Huss immediately flagged his discovery on social media.
— Darien Huss (@darienhuss) May 12, 2017
While spreading to computers, the malware made requests to the unregistered website ending with “gwea.com.” Until about 3 p.m. Friday, all of those requests went unanswered — probably triggering the activation of the malware.
For hours, a nonexistent website helped to cripple computers worldwide.
But as soon as the researcher registered the website, out of curiosity about the unusual domain name, automatic requests immediately skyrocketed, according to screen shots published on his Twitter account. It was only then that the cyber-researchers realized that they might have accidentally activated a kill switch in the ransomware.
“If the domain successfully resolves to an IP address, the malware will stop running,” McArdle explained.
I'm surprised the organic free range potato I call a server hasn't died yet pic.twitter.com/g4VW2bMpz2
— MalwareTech (@MalwareTechBlog) May 12, 2017
The 22-year-old, who spoke with The Washington Post on Saturday via email on the condition of anonymity, said the use of a domain name as a kill switch appeared unprecedented to him. “Previous malware has used such a check to detect analysis environments but not in a way which can be used to stop the malware,” he said.
It remains unknown, however, whether the website domain was intended to be a deliberate kill switch. McArdle said an accidental flaw in the ransomware is a more probable explanation.
“At first glance, this may appear to be a deliberate kill switch in the malware for the authors' use,” said McArdle, referring to the possibility the malware's creators included the domain to be able to stop its spread if their operation gets out of control.
But “in reality, it's a flaw that actually allowed for the spread of the malware to be greatly slowed down, albeit accidentally, by the researcher who registered it early during the outbreak,” McArdle said.
Friday's discovery may have slowed the malware's spread, but it is unlikely to stop it, security experts said, because the malware's creators could release a different version without a kill switch.
“At this point, we have to assume that it will return,” said Ryan Kalember, a senior vice president at Proofpoint.
Still, slowing the spread of the malware could give companies crucial time to conduct backups or to update their security softwares — provided they are able to do so.
“Many large organizations continue to use out-of-date systems for which regular are not available anymore,” Kalember said.