The expert who stopped the attack from spreading further through activating the ‘kill switch’ on the software states that the criminals will just change the code and then start all over again. According to the accidental hero who was able to stop an unprecedented ransomware attack from spreading further across the globe by having a registered a domain hidden within the malware is warning that the attack could potentially be rebooted.
The attack used ransomware that wreaked serious havoc on a multitude of organizations including Telefonica and FedEx, in addition to the National Health Service (NHS) in the UK, where operations had to be cancelled, the phones did not work, and patient records, test results and X-rays were unavailable.
However the spread of this attack which has now been traced to a group of North Korean Hackers was halted quite suddenly when a UK cybersecurity researcher who tweeted as @malwaretechblog, with assistance from Darien Huff from Proofpoint, a security firm, discovered and activated a “kill switch” inadvertently that was inside of the malicious software.
The 22-year-old researcher from southwest England, who only identified himself as MalwareTech, works for a threat intelligence company based in LA called Kryptos Logic.
He told the Guardian that he was out having lunch with one of his friends and returned at around 3 pm and noticed all of the news articles coming out about the NHS and different UK organisations that were being hit. He said he looked into it and discovered a sample of malware that was behind it and that it connected to a certain unregistered domain name. He said he picked up on it but at the time didn’t know what it did.
There was a kill switch that was hard coded inside of the malware in the event that the creator decided to stop it from spreading any further. It involved an extremely long, nonsensical domain name where the malware made a request to – just like it was looking up a regular site – if the request came back and showed a live domain, then the kill switch would take effect and stop the malware from spreading any further. The cost of the domain was $10.69 and immediately started registering thousands of connections per second.
MalwareTech says he purchased the domain since botnets are tracked by his company, and when these domains are registered it can provide them with insight into the way the botnet is spreading. He said all they intended to do was monitor the spread of the attack and see if anything could be done about it later on. However, by just simply registering the domain that actually stopped the spread. However, he added that the hours that followed were a real emotional roller coaster.
MalwareTech says he prefers staying anonymous since it doesn’t make any sense for him to give out his personal information, since they are obviously working against bad guys who aren’t going to be happy about it.
He also stated he was planning on holding onto the URL, and that he and his colleagues were working on collecting IPs to sent to law enforcement agencies so that infected victims could be notified, especially since not everyone even knows that they were affected.