The unexpected hero who stopped the ransomware is a UK security researcher. He is a 22-year-old who took a week off work when he chose to examine the ransomware that has been infecting thousands of computers worldwide.
Friday's attack affected thousands of organizations, including the UK's National Health Service, FedEx, and Telefonica. The NHS had to cancel some of its operations: patient records, test results, and X-rays were unavailable, and its phones stopped working as well.
Thankfully, MalwareTech, as the UK security researcher is known online, brought the attack to a sudden halt by accidentally triggering a kill switch built into the malicious software.
He told the Guardian:
“I was out having lunch with a friend and got back about 3pm and saw an influx of news articles about the NHS and various UK organisations being hit. I had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time.”
He registered the domain for just $10.69. Owning it let him see how widespread the attack was; it also, unintentionally, stopped the attack.
The kill switch was designed to stop researchers from investigating the ransomware. However, the same switch meant the malware could be disabled remotely: once the domain was live, the malware stopped.
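Owning the domain that the malware beacons to is what turned a $10.69 registration into a view of the outbreak: every lookup of that name is a hint that one more host ran the sample. The following is an added example, not code from the article or from MalwareTech, showing how a sinkhole operator would summarise such DNS logs. The log lines, the client addresses and the domain name `killswitch-placeholder.example` are all constructed placeholders, not the real kill-switch domain.

```python
"""Estimate how widespread an outbreak is from sinkhole DNS query logs.

Added example (not from the article). Parses constructed log lines of the
form "<ISO timestamp> <client IP> <queried name>" and reports distinct
source addresses overall and newly seen addresses per hour, which is the
sinkhole operator's view of how far the malware has spread.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log; the domain and addresses are placeholders.
SAMPLE_LOG = """\
2017-05-12T13:58:02Z 198.51.100.14 killswitch-placeholder.example
2017-05-12T14:02:17Z 203.0.113.7 killswitch-placeholder.example
2017-05-12T14:02:19Z 203.0.113.7 killswitch-placeholder.example
2017-05-12T14:30:44Z 198.51.100.99 www.example.org
2017-05-12T15:11:05Z 192.0.2.33 killswitch-placeholder.example
2017-05-12T15:45:51Z 198.51.100.14 killswitch-placeholder.example
malformed line without a timestamp
"""

# Assumed placeholder for the sinkholed domain, not the real one.
SINKHOLE_DOMAIN = "killswitch-placeholder.example"


def parse_line(line):
    """Return (timestamp, client_ip, qname) or None for unparsable lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    # Normalise the query name so trailing dots and case do not split counts.
    return ts, parts[1], parts[2].rstrip(".").lower()


def sinkhole_hits(log_text, domain=SINKHOLE_DOMAIN):
    """Yield parsed records whose query name matches the sinkhole domain."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == domain:
            yield rec


def distinct_sources(log_text, domain=SINKHOLE_DOMAIN):
    """Distinct client addresses that looked up the domain.

    This is a lower bound on infected hosts: machines behind one NAT
    gateway share an address, and a host that never resolved the name
    (for example, with DNS blocked) is not seen at all.
    """
    return {ip for _, ip, _ in sinkhole_hits(log_text, domain)}


def new_sources_per_hour(log_text, domain=SINKHOLE_DOMAIN):
    """Count addresses seen for the first time in each hour.

    Repeat lookups from the same address (retries, reboots) are not
    counted again, so the series reflects newly observed hosts rather
    than raw query volume.
    """
    seen = set()
    per_hour = defaultdict(int)
    for ts, ip, _ in sorted(sinkhole_hits(log_text, domain)):
        if ip not in seen:
            seen.add(ip)
            per_hour[ts.strftime("%Y-%m-%dT%H:00Z")] += 1
    return dict(per_hour)


if __name__ == "__main__":
    print("distinct sources:", len(distinct_sources(SAMPLE_LOG)))
    for hour, n in sorted(new_sources_per_hour(SAMPLE_LOG).items()):
        print(hour, n)
```

Counting first-seen addresses rather than queries matters for the question the article raises (how widespread is it?): an infected machine that retries the lookup every few seconds would otherwise dominate the numbers. On the constructed sample, three distinct addresses appear, one new per hour, while the unrelated `www.example.org` lookup and the malformed line are ignored.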
Is the problem resolved?
Registering the domain name may have stopped the attack and the spread of the malware from one computer to another, but it doesn't mean that infected computers have been repaired.
Some experts have warned that new versions of this malware may include code that ignores the kill switch. So even though this version has been stopped from spreading further, a new version can be expected, and it will be harder to stop.
The creators of this malware see that there is money in it, so they won't stop. It's easy for them to change the code and start all over.
Although it won't repair the damage, and stopping the spread is only temporary, it gave people in the US time to update and patch their systems before they could be infected. So, if your computer hasn't been infected, make sure that Windows Update is enabled and reboot your system after the upgrade.
On April 14, the said malware became available through a release by the Shadow Brokers, a group that last year claimed to have stolen cyber weapons from the NSA. As mentioned previously, the attack used malicious software known as WannaCry, which exploited a vulnerability in Windows. A user who hadn't installed the security update for Windows released in March was left vulnerable to the attack.
When the Shadow Brokers dump became available, people in the security industry realized that most people couldn't install a patch. That was especially true for those on Windows XP, for which there was no patch. Unfortunately, most NHS computers are still running that operating system.