openpolitics.com

‘Accidental hero’ halts ransomware attack and warns: this is not over

Expert who stopped spread of attack by activating software’s ‘kill switch’ says criminals will ‘change the code and start again’

I was out having lunch with a friend and got back about 3pm and saw an influx of news articles about the NHS and various UK organisations being hit,” he told the Guardian. “I had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time.”

The kill switch was hardcoded into the malware in case the creator wanted to stop it spreading. This involved a very long nonsensical domain name that the malware makes a request to – just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading. The domain cost $10.69 and was immediately registering thousands of connections every second.

 .. MalwareTech said he preferred to stay anonymous “because it just doesn’t make sense to give out my personal information, obviously we’re working against bad guys and they’re not going to be happy about this.”

.. He warned people to patch their systems, adding: “This is not over. The attackers will realise how we stopped it, they’ll change the code and then they’ll start again. Enable windows update, update and then reboot.”

.. By Friday evening, the ransomware had spread to the United States and South America, though Europe and Russia remained the hardest hit