After a wave of malware attacks crippled NHS trusts and hit hundreds of thousands of computers in 150 countries over the weekend, its spread was critically slowed by one 22-year-old cyber-security guru: Marcus Hutchins of southwest England. Hutchins stumbled on the kill switch mostly by accident after registering a single suspicious domain name.
Speaking to The Guardian under the pseudonym MalwareTech, Hutchins explained how he single-handedly put a stop to one of the largest-scale ransomware attacks ever perpetrated. First, the youthful sleuth unearthed a sample of the malware behind the attack. The malware would make an external request out to one very long, nonsensical domain name, as if it were making a request to a website at that URL.
But the domain name did not resolve to any website. In fact, the domain wasn’t even registered, which meant that it would just lead to a dead end. Hutchins decided to register the peculiar domain name himself (it reportedly cost him about ten bucks), hoping it would help to track the virus.
Right away, Hutchins’ new domain name started getting thousands of connections per second. But then something even crazier happened: the malware’s spreading significantly slowed. Registering the domain had thrown a kill switch.
What is ransomware? A type of malicious software that locks an internet-enabled device, like a computer or smartphone, and demands the owner pay a ransom to unlock it. However, there’s never any guarantee that paying up will unlock the device.
How does ransomware work? Ransomware is commonly sent as a seemingly innocuous email attachment. Opening the attachment encrypts the device’s hard drive, barring the owner from accessing anything stored there.
How The Kill Switch Worked
As Hutchins discovered, the WannaCry malware was hard-coded to make continual requests to the domain name Hutchins found. As long as the domain name was not registered (as would likely remain the case, since it was a lengthy string of random characters), the request would fail, and the attack would carry on.
However, if the malware ever sent a request that revealed that the domain was active, the kill switch would be triggered. So if the attacker ever decided to pull the plug, all he’d have to do is register the domain name. Hutchins had simply beaten him to the punch by registering the name first.
Although Hutchins’ actions killed the malware and likely saved hundreds of thousands of people around the world, his victory is less than decisive in the larger fight against WannaCry. New versions of the virus have already appeared assigned to different domain names. Registering one of these domains still acts as a kill switch to the virus it’s assigned to, but this has left security experts playing cyber-whack-a-mole as new iterations of the virus pop up.
All the while, the attackers (or copycats) are almost certainly working on more sophisticated versions of the virus — ones with a different kill switch, or no kill switch at all.
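The behaviour described above, an infected machine repeatedly asking DNS for a long, nonsensical name that does not exist, is something a defender can spot in resolver logs before any domain is registered. The following is an added example (not code from the article or from Hutchins) that scans constructed DNS log lines for hosts repeatedly getting NXDOMAIN on a long, high-entropy name; the domain, IP addresses and thresholds are all made up for illustration.

```python
import math
from collections import Counter

# Constructed resolver log (client, queried name, response code); not taken from the article.
# The long random-looking label mimics the kind of unregistered name WannaCry polled.
SAMPLE_DNS_LOG = """\
10.0.0.12 www.example.com NOERROR
10.0.0.12 xq7vpdlfzs3wkmbncaytreugh9o2jpqrsbvwxyzlk.example NXDOMAIN
10.0.0.12 xq7vpdlfzs3wkmbncaytreugh9o2jpqrsbvwxyzlk.example NXDOMAIN
10.0.0.12 xq7vpdlfzs3wkmbncaytreugh9o2jpqrsbvwxyzlk.example NXDOMAIN
10.0.0.33 mail.example.org NOERROR
10.0.0.33 cdn.example.net NOERROR
10.0.0.33 typo-in-hostname.example.com NXDOMAIN
10.0.0.45 xq7vpdlfzs3wkmbncaytreugh9o2jpqrsbvwxyzlk.example NXDOMAIN
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score high, real words score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(name: str, min_len: int = 20, min_entropy: float = 3.5) -> bool:
    """True if any DNS label is both long and high-entropy (a 'nonsensical' name)."""
    return any(len(lbl) >= min_len and shannon_entropy(lbl) >= min_entropy
               for lbl in name.lower().split("."))


def find_beaconing_hosts(log_text: str, min_hits: int = 3) -> dict:
    """Map client -> suspicious name for clients that repeatedly get NXDOMAIN on a
    random-looking name, the pattern of polling an unregistered kill-switch domain."""
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, qname, rcode = parts
        if rcode == "NXDOMAIN" and looks_random(qname):
            hits[(client, qname)] += 1
    return {client: qname for (client, qname), n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for client, qname in find_beaconing_hosts(SAMPLE_DNS_LOG).items():
        print(f"{client} repeatedly queried unregistered random-looking name {qname}")
```

Once a kill-switch name has been registered or sinkholed, those queries start answering NOERROR, so at that point match on the known name rather than on the NXDOMAIN filter.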
How To Help Protect Yourself From WannaCry
The WannaCry ransomware currently only affects Microsoft Windows operating systems by exploiting a security vulnerability. Microsoft released a security update to fix this vulnerability back in March, but users who have not updated remain vulnerable. Since the virus spreads itself without requiring input from the user (like opening an infected email attachment, for example), all devices that do not have the update are at risk of being infected. If you use a Windows-based machine, you should update your copy of Windows immediately.
And even if you’re a non-Windows user, you should not let down your guard. The WannaCry threat has not been eliminated, and attacks could easily spike again soon. Keep your machine’s operating system up to date, and keep your ear to the ground.