How an Accidental 'Kill Switch' Slowed Friday's Massive Ransomware Attack

The ransomware that swept the internet isn't dead yet. But one researcher managed to at least slow it down.
This image may contain Green
Getty Images

Amid a desperate situation Friday in which hundred of thousands of ransomware attacks pelted computers in nearly 100 countries, one stroke of good fortune hit, too. As the malware analysis expert who calls himself MalwareTech rushed to examine the so-called WannaCry strain, he stumbled on a way to stop it from locking computers and slow its spread. All it took was ten bucks, and a little luck.

WannaCry swept Europe and Asia quickly yesterday, locking up critical systems like the UK's National Health Service, a large telecom in Spain, and other businesses and institutions around the world, all in record time. Once infected, a victim's computer denies access, and instead displays a message that demands the equivalent of around $300 in bitcoin.

While many thousands have had their lives impacted---including countless people in need of medical care in the UK---two things have slowed WannaCry's spread. First, Microsoft released a rare emergency patch to help protect Windows XP devices from its reach. (The company hasn't officially supported XP since 2014.) That helps the many aging systems with no security resource get ahead of infection, if they can download the patch before WannaCry hits. The other, though, was MalwareTech's happy accident.

Kill Switch

As he worked to reverse-engineer samples of WannaCry on Friday, MalwareTech discovered that the ransomware's programmers had built it to check whether a certain gibberish URL led to a live web page. Curious why the ransomware would look for that domain, MalwareTech registered it himself. As it turns out, that $10.69 investment was enough to shut the whole thing down---for now, at least.

It turned out that as long as the domain was unregistered and inactive, the query had no effect on the ransomware’s spread. But once the ransomware checked the URL and found it active, it shut down.

Competing theories exist as to why WannaCry's perpetrators built it this way. One possibility: The functionality was put in place as an intentional kill switch, in case the creators ever wanted to rein in the monster they'd created. “Based on the behavior implemented in the code, the kill switch was most likely intentional,” says Darien Huss, senior security research engineer at the security intelligence firm Proofpoint, who was working on real-time WannaCry analysis and mitigation on Friday.

MalwareTech theorizes that hackers could have included the feature to shield the ransomware from analysis by security professionals. That sort of examination often takes place in a controlled environment called a "sandbox." Researchers construct some of these environments to trick malware into thinking it's querying outside servers, even though it's really talking to a bunch of dummy sandbox IP addresses. As a result, any address the malware tries to reach gets a response---even if the actual domain is unregistered. Since the domain MalwareTech acquired was supposed to be dormant but went live, WannaCry may have assumed it was in the middle of forensic analysis, and shut down.

Building anti-analysis defenses into malware is common, but the WannaCry hackers appear to have botched the implementation. By relying on a static, discoverable address, whoever found it---in this case MalwareTech---could just register the domain and trigger WannaCry's shutdown defense.

“It was all pretty shocking, really,” MalwareTech says. The kill switch “was supposed to work like that, just the domain should [have been] random so people can’t register it.”

A Temporary Fix

The kill switch doesn't help devices WannaCry has already infected and locked down. But by registering the domain, and then directing the traffic to it into a server environment meant to capture and hold malicious traffic---known as a “sinkhole”---MalwareTech bought time for systems that hadn’t already been infected to be patched for long-term protection, particularly in the United States where WannaCry was slower to proliferate because its spread had mostly been in Europe and Asia early on.

"Thankfully MalwareTech already had infrastructure in place for the sinkhole," Huss says. "If someone had sinkholed the domain and had not been prepared then we would be seeing many more infections right now." If the setup doesn't have those enough server space and bandwidth, the malware wouldn't consistently become trapped and, in this case anyway, self-destruct.

With so many security analysts working to reverse-engineer and observe WannaCry, someone else would have eventually found the valuable mechanism MalwareTech spotted. But when infections are spreading as quickly as they were on Friday, every minute counts.

The discovery doesn't amount to a permanent fix. All it would take to get around it would be a new strain of WannaCry whose code excludes the kill switch, or relies on a more sophisticated URL generator instead of a static address. And the more fundamental problem of vulnerable devices, particularly Windows XP devices, remains. Still, MalwareTech's find helped turn a bad situation around---and saved people a lot of bitcoin in the process.