On Friday, John took an initial look at that ransomware attack which went all over the planet, locking up computers and encrypting people’s files while demanding bitcoin payments to unlock them. It was obviously a serious incident with global implications, but it also ended rather quickly. What with all of the other news breaking at the same time it was an easy story to lose track of, but the “solution” (such as it was) makes for a very interesting tale in and of itself. The Washington Post has some of the details about the computer geek who brought an end to the crisis, and he admits that the resolution came about essentially by accident.
About 3 p.m. Eastern time, the specialist with U.S. cybersecurity enterprise Kryptos Logic bought an unusually long and nonsensical domain name ending with “gwea.com.” The 22-year-old says he paid $10.69, but his purchase might have saved companies and governmental institutions around the world billions of dollars.
By purchasing the domain name and registering a website, the cybersecurity researcher claims that he activated a kill switch. It immediately slowed the spread of the malware and could ultimately stop its current version, cybersecurity experts said Saturday. Britain’s National Cyber Security Center confirmed Saturday that it was collaborating with the 22-year-old and other private researchers to stop the malware from spreading.
Even if you have very little interest in the geek world, this was a fascinating story which could make for a decent techno-thriller script. With all of those computers around the globe shut down, cyber-security folks quickly got hold of the code for the malware and began digging through it. But if this attack had followed any of the usual patterns, a fix might have been a long time coming for millions of people, and who knows how much data might have been lost. Generally there would be some sort of Windows update required that would have to be pushed out and installed. And yet within twenty-four hours the attack was basically “turned off.”
The anonymous researcher was looking through the code and found some insanely long URL composed of mostly random letters that nobody would ever be able to remember. It’s not exactly the sort of domain name you’d purchase for your new web site. And even more curious was the fact that the domain name didn’t even exist. Nobody had registered it. That’s when the researcher had the almost random idea of purchasing and registering the domain just to see what would happen. As soon as he did it, the malware shut down as if a “kill switch” had been activated.
Not that I understand all the nuts and bolts underneath such coding, but they’re describing it as a case where the malware was pinging that non-existent URL as part of its base functions. As long as there was no response received it kept on running. But as soon as the domain came to life and answered all of those computers, the ransomware shut off. And it was “fixed” because this one guy (who was on vacation at the time) decided to drop ten bucks on registering the URL.
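The behaviour just described also gives defenders something to look for. As an added illustration (not code from this post, the Washington Post, or the researcher), here is a small script that scans DNS resolver logs for hosts that looked up the kill-switch domain; the full domain is not reproduced here, so a placeholder label on the gwea.com suffix stands in for it, and the log lines are constructed samples.

```python
import re
from collections import defaultdict

# Placeholder: the post gives only the "gwea.com" suffix, not the full domain.
KILL_SWITCH_DOMAIN = "PLACEHOLDER-KILLSWITCH-LABEL.gwea.com"

# Constructed sample resolver log lines (not real data). The first three lookups
# happened while the domain was still unregistered (NXDOMAIN); the last one
# happened after it was registered and answered (NOERROR).
SAMPLE_LOG = """\
2017-05-12T14:01:07Z client=10.0.3.17 qname=PLACEHOLDER-KILLSWITCH-LABEL.gwea.com rcode=NXDOMAIN
2017-05-12T14:01:09Z client=10.0.3.17 qname=update.example.net rcode=NOERROR
2017-05-12T14:02:40Z client=10.0.5.88 qname=PLACEHOLDER-KILLSWITCH-LABEL.gwea.com rcode=NXDOMAIN
2017-05-12T19:15:02Z client=10.0.7.4 qname=PLACEHOLDER-KILLSWITCH-LABEL.gwea.com rcode=NOERROR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) rcode=(?P<rcode>\S+)$"
)


def malware_kept_running(rcode):
    """Per the post: no answer (NXDOMAIN) meant the malware kept going;
    an answer meant it shut itself off. Either way the host ran it."""
    return rcode == "NXDOMAIN"


def find_kill_switch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: [(timestamp, rcode, kept_running), ...]} for every
    host that queried the kill-switch domain. Any such host needs triage:
    a normal machine has no reason to resolve that name."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not match the expected format
        if m["qname"].lower() != domain.lower():
            continue
        hits[m["client"]].append((m["ts"], m["rcode"], malware_kept_running(m["rcode"])))
    return dict(hits)


if __name__ == "__main__":
    for client, events in find_kill_switch_lookups(SAMPLE_LOG).items():
        for ts, rcode, running in events:
            state = "kept running" if running else "shut itself off"
            print(f"{client} queried kill-switch domain at {ts} ({rcode}): malware {state}")
```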
But here’s the question that the experts are asking and it’s probably even more of a mystery. Why? Why would the developer of the ransomware put in a kill switch which could shut down his creation globally? It’s not as if he’d be in less trouble (assuming he’s ever caught) because he didn’t ruin as many systems around the world. And if he was the one to register the URL to activate the kill switch, wouldn’t that leave something of a breadcrumb trail leading back to him? It just doesn’t make any sense.
The researcher who figured it out is predicting that more of these attacks are on the way. I’m not suggesting that he’s actually responsible for the initial attack or is involved in any way, but something here just doesn’t add up. No… I don’t have a suggestion as to how to solve this deeper mystery (assuming such exists) or who was responsible, but something here simply doesn’t pass the smell test at first glance. The one thing I absolutely do believe, however, is that they’re right about this not being over. There’s likely more (and worse) to come.