A British security researcher and blogger says his solution to the epidemic spread of malicious ransomware happened accidentally.
The computer expert, who is known online as MalwareTech, said he was studying the malware’s computer code Friday night when he made an unusual discovery. The malware was attempting to connect to a particular location on the Internet: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea. The attempt failed because there is no such website. Nobody had ever registered such a domain.
MalwareTech saw that the software tried to contact the website, failed, and only then established the login-blocking ransomware screen that rendered infected computers unusable.
On a hunch, the blogger registered the domain. This, he figured, would allow him to log connection attempts and determine how widespread the ransomware infection was.
But it turned out that registering the domain also stopped the malware dead in its tracks. When infected computers successfully reached the website, they shut down before encrypting and locking the hard drives of infected computers.
It is hard to say why the ransomware authors set their malware to shut down this way. Some analysts believe the feature is a sort of “kill switch” that would led them prevent the malware from spreading if infection rates got out of hand.
MalwareTech disagrees. He thinks the ransomware halts execution to prevent analysis when successfully connecting to the server reveals that the code is being studied.
Although registering the odd domain halted this particular malware epidemic, it won’t have any effect on future ransomware exploits. And hard drives that are already encrypted by the malware are still being held hostage.
Said MalwareTech, "We have stopped this one, but there will be another one coming and it will not be stoppable by us. There's a lot of money in this, and there is no reason for them to stop. It's not much effort for them to change the code and start over."