A British cyber expert has told how he jumped around in excitement after discovering a kill switch which halts the global spread of the malicious software currently infecting the NHS and organisations in more than 100 countries.
The 22-year-old researcher has been hailed as an 'accidental hero' online.
The anonymous blogger discovered that upon infecting a new computer, the virus contacts a remote web address and only starts taking files hostage if it finds that address unreachable.
But if it can connect, the WannaCry program terminates itself - a function likely installed by its creator as a failsafe in case the software became uncontrollable.
By discovering the web address was unregistered, and purchasing it for less than £10, the researcher, who tweets from @MalwareTechBlog, was able to redirect 5,000 connections per second to a harmless “sinkhole” server.
So I can only add "accidentally stopped an international cyber attack" to my Résumé. ^^ — MalwareTech (@MalwareTechBlog) May 13, 2017
In an update posted moments ago, he explained how at 6.30pm on Friday, after experimentation, he learned that by showing infected computers the domain was now registered, the ransomware became inactive.
He wrote: “You probably can’t picture a grown man jumping around with the excitement of having just been ransomwared, but this was me.
“The failure of the ransomware to run the first time and then the subsequent success on the second meant that we had, in fact, prevented the spread of the ransomware and prevented it ransoming any new computer.”
I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental. — MalwareTech (@MalwareTechBlog) May 13, 2017
The process was not entirely accidental: he registered several thousand domains in the last year in his work combating computer viruses.
But no one anticipated that simply registering the domain would halt the spread of this attack.
However, he warned online followers that his fix was not a permanent solution, tweeting: “So long as the domain isn't revoked, this particular strain will no longer cause harm, but patch your systems ASAP as they will try again.”
Darien Huss, 28, who works for US cybersecurity firm Proofpoint, called the British researcher a “hero.”
Mr Huss, who collaborated with the Brit behind MalwareTechBlog, told The Telegraph that a repeat or copycat attack should be expected “very soon” because of the simplicity of the attack and the ease of replicating it.