Skip to main content

Registering a single web address may have stopped a global malware attack

Registering a single web address may have stopped a global malware attack


Finding the kill switch

Share this story

Ethernet / Internet (stock)

Over the past 24 hours, a ransomware program called WannaCry has shut down more than 75,000 computers across 99 countries, including a string of hospitals in the United Kingdom and critical gas and water utilities in Spain. But despite the massive scale of the attack, stopping new infections from the attack seems to have been as simple as registering a single web address.

This morning, researchers announced they had found a kill switch in the code of the ransomware program — a single domain which, when registered, would prevent any infections from taking place. It’s still unclear whether registering that domain will stop every strain of the infection, but it should severely limit the global spread of the attack.

Researchers found a kill-switch and flipped it

The crucial web address is found in a small section of code, the purpose of which is still unclear. When the program is infecting a new computer, it first checks an obscure web address — — to see if the domain is registered. As long as the domain is unoccupied, the infection proceeds, encrypting the computer’s hard drive and locking it down until the ransom is paid.

That feature was first noticed by a 22-year-old UK researcher who writes under the name MalwareTech. As an experiment, MalwareTech registered the domain; now when the program ran its check, it found the web address registered and occupied. Only later did the effect of that move become clear: occupying the domain prevented any new infections from taking place. When the ransomware discovers the domain is occupied, it abruptly stops the installation process, leaving the larger system unaffected. The result is a major protection for computers still vulnerable to the attack: even if the ransomware software ends up running on your computer, the flipped kill switch will stop it from holding you for ransom.

It’s still unclear why the ransomware included such a kill switch. Some have speculated it may have been a way for the creator to shut down the system remotely, although there’s no indication that he or she decided to do so. MalwareTech has a different theory: checking the domain was a way to keep the ransomware from being spotted by malware researchers. If the program were being run in a controlled “sandbox” environment, commonly used by researchers to examine code without exposing themselves to malware, the domain may well have come back as occupied as a result of the limitations of the sandbox. In those cases, preventing installation would have been a useful trick.

Flipping the kill switch may not stop the WannaCry ransomware entirely. It’s unclear how many of the observed infections were the result of the specific strain of malware analyzed by MalwareTech. Beyond that, it would be easy for the authors to send out a new version of the ransomware with a different domain or no kill-switch protocol at all. Still, as Microsoft users rush to patch the vulnerability — and hospitals try to regain control of their IT systems — this clever bit of code analysis may have saved more than a few lives.