A security researcher who goes by the online handle MalwareTech is the hero of the day, albeit an accidental one, after saving countless computers worldwide from a virulent form of ransomware called Wana Decrypt0r (also referred to as WCry, WannaCry, WannaCrypt, and WanaCrypt0r).
What MalwareTech did was spend around £10 to register a domain he found hard-coded in the ransomware sample.
The researcher discovered that the virulent, self-spreading Wana Decrypt0r ransomware performed a check, before infecting anything, against a domain located at iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.
If the domain was unregistered, the connection failed and the ransomware went on to spread and encrypt files. If the domain was registered, the connection succeeded and the ransomware stopped its infection process.
By registering this domain, MalwareTech had accidentally triggered a worldwide kill switch for the ransomware's self-spreading feature. The flip side for defenders is that the domain must stay reachable from their networks: a host that cannot reach the now-registered domain behaves exactly as if the domain were unregistered, so blocking it at the perimeter would re-enable the infection.
Some analysts are suggesting by sinkholing the domain we stopped the infection? Can anyone confirm? — MalwareTech (@MalwareTechBlog) May 12, 2017
I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental. — MalwareTech (@MalwareTechBlog) May 13, 2017
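The following Python is an added illustration, not code from the article or from MalwareTech, of two things: the decision the sample makes after its kill-switch lookup (modelled with an injectable connector so it runs offline), and a hunt over DNS resolver logs for hosts that looked the domain up, which identifies machines the worm already reached even if the sinkhole kept them from encrypting. The log lines are constructed for the example. One detail the article does not mention but which analysts confirmed from the sample is that the request is issued directly and ignores system proxy settings, which is why hosts that could only reach the internet through a proxy could still be encrypted.

```python
"""Kill-switch semantics of the Wana Decrypt0r strain and a DNS-log hunt.

Added example, not code from the article or from MalwareTech.
"""
import re
from typing import Callable, Dict

KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


def should_proceed(direct_http_get: Callable[[str], bytes]) -> bool:
    """Model of the sample's check.

    `direct_http_get` stands in for the single direct HTTP request the
    sample makes (hypothetical connector; the real sample does not use the
    system proxy).  Any successful response means the domain is registered
    and the malware exits; a failed request (unregistered domain, or simply
    unreachable from this host) means it proceeds to spread and encrypt.
    """
    try:
        direct_http_get(KILL_SWITCH_DOMAIN)
    except OSError:
        return True   # request failed -> behave as if unregistered -> proceed
    return False      # request succeeded -> registered -> abort


# Constructed BIND-style query log lines for illustration, not real data.
SAMPLE_DNS_LOG = """\
12-May-2017 13:02:11.120 queries: info: client 10.20.30.41#51123: query: www.example.com IN A + (10.0.0.53)
12-May-2017 13:02:14.531 queries: info: client 10.20.30.77#49877: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.53)
12-May-2017 13:02:14.602 queries: info: client 10.20.30.77#49878: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.53)
12-May-2017 13:03:01.007 queries: info: client 10.20.31.9#53211: query: update.microsoft.com IN A + (10.0.0.53)
12-May-2017 13:04:45.900 queries: info: client 10.20.31.9#53340: query: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. IN A + (10.0.0.53)
"""

QUERY_RE = re.compile(
    r"client (?P<ip>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN"
)


def hunt_kill_switch_lookups(log_text: str) -> Dict[str, int]:
    """Return {client_ip: lookup_count} for hosts that resolved the domain.

    A lookup means the dropper already executed on that host: the worm got
    in, so the machine is compromised and still unpatched even if the
    sinkhole stopped it from encrypting.  Matching is case-insensitive and
    tolerates a trailing dot, which some resolvers log.
    """
    hits: Dict[str, int] = {}
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        if qname == KILL_SWITCH_DOMAIN:
            ip = m.group("ip")
            hits[ip] = hits.get(ip, 0) + 1
    return hits


if __name__ == "__main__":
    # Simulated connectors: sinkholed (registered) vs unregistered domain.
    def sinkholed(host: str) -> bytes:
        return b"HTTP/1.1 200 OK"

    def unregistered(host: str) -> bytes:
        raise OSError("name resolution failed")

    print("proceeds when unregistered:", should_proceed(unregistered))
    print("proceeds when sinkholed:   ", should_proceed(sinkholed))
    for ip, n in hunt_kill_switch_lookups(SAMPLE_DNS_LOG).items():
        print(f"{ip}: {n} kill-switch lookup(s); isolate and patch (MS17-010)")
```

Feed the hunt your own resolver or proxy logs: every client that appears in the result ran the dropper and should be isolated and patched regardless of whether files were encrypted.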
This doesn't mean the Wana Decrypt0r outbreak is over, but this particular version of the ransomware won't run anymore as long as the domain stays registered and reachable.
In the near future, the actors behind Wana Decrypt0r may well deploy a new version with a different domain, a different kill-switch mechanism, or no kill switch at all.
"It's very important everyone understands that all they [Wana Decrypt0r gang] need to do is change some code and start again," MalwareTech explained last night. "Patch your systems now!"
The Wana Decrypt0r ransomware spreads using a self-propagating mechanism derived from ETERNALBLUE, an NSA exploit for SMBv1 leaked by the Shadow Brokers. The vulnerability it exploits is closed by the patches included with Microsoft security bulletin MS17-010; disabling SMBv1 where it is not needed removes the attack surface as well.
Additionally, Microsoft has released an emergency update for operating systems that are no longer officially supported, such as Windows XP, Windows 8, and Windows Server 2003. Download links are provided in Microsoft's customer guidance for the WannaCrypt attacks.
People already infected with this ransomware will not get their files back just because the domain was registered; it only means that yesterday's strain will no longer infect new machines. Currently, there is no known method of breaking the ransomware's encryption.
The only viable way to recover files at the moment is restoring from backups taken before the infection; paying the ransom is a last resort, with no guarantee that the attackers will provide a working decryptor.
During yesterday's outbreak, MalwareTech also created a tracker for Wana Decrypt0r victims and a live map showing infections in real time, which has now fallen silent. Those affected can discuss this ransomware and receive support in the dedicated WanaCrypt0r & Wana Decrypt0r Help & Support Topic. Bleeping Computer has also published a technical analysis of the Wana Decrypt0r ransomware.