Devastating ransomware attacks that crippled the NHS and targeted over 70 countries just before the start of the weekend have shocked the world. The ransomware was linked to NSA exploits leaked by the infamous Shadow Brokers hacker group in April. However, the propagation of the attacks was stopped by an "accidental hero" – a security researcher who found and implemented a kill switch, stemming the flow of attacks.
The security researcher going by the handle malwaretechblog on Twitter registered the domain used by the malware, which in turn allowed the kill switch to take effect, thereby stopping the spread of the attacks.
The Guardian reported that the kill switch came hardcoded into the ransomware to allow the attacker or attackers to stop its propagation. Malwaretechblog, with the assistance of Darien Huss from Proofpoint, implemented the kill switch, which gave people in the US more time to defend against the attacks. However, the solution came too late to help those already affected by the attacks in Europe and Asia.
"They get the accidental hero award of the day," Proofpoint's Ryan Kalember told The Guardian. "They didn't realize how much it probably slowed down the spread of this ransomware."
According to researchers at Symantec, there's currently no decryptor available for this particular strain of ransomware. This means that those already infected will either have to pay the ransom demanded by hackers or wait until a decryptor is developed and released.
"As far as I'm aware there is still no way to get data back other than paying the ransomware (which also doesn't guarantee recovery)," MalwareTech told IBTimes UK. The researcher also explained that if the registered domain is revoked, the attacks may start once again. "The chances of the domain being revoked are low, but this won't stop any new attack if they change the malware to not use our domain so people need to patch now," MalwareTech warned.
When asked how long it may take for a decryptor to be developed, MalwareTech responded, "It depends if it's possible. Strong and properly implemented cryptography would prevent any decryptor being made."
Graeme Newman, chief innovation officer at CFC Underwriting, a firm that provides cyberinsurance, told IBTimes UK that attacks like these could cost UK businesses over £100m ($128m). The firm also said that it has already seen "a significant spike in claims" following the attacks.
"It's clear now from news reports and CFC's own claims data that the NHS isn't the only business being affected by this," Newman said. "Ransomware has been around for many years, but this particular strain is one of the fastest-spreading and most damaging that we've seen. If it continues at its current rate, it's easy to see how this could end up costing UK businesses in excess of £100m."
The ransomware hit the NHS the hardest, with surgeries and even X-rays cancelled or rescheduled. However, it remains unclear whether the NHS will pay the ransom demanded. The NHS said in a statement that it is working with the National Cyber Security Centre (NCSC) to mitigate the incident, but refrained from saying anything about the ransom demands.
Security firms are still scrambling to investigate the attacks to uncover further details on how they originated. It remains unknown how many may have been affected by the global onslaught. According to Kaspersky Lab, the WannaCry ransomware targeted over 74 countries, launching over 45,000 attacks, with experts estimating that the true range of the attacks is likely to be "much, much higher".