A security researcher has told the BBC how he "accidentally" halted the spread of ransomware affecting hundreds of organisations, including the UK's NHS.
The man, known online as MalwareTech, was analysing the code behind the malware on Friday night when he made his discovery.
He first noticed that the software was trying to contact an unusual web address - iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - but this address was not connected to a website, because nobody had registered it.
So, every time the malware tried to contact the mysterious website, it failed - and then set about doing its damage.
MalwareTech decided to spend $10.69 (£8) and claimed the web address. By owning the web address, he could also access analytical data and get an idea of how widespread the ransomware was.
But he later realised that registering the web address had also stopped the malware trying to spread itself.
"It was actually partly accidental," he told the BBC, after spending the night investigating. "I have not slept a wink."
What happened?
Originally it was suggested that whoever created the malware had included a "kill switch" - a way of stopping it from spreading, perhaps if things got out of hand.
If that was the case, the act of registering the mysterious web address would trigger the kill switch.
But MalwareTech now thinks it was not a kill switch, but a way of detecting whether the malware was being run on a "virtual machine" - a secured, disposable environment that researchers use to inspect viruses.
While a real computer would not be able to access iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, a virtual machine might have artificially responded that it was a genuine website.
"The malware exits to prevent further analysis," MalwareTech wrote in a blog post.
"My registration... caused all infections globally to believe they were inside a [virtual machine] and exit… thus we initially unintentionally prevented the spread and further ransoming of computers."
The researcher has been called an "accidental hero" for slowing the spread of the malware.
"I would say that's correct," he told the BBC.
Does this mean the ransomware is defeated?
While the registration of the web address appears to have stopped one strain of the malware spreading, it does not mean the ransomware itself has been defeated.
Any files that were scrambled by the ransomware will still be held to ransom.
Security experts have also warned that new variants of the malware that ignore the "kill switch" will appear.
"This variant shouldn't be spreading any further, however there'll almost certainly be copycats," said security researcher Troy Hunt in a blog post.
MalwareTech warned: "We have stopped this one, but there will be another one coming and it will not be stoppable by us.
"There's a lot of money in this, there is no reason for them to stop. It's not much effort for them to change the code and start over."
Latest Stories
-
Ministry of Defence withdraws military protection for ineligible civilians
5 minutes -
Ethiopian troops ‘executed’ aid workers in Tigray war, charity says
16 minutes -
I’m ‘disappointed but not done’ with Putin, Trump tells BBC
18 minutes -
Today’s Front pages: Tuesday, July 15, 2025
41 minutes -
Fitch affirms UBA Ghana’s Credit Rating at ‘B-’, citing strong profitability and capital buffers
2 hours -
‘SafeCare is Changing Lives’: Gradually redefining quality care in Ghana
2 hours -
NSA Director General graces Teqball National Club Championship, calls for corporate support
2 hours -
Novo Nordisk and American Society of Hematology announce new initiative to help improve sickle cell disease care in Africa
3 hours -
Telecel Ghana rewards 12th Dream Car Promo Winner with brand-new Hyundai Creta
3 hours -
No vigilante group can defy a determined police – CDD Ghana’s Dr Kojo Asante
3 hours -
Grow For Me: Transforming Agriculture through mobile investment
3 hours -
Musk’s Grok signs $200m deal with Pentagon days after antisemitism row
4 hours -
10 Chinese nationals denied bail in gold case
4 hours -
Work-and-pay driver remanded for car theft
4 hours -
Man arrested for allegedly stealing prepaid meters
4 hours