Last Friday, a huge cyber-attack infiltrated and crippled the computer systems of hospitals, schools, companies and government organizations, until a 22-year-old accidentally shut it down. The malicious software had hit a reported 100,000 computers within hours of its release early that morning. As the ransomware spread through networks, reportedly by exploiting a known Microsoft Windows vulnerability, users were greeted with pop-ups stating that their files had been encrypted and would only be released once a payment was made for the key.

Almost 100 countries in Europe and Asia were hit by this worm-like malware before UK cyber-security researcher Marcus Hutchins, investigating the spread, unknowingly flipped a hidden kill switch and seemingly stopped it in its tracks. The 22-year-old, known online by his pseudonym MalwareTech, noticed that as soon as the software installed itself on a machine, it tried to contact an unregistered web address.

This prompted him to register the domain for tracking purposes, which brought the ransomware's spread to a halt. The “kill switch” was apparently built into the program by its creators and was discovered by Hutchins entirely by accident.

Although the “kill switch” may have rendered the malware inactive for the moment, the coming week may see another round of its destructive abilities. The switch has curbed the spread of the ransomware, but slight code tweaking by the cybercriminals could put the cyber world on the back foot once again as remaining infected systems are brought back online.

The ransomware rundown

The WannaCry ransomware was initially reported to enter a network via phishing emails. Once running on one machine, it spreads indiscriminately, worm-like, to any reachable Windows computer by exploiting a flaw in the Windows file-sharing (SMB) service, so a single infection can compromise an entire network without anyone else clicking a link. The exploit is believed to come from a recently leaked NSA toolkit, which exposed the Windows flaw that allows the intrusion.

The ransomware encrypts the files on the computer and holds them until a fee is paid; in this case, it demanded $300 in Bitcoin. This was until Hutchins inadvertently put a spanner in the works. By registering the web address, he sink-holed the domain name hard-coded into the malware, halting its spread. Sink-holing means pointing all traffic for that domain at an isolated server the researcher controls, which answers the malware's request and logs where it came from. Because the malware gives up whenever the domain answers, this effectively prevents propagation, and the sinkhole's connection logs reveal which machines are infected.

There are conflicting opinions about the reason for the kill switch. Some speculate that the hackers built it in intentionally so they could rein in their creation should the need arise. Others think the design is an attempt to shield the software from sandbox analysis. Such analysis commonly runs a sample in an environment with fake DNS, so that any address the malware tries to reach resolves and gets a valid response, which keeps the sample talking and exposes its behavior to the analyst.

Because the domain that Hutchins registered now gave a response, WannaCry may thus have assumed it was under investigation by security analysts and shut itself down. Such anti-analysis checks are common in malware, but the weakness in this particular one was that the domain was a single, static address written plainly into the code, where anyone examining the binary could find it and register it.

How do you stop the unstoppable?

However, this may be just a band-aid in the grand scheme of things. Experts report that they expect more attacks. The domain registration stopped the initial wave, but the threat remains: the criminals need only re-code the malware to check a different domain, or remove the domain check altogether, and re-release it to cause another wave of damage and chaos. According to security analysts, this is exactly what happened over the weekend.
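The following Python model, added here to illustrate the kill switch described above and the re-coded variants mentioned in this paragraph, is not WannaCry's code. It models the malware's gate as "does a plain HTTP connection to the hard-coded domain succeed?", runs that gate against the situations the article describes (unregistered domain, sinkholed domain, analysis sandbox with fake DNS, a variant with the check stripped out), and then shows what a sinkhole operator or network defender does with the traffic: any host that looked up the domain has executed the malware. `KILL_SWITCH_DOMAIN` is a placeholder, not the real domain, and the DNS log lines are constructed for the example. The proxy-only case is a known caveat of the original check, which made a direct connection with no proxy support.

```python
"""Model of the WannaCry domain kill switch, the sinkhole that tripped it,
and what a defender can do with the resulting DNS traffic.

Added illustration written for this article, not WannaCry's own code.
KILL_SWITCH_DOMAIN is a placeholder, not the real domain, and the DNS log
lines below are constructed for the example.
"""
import re
from typing import Callable, Dict, Set

# Placeholder standing in for the hard-coded domain (hypothetical name).
KILL_SWITCH_DOMAIN = "killswitch-placeholder.invalid"

# A network is modelled as: given a host name, does a plain HTTP connection
# to it succeed? That is all the malware's check needs to know.
Network = Callable[[str], bool]


def real_internet(registered: Set[str]) -> Network:
    """Only registered names resolve and answer; anything else fails."""
    return lambda host: host in registered


def analysis_sandbox() -> Network:
    """Sandboxes often fake DNS so every name resolves and answers, to keep
    a sample talking; this is the behaviour the check is thought to detect."""
    return lambda host: True


def proxy_only_network() -> Network:
    """Known caveat: the original check made a direct HTTP connection with no
    proxy support, so on a proxy-only network it fails and the malware runs
    even after the domain has been sinkholed."""
    return lambda host: False


def should_propagate(net: Network, check_domain: bool = True) -> bool:
    """The kill-switch gate. If the hard-coded domain answers, the malware
    exits; if the connection fails, it proceeds to encrypt and spread.
    check_domain=False models a re-coded variant with the check stripped."""
    if not check_domain:
        return True
    return not net(KILL_SWITCH_DOMAIN)


# Constructed DNS resolver log: timestamp, client IP, "query", type, name.
DNS_LOG = f"""\
2017-05-12T07:44:10Z 10.0.3.17 query A {KILL_SWITCH_DOMAIN}
2017-05-12T07:44:11Z 10.0.3.17 query A updates.example.net
2017-05-12T07:51:02Z 10.0.8.201 query A {KILL_SWITCH_DOMAIN}
2017-05-12T07:52:30Z 10.0.5.44 query A www.example.com
2017-05-12T08:02:45Z 10.0.3.17 query A {KILL_SWITCH_DOMAIN}
"""

LOG_LINE = re.compile(r"^(\S+) (\S+) query \S+ (\S+)$")


def hosts_that_tripped_the_switch(log: str, domain: str) -> Dict[str, int]:
    """Return client IP -> number of lookups of the kill-switch domain.

    The check runs before the payload, so any host that looked the domain up
    has executed the malware, whether or not the sinkhole then stopped it.
    This is how sinkhole operators located infected machines."""
    hits: Dict[str, int] = {}
    for line in log.splitlines():
        m = LOG_LINE.match(line.strip())
        if m and m.group(3).lower() == domain.lower():
            hits[m.group(2)] = hits.get(m.group(2), 0) + 1
    return hits


def scenarios() -> Dict[str, bool]:
    """Outcome of the gate (True = spreads) in each situation in the article."""
    sinkholed = real_internet({KILL_SWITCH_DOMAIN})
    return {
        "unregistered domain (Friday morning)": should_propagate(real_internet(set())),
        "domain registered and sinkholed": should_propagate(sinkholed),
        "analysis sandbox with fake DNS": should_propagate(analysis_sandbox()),
        "proxy-only network, domain sinkholed": should_propagate(proxy_only_network()),
        "variant with check removed": should_propagate(sinkholed, check_domain=False),
    }


if __name__ == "__main__":
    for name, spreads in scenarios().items():
        print(f"{name:40} -> {'SPREADS' if spreads else 'exits'}")
    print(hosts_that_tripped_the_switch(DNS_LOG, KILL_SWITCH_DOMAIN))
```

Run it and the gate spreads only in the first, fourth and fifth scenarios: registering the domain stops the original code, but not a proxied host that cannot reach the sinkhole directly, and not a variant that never asks. The log scan is the defensive half of the same trick: a query for the kill-switch domain in your resolver logs is evidence the malware ran on that client, which is worth alerting on regardless of whether the sinkhole then stopped it.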

Microsoft had already patched the Windows flaw for supported versions of the operating system in March, but many systems had never applied that update; on Friday it took the unusual step of also releasing the fix for unsupported versions such as Windows XP. Many fear even that is too late. The timing of the release, on a Friday, meant that most people were already logged off for the day by the time the fix appeared. Furthermore, at least two versions of the software are making the rounds, compounding the fears of cybersecurity agencies. The extent of the damage is likely to be seen only this week, as people turn on their computers.

It is mission critical for organizations to ensure their systems have all the recommended patches installed, above all the Windows update that closes the file-sharing flaw this worm exploits, and that they have tested, offline backups in place, since any backup the ransomware can reach over the network is a backup it will encrypt. Current research suggests that new ransomware variants appear every 48 hours, making the battle for cybersecurity an ongoing and reactive one.

Microsoft’s president, Brad Smith, even as the company pushed out updates to curb the issue, argued that culpability lies with governments for “stockpiling vulnerabilities”, since such tools, once leaked, give hackers the opportunity to access sensitive information. Whoever is at fault, attention must now focus on making systems resilient to these attacks.

This article is published as part of the IDG Contributor Network.