Really fascinating story at Ars Technica from the anonymous MalwareTech, the British security researcher who stopped last week’s ransomware attack in its tracks by registering an unused domain name:
You probably can’t picture a grown man jumping around with the excitement of having just been ransomwared, but this was me. The failure of the ransomware to run the first time and then the subsequent success on the second meant that we had in fact prevented the spread of Wanna Decryptor and prevented it ransoming any new computer since the registration of the domain. I initially kept quiet about this while I reverse engineered the code myself to triple check this was the case, but by now Darien’s tweet had gotten a lot of traction.
As the researcher explains, registering domains referenced by malware is a standard part of the security toolkit; it just so happens that in this case the malware was (perhaps erroneously) written so that it would not encrypt files if the domain could be reached.
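An added example, not from the Ars Technica story or from MalwareTech: once a referenced domain has been registered, the defender's next question is which hosts on the network actually performed the lookup, because any such host ran the malware and still needs isolation and patching. The script below triages that from resolver logs; the log format, the client addresses and the name `killswitch.example` are all constructed placeholders (the real domain is not given on this page), and it assumes, as a simplification, that an NXDOMAIN answer means the lookup happened before registration and a NOERROR answer means it happened after.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (hypothetical format: timestamp client query qtype qname rcode).
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:02Z 10.0.4.17 query A killswitch.example NXDOMAIN
2017-05-12T10:01:05Z 10.0.4.17 query A killswitch.example NXDOMAIN
2017-05-12T10:02:11Z 10.0.9.3 query A www.example.com NOERROR
2017-05-12T15:30:44Z 10.0.4.22 query A killswitch.example. NOERROR
2017-05-12T15:31:01Z 10.0.7.8 query A killswitch.example NOERROR
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qtype>\S+) (?P<qname>\S+) (?P<rcode>\S+)$"
)


def triage_killswitch_lookups(log_text, killswitch_domain):
    """Count lookups of the kill-switch domain per client, split by outcome.

    Assumption: NXDOMAIN means the domain was not yet registered, so the
    check failed and the sample would have gone on to encrypt; NOERROR means
    the domain was reachable, so the sample aborted. Either way the client
    executed the malware.
    """
    hosts = defaultdict(lambda: {"unregistered": 0, "sinkholed": 0})
    target = killswitch_domain.lower().rstrip(".")
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["qname"].lower().rstrip(".") != target:
            continue
        outcome = "sinkholed" if m["rcode"] == "NOERROR" else "unregistered"
        hosts[m["client"]][outcome] += 1
    return dict(hosts)


def classify_hosts(hosts):
    """Split triaged clients into those that may have been encrypted
    (at least one failed lookup) and those where only the sinkhole answered."""
    likely_encrypted = sorted(c for c, n in hosts.items() if n["unregistered"] > 0)
    spread_halted = sorted(c for c, n in hosts.items() if n["unregistered"] == 0)
    return {"likely_encrypted": likely_encrypted, "spread_halted": spread_halted}


if __name__ == "__main__":
    found = triage_killswitch_lookups(SAMPLE_DNS_LOG, "killswitch.example")
    print(classify_hosts(found))
```

Hosts in the `spread_halted` list were not ransomed, but the fact that they queried the domain at all shows the worm executed there, so they belong in the same remediation queue as the rest.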