The Spread:
Spread to host computers through exploits in network infrastructure (since patched).
Hold Drive Hostage:
Encrypt the user's files, then display a message demanding payment for the decryption key.
Repeat.
So a cyber security analyst who was digging through the code the worm uses to spread noticed something: a website URL was referenced in a few places. He tried to go to the website and found it didn't exist (the domain was unregistered). So he bought the domain for about $10 from a registrar like godaddy.com and pointed it at a sinkhole server, where the incoming connections couldn't do any damage. Almost as soon as he set this up, he was getting thousands of connections a second.
What happened?
The code he found basically (oversimplified) said:
- Try to connect to the website: qwhnamownflslwff.co
- If the website doesn't exist (the connection fails), keep on spreading.
- If the website exists (the connection succeeds), halt spreading of the malware.
Note: When we say the virus was "stopped", we are only talking about "The Spread". Machines that were already infected stayed encrypted; registering the domain only prevented further spreading.
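The kill-switch logic above, as an added example (this is my model of the behaviour the post describes, not the worm's own code or the analyst's). The "connection" is an injectable callable so it runs offline; the domain name is the placeholder from the post, not the real one; the FakeInternet and Sinkhole classes are constructed stand-ins for DNS and for the analyst's sinkhole server; and "spreading" is just a count. It also shows the caveat a practitioner would want: a host that cannot reach the sinkhole (blocked_connect, an assumed stand-in for a firewalled or proxied network) still sees the check fail and keeps spreading.

```python
"""Model of a domain-based kill switch and a sinkhole (added example, not WannaCry's code)."""
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict

# Placeholder domain from the post above, not the worm's real kill-switch domain.
KILL_SWITCH_DOMAIN = "qwhnamownflslwff.co"

# A connector raises OSError when the domain cannot be reached.
Connector = Callable[[str], None]


def domain_is_live(domain: str, connect: Connector) -> bool:
    """The worm's check: any successful connection counts, whatever the server replies."""
    try:
        connect(domain)
    except OSError:
        return False
    return True


def should_spread(domain: str, connect: Connector) -> bool:
    """Kill-switch semantics: unreachable domain -> keep spreading; reachable -> halt."""
    return not domain_is_live(domain, connect)


@dataclass
class Sinkhole:
    """Stand-in for the sinkhole server the domain was pointed at.

    It accepts every connection and only counts it: each hit is one infected
    host checking in, which is why registering the domain produced a flood.
    """
    hits: int = 0

    def accept(self) -> None:
        self.hits += 1


@dataclass
class FakeInternet:
    """Constructed stand-in for DNS: registered names reach a server, anything else fails."""
    registered: Dict[str, Sinkhole] = field(default_factory=dict)

    def register(self, domain: str, server: Sinkhole) -> None:
        self.registered[domain] = server

    def connect(self, domain: str) -> None:
        server = self.registered.get(domain)
        if server is None:
            raise OSError(f"{domain}: name does not resolve")
        server.accept()


def blocked_connect(domain: str) -> None:
    """Assumed stand-in for a host whose outbound HTTP is blocked or proxied:
    the check fails even though the domain is registered, so the worm keeps going."""
    raise OSError(f"{domain}: outbound connection blocked")


def real_connect(domain: str, port: int = 80, timeout: float = 3.0) -> None:
    """Non-simulated version of the check: a TCP connect to port 80, OSError on failure."""
    socket.create_connection((domain, port), timeout=timeout).close()


def simulate_infections(n_hosts: int, connect: Connector) -> int:
    """Run the check on n_hosts freshly infected machines; return how many keep spreading."""
    return sum(1 for _ in range(n_hosts) if should_spread(KILL_SWITCH_DOMAIN, connect))


if __name__ == "__main__":
    net = FakeInternet()
    print("before registration:", simulate_infections(1000, net.connect), "hosts keep spreading")
    sink = Sinkhole()
    net.register(KILL_SWITCH_DOMAIN, sink)
    print("after registration:", simulate_infections(1000, net.connect),
          "hosts keep spreading;", sink.hits, "sinkhole hits")
    print("behind a block:", simulate_infections(1000, blocked_connect), "hosts keep spreading")
```

Before the domain is registered every infected host fails the lookup and carries on; after registration every host that can reach the sinkhole halts, and the sinkhole's hit counter is exactly the number of infections that checked in. The third run is the caveat: the switch only trips for hosts that can actually complete the connection, so networks that block or proxy outbound web traffic saw no benefit from the sinkhole.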