The ransomware attack that locked up thousands of computers across dozens of countries slowed down over the weekend, thanks to a young man dubbed the "accidental hero."
But that same person is one of the many voices warning that the malware could be back in full force, as soon as Monday.
The WanaCrypt0r attack that quickly spread last Friday hasn't completely stopped. The Avast security blog said as of about 8 a.m. CST, it had seen more than 199,000 detections of the malware across 104 countries. The U.S. Department of Homeland Security is even keeping an eye on it.
The ransomware affects Microsoft Windows machines. It takes over the computer, locking all your important files and demanding a payment of $300 in bitcoin. The longer you wait, the higher that amount goes. And if you don't pay, it wipes your computer. (If you want an in-depth explanation of exactly how it takes over, check out this story by BleepingComputer.)
The first slowdown
The malware hit hospitals, train stations, phone companies, FedEx, and plenty of others during its initial wave.
For some reason, the malware includes a kill switch – it checks in with a specific nonsense web address, iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. If that domain has been registered, the malware stops itself. If it has not been registered yet, it keeps spreading.
MalwareTech (a 22-year-old from the UK), after poking around, saw the malware was referencing that nonsense address, and paid a small amount of money to register it – not realizing how big an impact it would have. Once the malware saw the domain was registered, it would not ransom the system.
That earned MalwareTech the moniker of "accidental hero."
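Because the malware checks in with the kill-switch address, a lookup of that name in DNS logs points to a machine where it likely ran. The following Python sketch is an added example, not code from this article or from any tool it mentions; it assumes dnsmasq-style query logs, uses constructed sample lines, and its function names are hypothetical.

```python
import re

# Kill-switch domain as given in the article.
KILL_SWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Assumed log format (dnsmasq-style query line):
#   May 15 08:01:12 dnsmasq[411]: query[A] name.example from 10.0.4.17
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?query\[\w+\]\s"
    r"(?P<name>\S+)\sfrom\s(?P<client>\S+)\s*$"
)


def is_kill_switch(name):
    """True for the domain or any subdomain, ignoring case and a trailing dot."""
    name = name.lower().rstrip(".")
    return name == KILL_SWITCH or name.endswith("." + KILL_SWITCH)


def find_killswitch_lookups(lines):
    """Return {client_ip: {"count": n, "first_seen": ts, "last_seen": ts}}."""
    hits = {}
    for line in lines:
        m = QUERY_RE.match(line)
        if not m or not is_kill_switch(m["name"]):
            continue  # not a query line, or a query for some other name
        entry = hits.setdefault(m["client"], {"count": 0, "first_seen": m["ts"]})
        entry["count"] += 1
        entry["last_seen"] = m["ts"]
    return hits


# Constructed sample log lines (not real traffic). The last line is a
# look-alike name that must not be flagged.
SAMPLE_LOG = f"""\
May 15 08:01:12 dnsmasq[411]: query[A] www.example.org from 10.0.4.17
May 15 08:01:13 dnsmasq[411]: query[A] www.{KILL_SWITCH} from 10.0.4.23
May 15 08:01:13 dnsmasq[411]: reply www.example.org is 192.0.2.10
May 15 08:02:40 dnsmasq[411]: query[A] WWW.{KILL_SWITCH.upper()}. from 10.0.4.23
May 15 08:03:05 dnsmasq[411]: query[AAAA] {KILL_SWITCH} from 10.0.7.5
May 15 08:03:09 dnsmasq[411]: query[A] not{KILL_SWITCH} from 10.0.4.99
""".splitlines()

if __name__ == "__main__":
    for client, info in sorted(find_killswitch_lookups(SAMPLE_LOG).items()):
        print(f"{client}: {info['count']} lookup(s), "
              f"{info['first_seen']} to {info['last_seen']}")
```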
But it might not be over
Still, MalwareTech and others are warning people this ransomware attack isn't necessarily over.
"We haven’t seen a second spike in #WannaCry #ransomware attacks, but that doesn’t mean there won’t be one," the UK's National Crime Agency tweeted.
Bleeping Computer reported a ransomware attack with a second kill switch was detected Sunday, though quickly shut down. Copycats have also cropped up.
MalwareTech also quickly noted that "all [the attackers] need to do is change some code and start again," so it could easily be back out there.
So patch your computer
Microsoft issued a patch back in March that closed the security hole the malware takes advantage of. After the attack, Microsoft even took the step of issuing a security update for versions it doesn't support anymore: Windows XP, Windows 8, and Windows Server 2003.
Best Buy also has a short FAQ on things you can do to back up your data and protect yourself.
Not everybody has downloaded and installed the security updates, however, meaning they're still vulnerable.
Brad Smith, president and chief legal officer at Microsoft, also took a swipe at the NSA.
The security hole in Windows that the attackers used here was known and logged by the NSA. And in April, the hacker group Shadow Brokers leaked a bunch of data it said was from the NSA – including information about this security flaw.
Microsoft's Smith compared it to the military getting a Tomahawk missile stolen.
"The governments of the world should treat this attack as a wake-up call," he said.