LONDON • As the world began to understand the dimensions of Wanna Decrypt0r 2.0, a British cyber-security researcher was already several steps ahead. He bought an unusually long and nonsensical domain name ending with "gwea.com".

The 22-year-old says he paid US$10.69 (S$15), but his purchase might have saved companies and governmental institutions around the world billions of dollars. By purchasing the domain name and registering a website, he claims he activated a "kill switch". It immediately slowed the spread of the malware and could ultimately stop its current version, cyber-security experts said yesterday.

When Mr Darien Huss, a researcher with US cyber-security firm Proofpoint, came across the strange domain in the code on Friday evening, he immediately flagged his discovery on social media.

Alerted by the finding, an unidentified 22-year-old researcher who tweets using the handle @MalwareTechBlog took action, without knowing what impact registering the domain would have. While spreading to computers, the malware made requests to the unregistered website ending with "gwea.com". All of those requests went unanswered - likely triggering the activation of the malware. For hours, a non-existent website helped to cripple computers worldwide. But as soon as the researcher registered the website out of curiosity, automatic requests immediately surged, according to screenshots published on his Twitter account. It was only then he realised that they might have accidentally activated a kill switch in the ransomware.

"The crisis isn't over, they can always change the code and try again," @MalwareTechBlog cautioned.

WASHINGTON POST, AGENCE FRANCE-PRESSE