On Friday, a massive cyberattack spread across 74 countries, infiltrating global companies like FedEx and Nissan, telecommunication networks, and most notably the UK’s National Health Service. It left the NHS temporarily crippled, with test results and patient records becoming unavailable and phones not working.
The ransomware attack employed a malware called WannaCrypt (that’s the official name but it also goes by WannaCry, WCry, or Wanna Decryptor) that encrypts a user’s data and then demands a payment. In this instance the price was $300 worth of bitcoin to retrieve and unlock said data.
The malware is spread through email and exploits a vulnerability in Windows. Microsoft did release a patch that fixes the vulnerability back in March, but any computer without the update would have remained vulnerable.
The attack was suddenly halted early Friday afternoon (Eastern Standard Time) thanks to a 22-year-old cybersecurity researcher from southwest England. Going by the pseudonym MalwareTech on Twitter, the researcher claimed he accidentally activated the software’s “kill switch” by registering a complicated domain name hidden in the malware.
After getting home from lunch with a friend and realizing the true severity of the cyberattack, the cybersecurity expert started looking for a weakness within the malware with the help of a few fellow researchers. On Saturday, he detailed how he managed to stop the malware spread in a blog post endearingly-titled “How to Accidentally Stop a Global Cyber Attacks”.
“You’ve probably read about the WannaCry fiasco on several news sites, but I figured I’d tell my story,” he says.
MalwareTech had registered the domain as a way to track the spread. “My job is to look for ways we can track and potentially stop botnets (and other kinds of malware), so I’m always on the lookout to pick up unregistered malware control server (C2) domains. In fact I registered several thousand of such domains in the past year,” he says.
By registering the domain and setting up a sinkhole server he was planning to track the WannaCry spread.
Fortunately, it didn’t turn out to be necessary because just by registering the domain MalwareTech he had engaged what was possibly an obscure but intentional kill switch for the ransomware. A peer linked MalwareTech to a tweet by a fellow researcher named Darien Huss who had just tweeted the discovery.
The move gave companies and institutions time to patch their systems to avoid infection before the attackers could change the code and get the ransomware going again.
In an interview with The Guardian Saturday, MalwareTech warned that the attack was probably not over. “The attackers will realize how we stopped it, they’ll change the code and then they’ll start again. Enable windows update, update and then reboot.”
As for MalwareTech himself, he says he prefers to remain anonymous. “…It just doesn’t make sense to give out my personal information, obviously we’re working against bad guys and they’re not going to be happy about this,” he told The Guardian.
To get into the nitty gritty of just why MalwareTech’s sinkhole managed to stop the international ransomware you can read his full blog post here.