A massive ransomware attack on Friday hit 99 countries and shut down thousands of operations, including FedEx and England’s National Health Service. The malware took control of computers and kept them from working unless victims made a payment of $400, going up as time elapsed. The virus had its origin in software stolen from the National Security Administration, whose security was last year.
What strikes me the most about this attack, however, is how it was stopped. The world was saved, so to speak, by a 22-year-old blogger who never went to university and who lives with his parents.
He read reports about the attack, found a copy of the virus, and saw that the code included a domain name that was not registered. So he registered it. And that stopped the virus all over the world.
More details after the jump.
The ransomware used in Friday’s attack wreaked havoc on organisations including FedEx and Telefónica, as well as the UK’s National Health Service(NHS), where operations were cancelled, X-rays, test results and patient records became unavailable and phones did not work.
But the spread of the attack was brought to a sudden halt when one UK cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and inadvertently activated a “kill switch” in the malicious software.
The researcher, who identified himself only as MalwareTech, is a 22-year-old from south-west England who lives with his parents and works for Kryptos logic, an LA-based threat intelligence company.“I was out having lunch with a friend and got back about 3pm and saw an influx of news articles about the NHS and various UK organisations being hit,” he told the Guardian. “I had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time.”
The kill switch was hardcoded into the malware in case the creator wanted to stop it spreading. This involved a very long nonsensical domain name that the malware makes a request to – just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading. The domain cost $10.69 and was immediately registering thousands of connections every second.
MalwareTech explained that he bought the domain because his company tracks botnets, and by registering these domains they can get an insight into how the botnet is spreading. “The intent was to just monitor the spread and see if we could do anything about it later on. But we actually stopped the spread just by registering the domain,” he said. But the following hours were an “emotional rollercoaster”. . . .
He said he got his first job out of school without any real qualifications, having skipped university to start up a tech blog and write software.
“It’s always been a hobby to me, I’m self-taught. I ended up getting a job out of my first botnet tracker, which the company I now work for saw and contacted me about, asking if I wanted a job. I’ve been working there a year and two months now.”
But the dark knight of the dark web still lives at home with his parents, which he joked was “so stereotypical”. His mum, he said, was aware of what had happened and was excited, but his dad hadn’t been home yet. “I’m sure my mother will inform him,” he said.
Illustration: WanaCrypt ransom screen, as captured by French malware hunter Kafeine. Credit: Kafeine