A massive ransomware attack on Friday hit 99 countries and shut down thousands of operations, including FedEx and Englandโs National Health Service. ย The malware took control of computers and kept them from working unless victims made a payment of $400, going up as time elapsed. ย The virus had its origin in software stolen from the National Security Administration, whose security wasย last year.
What strikes me the most about this attack, however, is how it was stopped. ย The world was saved, so to speak, by a 22-year-old blogger who never went to university and who lives with his parents.
He read reports about the attack, found a copy of the virus, and saw that the code included a domain name that was not registered. ย So he registered it. ย And that stopped the virus all over the world.
More details after the jump.
Fromย โAccidental heroโ halts ransomware attack and warns: this is not over | Technology | The Guardian:
The ransomware used in Fridayโs attack wreaked havoc on organisations including FedEx and Telefรณnica, as well as the UKโs National Health Service(NHS), where operations were cancelled, X-rays, test results and patient records became unavailable and phones did not work.
But the spread of the attack was brought to a sudden halt when one UK cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and inadvertently activated a โkill switchโ in the malicious software.
The researcher, who identified himself only as MalwareTech, is a 22-year-old from south-west England who lives with his parents and works for Kryptos logic, an LA-based threat intelligence company.
โI was out having lunch with a friend and got back about 3pm and saw an influx of news articles about the NHS and various UK organisations being hit,โ he told the Guardian. โI had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time.โ
The kill switch was hardcoded into the malware in case the creator wanted to stop it spreading. This involved a very long nonsensical domain name that the malware makes a request to โ just as if it was looking up any website โ and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading. The domain cost $10.69 and was immediately registering thousands of connections every second.
MalwareTech explained that he bought the domain because his company tracks botnets, and by registering these domains they can get an insight into how the botnet is spreading. โThe intent was to just monitor the spread and see if we could do anything about it later on. But we actually stopped the spread just by registering the domain,โ he said. But the following hours were an โemotional rollercoasterโ. . . .
He said he got his first job out of school without any real qualifications, having skipped university to start up a tech blog and write software.
โItโs always been a hobby to me, Iโm self-taught. I ended up getting a job out of my first botnet tracker, which the company I now work for saw and contacted me about, asking if I wanted a job. Iโve been working there a year and two months now.โ
But the dark knight of the dark web still lives at home with his parents, which he joked was โso stereotypicalโ. His mum, he said, was aware of what had happened and was excited, but his dad hadnโt been home yet. โIโm sure my mother will inform him,โ he said.
[Keep reading. . ]
Illustration: ย WanaCrypt ransom screen, as captured by French malware hunter Kafeine. Credit: Kafeine