NHS cyber attack: Analyst, 22, discovers WannaCry ransomware's hidden kill switch 'completely by accident'
Registering a domain name listed within the program helps stop thousands of attacks
Sign up to our free weekly IndyTech newsletter delivered straight to your inbox
Sign up to our free IndyTech newsletter
A 22-year-old cybersecurity analyst accidentally shut down vast numbers of attacks by the devastating WannaCry ransomware by buying a domain name hidden in the program for about £8.29.
The domain name is believed to have been written into the software by the hackers to act as a kill switch.
Each time the program tried to infect a computer, it would try to contact the webpage. If it failed, WannaCry would carry on with the attack, but if it succeeded it would stop.
The analyst, who tweets as MalwareTech and works for Kryptos Logic, a security firm, admitted he had not realised that buying the domain name, for just $10.69, would have this fortunate effect.
WannaCry has infected tens of thousands of computers across the world, shutting down vital systems used by the NHS in Britain.
The program locks the user out of their computer and demands a ransom paid in BitCoin to return control.
Speaking to the Daily Beast, MalwareTech said he noticed the domain name, a string of nonsensical letters ending in gwea.com, in the code.
“I saw it wasn’t registered and thought, ‘I think I’ll have that,’” he told the website.
After buying the domain name, he pointed it to a ‘sinkhole’ server, which is used as a safe place to dump malicious web traffic, hoping simply to get more information about WannaCry.
“Immediately we saw five or six thousand connections a second,” MalwareTech said.
He said this appeared to have stopped large numbers of attacks, but confessed he had done this “completely by accident”.
And he warned people should still take precautions because the hackers could simply slightly alter the program to carry on making attacks.
“If we did stop it, there’s like a 100 per cent chance they’re going to fire up a new sample and start that one again,” he said.
“As long as people don’t patch, it’s just going to keep going.”
His realisation that he had helped stop some of the attacks, particularly in the US, was played out on his Twitter account.
“Some analysts are suggesting by sinkholing the domain we stopped the infection? Can anyone confirm?” he wrote.
“I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental.”
Dan Goodin, security editor at the ArsTechnica blog, wrote: “The virally spreading worm was ultimately stopped when … MalwareTech … took control of a domain name that was hard-coded into the self-replicating exploit.
“The domain registration, which occurred around 6am California time, was a major stroke of good luck, because it was possible only because the attackers had failed to obtain the address first.
“The address appeared to serve as a sort of kill switch the attackers could use to terminate the campaign.
“MalwareTech's registration had the effect of ending the attacks that had started earlier Friday morning in other parts of the world.
“As a result, the number of infection detections plateaued dramatically in the hours following the registration. It had no effect on WCry infections that were initiated through earlier campaigns.”
Ryan Kalember, of security firm Proofpoint, told the Guardian that MalwareTech should get “the accidental hero award of the day”.
Subscribe to Independent Premium to bookmark this article
Want to bookmark your favourite articles and stories to read or reference later? Start your Independent Premium subscription today.
Join our commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies