NHS cyber attack: 'Accidental hero' who halted ransomware gets week off work as reward

The 22-year-old cyber security analyst was already on a week off when he decided to investigate the ransomware attack

Chantal da Silva
Sunday 14 May 2017 17:05 BST
Cyber-attack: MalwareTech on how he "accidentally" halted the spread of the ransomware

The 22-year-old cyber security analyst who “accidentally” managed to halt the spread of malicious ransomware that has affected hundreds of organisations, including the NHS, has been given a week off from work as a reward.

The researcher, who tweets under the name MalwareTech and works for security firm Kryptos Logic, told the BBC he was able to stop vast numbers of attacks by the WannaCry ransomware by buying a domain name hidden in the program for $10.69 (£8.29).

The domain name appears to have been written into the software by hackers as a kill switch for the malware.

The analyst had taken a week off from work, but decided to investigate the ransomware after hearing about the global cyber-attack that sent organisations like the NHS into meltdown, with hospitals across the UK having turn away non-critical patients and resort to pen and paper.

Now, he says his boss has rewarded him with another week off for all his hard work.

“The attention has been slightly overwhelming,” the 22-year-old told the BBC.

“The boss gave me another week off to make up for this train-wreck of a vacation.”

The analyst has been hailed as an “accidental hero” after saying his discovery of the ransomware kill switch “was actually partly accidental”.

He wrote on his website: “I woke up at around 10am and checked onto the UK cyber threat sharing platform where I had been following the spread of the Emotet banking malware, something which seemed incredibly significant until [Friday].

“There were a few of your usual posts about various organisations being hit with ransomware, but nothing significant... yet. I ended up going out to lunch with a friend, meanwhile the WannaCrypt ransomware campaign had entered full swing.”

The analyst said his attempt to stop the ransomware attack by registering the domain name he found “was not a whim”.

“My job is to look for ways we can track and potentially stop botnets,” he wrote. “So I’m always on the lookout to pick up unregistered malware ... domains. In fact,I registered several thousand such domains in the past year.”

The analyst said he was “jumping around with excitment” when he realised his hunch that the domain name might work as a kill switch was correct.

“Now, you probably can’t picture a grown man jumping around with the excitement of having just been ransomwared, but this was me,” he wrote on his blog.

Ransomware is a type of malicious software that blocks access to data until a ransom is paid, displaying a message to internet users requesting payment to “unlock” pages.

In this case, the hack brings up a message telling users they can recover their files – but only if they send $300 (£232.76) in bitcoins to a specific address.

An international effort is under way to hunt down the criminals behind the attack, which affected scores of countries, including the US and Russia.

Investigators are working around the clock to trace the attackers, as health authorities race to upgrade their security software amid fears hackers could exploit the same vulnerability with a different virus.

There have also been calls for an inquiry into the incident, with the UK Government and NHS chiefs questioned over Britain’s preparedness for cyber attacks.

Europol said its cybercrime unit would be supporting affected countries as its own “complex international investigation” to identify the attackers continues.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies


Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in