NHS cyber attack: Analyst, 22, discovers WannaCry ransomware's hidden kill switch 'completely by accident'

Registering a domain name listed within the program helps stop thousands of attacks

Ian Johnston
Saturday 13 May 2017 15:10 BST
Comments
NHS cyber hack: Five key questions answered

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

A 22-year-old cybersecurity analyst accidentally shut down vast numbers of attacks by the devastating WannaCry ransomware by buying a domain name hidden in the program for about £8.29.

The domain name is believed to have been written into the software by the hackers to act as a kill switch.

Each time the program tried to infect a computer, it would try to contact the webpage. If it failed, WannaCry would carry on with the attack, but if it succeeded it would stop.

The analyst, who tweets as MalwareTech and works for Kryptos Logic, a security firm, admitted he had not realised that buying the domain name, for just $10.69, would have this fortunate effect.

WannaCry has infected tens of thousands of computers across the world, shutting down vital systems used by the NHS in Britain.

The program locks the user out of their computer and demands a ransom paid in BitCoin to return control.

Speaking to the Daily Beast, MalwareTech said he noticed the domain name, a string of nonsensical letters ending in gwea.com, in the code.

“I saw it wasn’t registered and thought, ‘I think I’ll have that,’” he told the website.

After buying the domain name, he pointed it to a ‘sinkhole’ server, which is used as a safe place to dump malicious web traffic, hoping simply to get more information about WannaCry.

“Immediately we saw five or six thousand connections a second,” MalwareTech said.

He said this appeared to have stopped large numbers of attacks, but confessed he had done this “completely by accident”.

And he warned people should still take precautions because the hackers could simply slightly alter the program to carry on making attacks.

“If we did stop it, there’s like a 100 per cent chance they’re going to fire up a new sample and start that one again,” he said.

“As long as people don’t patch, it’s just going to keep going.”

His realisation that he had helped stop some of the attacks, particularly in the US, was played out on his Twitter account.

“Some analysts are suggesting by sinkholing the domain we stopped the infection? Can anyone confirm?” he wrote.

“I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental.”

Dan Goodin, security editor at the ArsTechnica blog, wrote: “The virally spreading worm was ultimately stopped when … MalwareTech … took control of a domain name that was hard-coded into the self-replicating exploit.

“The domain registration, which occurred around 6am California time, was a major stroke of good luck, because it was possible only because the attackers had failed to obtain the address first.

“The address appeared to serve as a sort of kill switch the attackers could use to terminate the campaign.

NHS cyber-attack: Amber Rudd fails to confirm that files are safe

“MalwareTech's registration had the effect of ending the attacks that had started earlier Friday morning in other parts of the world.

“As a result, the number of infection detections plateaued dramatically in the hours following the registration. It had no effect on WCry infections that were initiated through earlier campaigns.”

Ryan Kalember, of security firm Proofpoint, told the Guardian that MalwareTech should get “the accidental hero award of the day”.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in