NHS cyber attack: Analyst, 22, discovers WannaCry ransomware's hidden kill switch 'completely by accident'

Registering a domain name listed within the program helps stop thousands of attacks

A 22-year-old cybersecurity analyst accidentally shut down vast numbers of attacks by the devastating WannaCry ransomware by buying a domain name hidden in the program for about £8.29.

The domain name is believed to have been written into the software by the hackers to act as a kill switch.

Each time the program tried to infect a computer, it would try to contact the webpage. If it failed, WannaCry would carry on with the attack, but if it succeeded it would stop.

The analyst, who tweets as MalwareTech and works for Kryptos Logic, a security firm, admitted he had not realised that buying the domain name, for just $10.69, would have this fortunate effect.

WannaCry has infected tens of thousands of computers across the world, shutting down vital systems used by the NHS in Britain.

The program locks the user out of their computer and demands a ransom paid in Bitcoin to return control.

Speaking to the Daily Beast, MalwareTech said he noticed the domain name, a string of nonsensical letters ending in gwea.com, in the code.

“I saw it wasn’t registered and thought, ‘I think I’ll have that,’” he told the website.

After buying the domain name, he pointed it to a ‘sinkhole’ server, which is used as a safe place to dump malicious web traffic, hoping simply to get more information about WannaCry.

“Immediately we saw five or six thousand connections a second,” MalwareTech said.

He said this appeared to have stopped large numbers of attacks, but confessed he had done this “completely by accident”.

And he warned that people should still take precautions because the hackers could simply alter the program slightly to carry on making attacks.

“If we did stop it, there’s like a 100 per cent chance they’re going to fire up a new sample and start that one again,” he said.

“As long as people don’t patch, it’s just going to keep going.”

His realisation that he had helped stop some of the attacks, particularly in the US, was played out on his Twitter account.

“Some analysts are suggesting by sinkholing the domain we stopped the infection? Can anyone confirm?” he wrote.

“I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental.”

Dan Goodin, security editor at the ArsTechnica blog, wrote: “The virally spreading worm was ultimately stopped when … MalwareTech … took control of a domain name that was hard-coded into the self-replicating exploit.

“The domain registration, which occurred around 6am California time, was a major stroke of good luck, because it was possible only because the attackers had failed to obtain the address first.

“The address appeared to serve as a sort of kill switch the attackers could use to terminate the campaign.

“MalwareTech's registration had the effect of ending the attacks that had started earlier Friday morning in other parts of the world.

“As a result, the number of infection detections plateaued dramatically in the hours following the registration. It had no effect on WCry infections that were initiated through earlier campaigns.”

Ryan Kalember, of security firm Proofpoint, told the Guardian that MalwareTech should get “the accidental hero award of the day”.
