NHS cyber attack: Analyst, 22, discovers WannaCry ransomware's hidden kill switch 'completely by accident'

Registering a domain name listed within the program helps stop thousands of attacks

Ian Johnston
Saturday 13 May 2017 15:10 BST
A 22-year-old cybersecurity analyst accidentally shut down vast numbers of attacks by the devastating WannaCry ransomware by buying a domain name hidden in the program for about £8.29.

The domain name is believed to have been written into the software by the hackers to act as a kill switch.

Each time the program tried to infect a computer, it would try to contact the webpage. If it failed, WannaCry would carry on with the attack, but if it succeeded it would stop.

The analyst, who tweets as MalwareTech and works for Kryptos Logic, a security firm, admitted he had not realised that buying the domain name, for just $10.69, would have this fortunate effect.

WannaCry has infected tens of thousands of computers across the world, shutting down vital systems used by the NHS in Britain.

The program locks the user out of their computer and demands a ransom paid in Bitcoin to return control.

Speaking to the Daily Beast, MalwareTech said he noticed the domain name, a string of nonsensical letters ending in, in the code.

“I saw it wasn’t registered and thought, ‘I think I’ll have that,’” he told the website.

After buying the domain name, he pointed it to a ‘sinkhole’ server, which is used as a safe place to dump malicious web traffic, hoping simply to get more information about WannaCry.

“Immediately we saw five or six thousand connections a second,” MalwareTech said.

He said this appeared to have stopped large numbers of attacks, but confessed he had done this “completely by accident”.

And he warned that people should still take precautions because the hackers could simply alter the program slightly to carry on making attacks.

“If we did stop it, there’s like a 100 per cent chance they’re going to fire up a new sample and start that one again,” he said.

“As long as people don’t patch, it’s just going to keep going.”

His realisation that he had helped stop some of the attacks, particularly in the US, was played out on his Twitter account.

“Some analysts are suggesting by sinkholing the domain we stopped the infection? Can anyone confirm?” he wrote.

“I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental.”

Dan Goodin, security editor at the Ars Technica blog, wrote: “The virally spreading worm was ultimately stopped when … MalwareTech … took control of a domain name that was hard-coded into the self-replicating exploit.

“The domain registration, which occurred around 6am California time, was a major stroke of good luck, because it was possible only because the attackers had failed to obtain the address first.

“The address appeared to serve as a sort of kill switch the attackers could use to terminate the campaign.

“MalwareTech's registration had the effect of ending the attacks that had started earlier Friday morning in other parts of the world.

“As a result, the number of infection detections plateaued dramatically in the hours following the registration. It had no effect on WCry infections that were initiated through earlier campaigns.”

Ryan Kalember, of security firm Proofpoint, told the Guardian that MalwareTech should get “the accidental hero award of the day”.
