NHS cyber attack: Analyst tells how he killed WannaCry ransomware ravaging systems around the world

Security expert, 22, experienced a rollercoaster of emotions including panic, confusion and 'jumping around with excitement'

Ian Johnston
Saturday 13 May 2017 14:35 BST
Cyber-attack: MalwareTech on how he "accidentally" halted the spread of the ransomware

The cyber analyst who accidentally triggered a 'kill switch' in the WannaCry ransomware has written about how he panicked and then literally jumped for joy as it became clear what had happened.

The virus has shutdown parts of the NHS and infected computers all over the world with users ordered to pay a ransom to recover control of their machines.

It was continuing to cause problems, with concerns some files have been lost, and the hackers are likely to have slightly altered the program to enable it to continue infecting more computers.

The UK-based analyst, known as MalwareTech on social media and aged just 22, has now written a blog about the “crazy events” that began after the malicious program struck on Friday.

At one point, there was a suggestion he had actually helped encrypt people’s data and testing this involved deliberately trying to infect his own computer.

When he realised he was in the clear, he described “jumping around with the excitement of having just been ransomwared”.

He had discovered a website domain name hidden in the ransomware’s code and was able to register it. WannaCry was designed to contact the website after infecting a computer and, if it received a reply, to shut down.

Registering the domain name caused this to happen and appears to have prevented thousands of attacks.

But this was not clear when MalwareTech, who was supposed to be on holiday, began to investigate the program, as he described in the blog post entitled, How to Accidentally Stop a Global Cyber Attack.

The gratitude of the UK authorities was plain, with the National Cyber Security Centre, which is part of intelligence agency GCHQ, reposting the blog on its website.

After getting a sample of the software, he began to carry out his analysis and “instantly noticed it queried an unregistered domain, which I promptly registered”.

He said this was not done “on a whim” but was fairly standard practice — he has registered several thousand similar domain names in the past year.

The domains are then pointed to a sinkhole server which is designed to “capture malicious traffic” and prevent the criminals from controlling infected computers.

The data can also be used to inform victims that their computers have been infected and give an idea of how large the attacks are. Registering the domains can also potentially allow analysts to take control of the bot.

MalwareTech said he then shared his sample of WannaCry, also known by several similar names, with another analyst.

Government urged to clarify whether NHS bodies could have stopped cyber attack

“Humorously at this point we had unknowingly killed the malware so there was much confusion as to why he could not run the exact same sample I just ran and get any results at all,” he wrote in the blog.

“As curious as this was, I was pressed for time and wasn’t able to investigate, because now the sinkhole servers were coming dangerously close to their maximum load.

“I set about making sure our sinkhole server was stable and getting the expected data from the domain we had registered (at this point we still didn’t know much about what the domain I registered was for, just that anyone infected with this malware would connect to the domain we now own, allowing us to track the spread of the infection).

“Sorting out the sinkholes took longer than expected due to a very large botnet we had sinkholed the previous week eating up all the bandwidth, but soon enough I was able to set up a live tracking map and push it out via Twitter.”

He said he had then asked an “employee” to find out if the malware was set up to regularly change the domain name it used.

“After about five minutes the employee came back with the news that the registration of the domain had triggered the ransomware meaning we’d encrypted everyone’s files (don’t worry, this was later proven to not be the case), but it still caused quite a bit of panic,” MalwareTech wrote.

NHS cyber hack: Five key questions answered

However by this time other analysts had begun to suggest that the opposite was true and that registering the domain name was stopping further attacks.

“Having heard to conflicting answers, I anxiously loaded back up my analysis environment and ran the sample….nothing. I then modified my host file so that the domain connection would be unsuccessful and ran it again…..RANSOMWARED,” he wrote.

“Now you probably can’t picture a grown man jumping around with the excitement of having just been ransomwared, but this was me.

“The failure of the ransomware to run the first time and then the subsequent success on the second mean that we had in fact prevented the spread of the ransomware and prevented it ransoming any new computer since the registration of the domain.”

He said while registering the domain name had the effect of a kill switch he did not believe this was the hackers’ actual intent.

Instead, he suspects it was a “badly thought out” attempt to prevent analysis by security experts like him.

“I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox [computer analysis] environments, then once they see the domain responding, they know they’re in a sandbox the malware exits to prevent further analysis,” he wrote.

“This technique isn’t unprecedented … however, because WannaCrypt used a single hardcoded domain, my registration of it caused all infections globally to believe they were inside a sandbox and exit.

“Thus we initially unintentionally prevented the spread and and further ransoming of computers infected with this malware. Of course now that we are aware of this, we will continue to host the domain to prevent any further infections from this sample.”

However he stressed it was “very important” to realise that his actions only stopped one sample of the ransomware.

“There is nothing stopping them removing the domain check and trying again, so it’s incredibly important that any unpatched systems are patched as quickly as possible,” he said.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies


Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in