Researcher accidentally stops massive cyberattack from spreading

This image provided by the Twitter page of @fendifille shows a computer at Greater Preston CCG as Britain’s National Health Service is investigating “an issue with IT” Friday May 12, 2017. Several British hospitals say they are having major computer problems Hospitals in London, northwest England and other parts of the country are reporting problems with their computer systems as the result of an apparent cyberattack. (@fendifille via AP)


CNNMoney (San Francisco) — An anonymous malware researcher inadvertently helped stop the spread of a global cyberattack that targeted nearly 100 countries.

The 22-year-old researcher, who goes by the name MalwareTech, has become an internet hero for their efforts to stem the spread of the WannaCry ransomware. MalwareTech, who is based in the U.K., did not disclose their identity or gender to CNN. MalwareTech published a blog post early Saturday morning detailing how they stopped the spread of this ransomware.

The ransomware took control of computers around the world and required owners to pay hundreds of dollars to get their files back. It exploited a Windows vulnerability using a hacking tool leaked in April, a tool believed to belong to the NSA.

MalwareTech found an unregistered domain name in the ransomware and bought it for $10.69. Then, they pointed the domain to a sinkhole, or a server that collects and analyzes malware traffic. What they didn’t realize was that the domain — a random assortment of letters — was actually a kill switch, a way for someone to take control of the ransomware.
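The sinkhole's value to defenders is that every host which looks up the kill-switch domain is, at that moment, running the worm's code, so the resolver or sinkhole logs double as an infection inventory. The script below is an added example, not MalwareTech's or CNN's code: it parses constructed BIND-style DNS query-log lines, counts lookups of a placeholder kill-switch name (the real domain is not given in the article, so `killswitch-placeholder.example` stands in for it) per source address, and produces a triage list of hosts whose patch status should be verified.

```python
import re
from collections import Counter

# Placeholder for the WannaCry kill-switch domain (assumption: the real name is not in the article).
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed sample log in BIND query-log style; not real traffic.
SAMPLE_LOG = """\
12-May-2017 11:02:13.101 client 10.20.1.15#51234: query: killswitch-placeholder.example IN A + (10.20.0.5)
12-May-2017 11:02:14.220 client 10.20.1.15#51240: query: killswitch-placeholder.example IN A + (10.20.0.5)
12-May-2017 11:02:15.003 client 10.20.3.8#40012: query: www.example.org IN A + (10.20.0.5)
12-May-2017 11:02:16.411 client 10.20.7.42#60001: query: KILLSWITCH-PLACEHOLDER.EXAMPLE IN A + (10.20.0.5)
12-May-2017 11:02:17.900 client 10.20.3.8#40013: query: killswitch-placeholder.example IN AAAA + (10.20.0.5)
"""

# Extracts the querying client, the queried name and the record type from one log line.
QUERY_RE = re.compile(
    r"client (?P<client>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query(line):
    """Return (client_ip, normalized_qname, qtype) or None for lines that are not queries."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    # DNS names are case-insensitive and may carry a trailing dot; normalize before comparing.
    return m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def kill_switch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Map each source IP to the number of times it looked up the kill-switch domain."""
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if parsed is None:
            continue
        client, qname, _qtype = parsed
        if qname == domain.lower():
            hits[client] += 1
    return hits


def triage_report(hits):
    """Hosts ordered by lookup count; each one executed the worm and needs patch verification."""
    return hits.most_common()


if __name__ == "__main__":
    for ip, count in triage_report(kill_switch_lookups(SAMPLE_LOG)):
        print(f"{ip}: {count} kill-switch lookup(s) -> verify Windows patch status and isolate if unpatched")
```

A lookup of the kill-switch name proves execution, not successful encryption: on the sinkholed variant the beacon succeeds and the payload stops, which is exactly why these hosts are worth finding before a variant without the check reaches them.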

“Now one thing that’s important to note is the actual registration of the domain was not on a whim. My job is to look for ways we can track and potentially stop botnets (and other kinds of malware), so I’m always on the lookout to pick up unregistered malware control server (C2) domains. In fact I registered several thousand of such domains in the past year.” – MalwareTech

While the researcher is being lauded online for helping to prevent a more widespread outbreak, MalwareTech doesn’t consider themselves a hero.

“I just don’t [think] that what I did was that significant,” MalwareTech told CNN in an email. “And as of now I’ve had a fair bit of thanks from different people which is really appreciated, but no job offers which is nice as I’m happy where I am.”


“We found out that the domain was supposed to be unregistered and the malware was counting on this, thus by registering it we inadvertently stopped any subsequent infections,” they told CNN.

However, this only stops one version of WannaCry. There are different versions of the ransomware that do not contact that particular domain and can still spread, so it is possible for computers to get infected. Windows machines that are up-to-date are safe from this ransomware.

Darien Huss, a researcher at security firm Proofpoint, first noticed that MalwareTech’s sinkhole was preventing the ransomware from spreading.

“It seems a lot like the actors responsible for this are fairly amateur because of the implementation that they used for the kill switch,” Huss told CNN. “It was very easy for someone other than themselves to activate the kill switch.”

Huss says it is very likely we will see another attack using the exploit, even as early as Monday.

CNN’s Paul P. Murphy contributed to this report.
