‘I sort of did what I could’

Alert researcher, teamwork helped stem huge cyberattack


The cyberattack that spread malicious software around the world, shutting down networks at hospitals, banks and government agencies, was thwarted by a young British researcher and an inexpensive domain registration, with help from another 20-something security engineer in the U.S.

Britain’s National Cyber Security Center and others were hailing the cybersecurity researcher, a 22-year-old identified online only as MalwareTech, who — unintentionally at first — discovered a so-called “kill switch” that halted the unprecedented outbreak.

By then the “ransomware” attack had crippled Britain’s hospital network and computer systems in several countries in an effort to extort money from computer users. But the researcher’s actions may have saved companies and governments millions of dollars and slowed the outbreak before computers in the U.S. were more widely affected.

MalwareTech, who works for cybersecurity firm Kryptos Logic, is part of a large global cybersecurity community who are constantly watching for attacks and working together to stop or prevent them, often sharing information via Twitter. It’s not uncommon for them to use aliases, either to protect themselves from retaliatory attacks or for privacy.

In a blog post Saturday, MalwareTech explained he learned on Friday that networks across Britain’s health system had been hit by ransomware, tipping him off that “this was something big.”

He began analyzing a sample of the malicious software and noticed its code included a hidden web address that wasn’t registered. He said he “promptly” registered the domain, something he regularly does to try to discover ways to track or stop malicious software.

Across an ocean, Darien Huss, a 28-year-old research engineer for the cybersecurity firm Proofpoint, was doing his own analysis. The western Michigan resident said he noticed the authors of the malware had left in a feature known as a kill switch. Huss took a screen shot of his discovery and shared it on Twitter.

Soon he and MalwareTech were communicating about what they’d found: that registering the domain name and redirecting the attacks to the server of Kryptos Logic had activated the kill switch, halting the ransomware’s infections.

Huss and others were calling MalwareTech a hero on Saturday, with Huss adding that the global cybersecurity community was working “as a team” to stop the infections from spreading.

“The ‘hero’ is a bit strong,” MalwareTech said Sunday. “I sort of did what I could.”

Both said they were concerned the authors of the malware could re-release it without a kill switch or with a better one, or that copycats could mimic the attack.

“I think it is concerning that we could definitely see a similar attack occur, maybe in the next 24 to 48 hours or maybe in the next week or two,” Huss said. “It could be very possible.”

Who perpetrated this wave of attacks remains unknown. This is already believed to be the biggest online extortion attack ever recorded, disrupting services in nations as diverse as the U.S., Russia, Ukraine, Brazil, Spain and India.

Europol, Europe’s policing agency, called the attack unprecedented and said computers in more than 150 countries have been affected. Two security firms — Kaspersky Lab and Avast — said Russia was hit hardest.


The main entrance of St Bartholomew’s Hospital in London, one of the hospitals whose computer systems were affected by a cyberattack Friday. The attack crippled computer systems at hospitals across England, with appointments cancelled, phone lines down and patients turned away.
