2 CYBERSECURITY HEROES HAILED
British researcher, US engineer kill global cyberattack
THE cyberattack that spread malicious software around the world, shutting down networks at hospitals, banks and government agencies, was thwarted by a young British researcher and an inexpensive domain registration, with help from another 20-something security engineer in the United States.
Britain’s National Cyber Security Centre and others were hailing the cybersecurity researcher, a 22-year-old identified online only as MalwareTech, who — unintentionally at first — discovered a so-called “kill switch” that halted the unprecedented outbreak.
By then the ransomware attack had crippled Britain’s hospital network and computer systems in several countries in an effort to extort money from computer users.
But the researcher’s actions may have saved companies and governments millions of dollars and slowed the outbreak before computers in the US were more widely affected.
MalwareTech is part of a large global cybersecurity community, working independently or for security companies, who are constantly watching for attacks and working together to stop or prevent them, often sharing information via Twitter.
It’s not uncommon for them to use aliases, either to protect themselves from retaliatory attacks or for privacy.
In a blog post on Saturday, MalwareTech explained that he had returned from lunch with a friend on Friday and learned that networks across Britain’s health system had been hit by ransomware, tipping him off that “this was something big”.
He began analysing a sample of the malicious software and noticed its code included a hidden web address that wasn’t registered. He said he “promptly” registered the domain, something he regularly did to try to discover ways to track or stop malicious software.
Across an ocean, Darien Huss, a 28-year-old research engineer for the cybersecurity firm Proofpoint, was doing his own analysis.
The western Michigan resident said he noticed the authors of the malware had left in a feature known as a kill switch.
He took a screenshot of his discovery and shared it on Twitter.
Soon he and MalwareTech were communicating about what they’d found: that registering the domain name and redirecting the attacks to MalwareTech’s server had activated the kill switch, halting the ransomware’s infections.
Huss and others were calling MalwareTech a hero on Saturday, with Huss adding that the global cybersecurity community was working “as a team” to stop the infections from spreading.
“I think the security industry as a whole should be considered heroes,” he said.
But he said he was concerned the authors of the malware could re-release it without a kill switch, or with a better one, or that copycats could mimic the attack.
“I think it is concerning that we could definitely see a similar attack occur, maybe in the next 24 to 48 hours, or maybe in the next week or two,” Huss said. “It could be very possible.”
The perpetrator of this wave of attacks remains unknown. Security firms Kaspersky Lab and Avast said they identified the malicious software in more than 70 countries. Both said Russia was hit hardest.
This is already believed to be the biggest online extortion attack ever recorded, disrupting services in nations as diverse as the US, Russia, Ukraine, Brazil, Spain and India.
Europol, the European Union’s police agency, said the onslaught was at “an unprecedented level and would require a complex international investigation to identify the culprits”.
The Europol chief yesterday said the cyberattack hit 200,000 victims in at least 150 countries and that number could grow when people returned to work today.
Cybersecurity experts said the spread of the virus WannaCry had slowed, but that any respite might be brief.
Europol director Rob Wainwright told ITV’s Peston on Sunday that the attack was unique in that the ransomware was used in combination with “a worm functionality” so the infection spread automatically.
“The global reach is unprecedented. The latest count is over 200,000 victims in at least 150 countries, and those victims, many of those will be businesses, including large corporations.
“We are in the face of an escalating threat. The numbers are going up.”
He said Europol and other agencies did not yet know who was behind the attack, but “normally it is criminally minded and that is our first working theory for obvious reasons”.
The ransomware exploits a vulnerability in Microsoft Windows that was purportedly identified by the US National Security Agency for its intelligence-gathering purposes.
Hackers said they stole the tools from the NSA and dumped them on the Internet. AP