How a 22-year-old inadvertently halted a global cyberattack
Analyst was off work but was on his game
@eweise, USA TODAY, SAN FRANCISCO. The massive ransomware attack that crippled more than 20% of hospitals in the United Kingdom and disabled systems in as many as 74 countries appears to have been inadvertently stopped by a 22-year-old computer security researcher in England who began studying it on Friday afternoon.
The story, which the as-yet-unnamed security whiz wrote up in a blog post on Saturday, is an example of the driven-to-puzzle-things-out mentality typical of people drawn to cybersecurity.
“He was in the right place at the right time, and he did the right thing without any hesitation,” said Dan Kaminsky, a longtime security researcher and chief scientist at White Ops, a New York-based security firm.
“It’s pretty great that a 22-year-old can see a worldwide problem and spend a bit to help us all,” Kaminsky said.
The ransomware seems to have first appeared at 3:24 a.m. ET on Friday, said Craig Williams, a senior technical leader at security company Cisco Talos.
Within about seven hours it had been stopped in its tracks.
For the analyst, who has chosen to be identified only by his online handle, MalwareTech, things started after lunch on Friday, when he noticed the fuss about a global ransomware attack and decided to investigate.
Although only 22, he is known in the world of cybersecurity as someone who’s good at “taking down big ugly things that are spreading fast,” in the words of Ryan Kalember, vice president for cybersecurity at Proofpoint, a Sunnyvale, Calif.-based security company.
One of the first things MalwareTech noticed was that, as soon as it installed itself on a new machine, the malware tried to contact an Internet domain name that nobody had registered.
He promptly registered that domain, so he could see what it was up to. This was at around 3 p.m. in London, 10 a.m. ET.
The registration wasn’t done on a whim, he noted. “My job is to look for ways we can track and potentially stop botnets (and other kinds of malware),” he wrote.
In doing so, however, MalwareTech had inadvertently stopped the global attack in its tracks.
The malware contained code that, before doing anything else, tried to reach that unregistered domain. If the request failed because the domain did not exist, the malware carried on; if the domain answered, the malware turned itself off. Once the domain was registered, every new infection got an answer and shut down. Computers that were already infected weren’t helped, and machines on isolated networks that couldn’t reach the domain at all were still at risk, but otherwise the ransomware stopped spreading, Williams said.
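The check described above can be modelled in a few lines. The following is an added illustration, not MalwareTech’s code and not the ransomware’s: the domain name (a placeholder under the reserved `.invalid` TLD), the addresses and the sinkhole log lines are constructed, and DNS resolution is an injected function so the whole thing runs offline. It shows the inverted logic of the kill switch (an answer means stop, a failure means go), the isolated-host failure mode the article mentions, and, on the other side, how a registered sinkhole turns each new infection’s beacon into a log entry the defender can count.

```python
"""Model of the WannaCry-style kill-switch check and of the sinkhole that
tripped it.  Added example: not MalwareTech's code nor the malware's.  The
domain, addresses and log lines are constructed placeholders, and DNS lookup is
an injected function so the example runs with no network access."""

from collections import Counter
from typing import Callable, Dict, List

# Placeholder under the reserved .invalid TLD; the real domain is not reproduced.
KILL_SWITCH_DOMAIN = "kill-switch-placeholder.invalid"


class DomainUnregistered(Exception):
    """Lookup answered NXDOMAIN: nobody has registered the name."""


class NoRoute(Exception):
    """The name may exist, but this host cannot reach the outside world."""


Resolver = Callable[[str], str]


def should_run_payload(resolve: Resolver) -> bool:
    """The inverted check the article describes.

    If the kill-switch domain answers, the malware exits without encrypting
    or spreading.  If the lookup fails, for whatever reason, it carries on.
    That 'for whatever reason' is the failure mode: a host that cannot reach
    the domain at all keeps spreading, which is why isolated systems were not
    protected by the registration.
    """
    try:
        resolve(KILL_SWITCH_DOMAIN)
    except (DomainUnregistered, NoRoute):
        return True   # no answer -> proceed with the payload
    return False      # answer received -> turn itself off


# Resolver stand-ins for the three situations in the article.
def resolve_before_registration(name: str) -> str:
    raise DomainUnregistered(name)


def resolve_after_registration(name: str) -> str:
    return "192.0.2.10"   # TEST-NET address standing in for the sinkhole


def resolve_on_isolated_host(name: str) -> str:
    raise NoRoute(name)


# Sinkhole side.  Once the domain is registered, every new infection's beacon
# lands in the sinkhole's web log, which is what lets the defender "see what it
# was up to".  Constructed sample lines: source IP, timestamp, request, Host.
SINKHOLE_LOG: List[str] = [
    "198.51.100.7 2017-05-12T15:03:11Z GET / HTTP/1.1 Host: " + KILL_SWITCH_DOMAIN,
    "198.51.100.7 2017-05-12T15:03:12Z GET / HTTP/1.1 Host: " + KILL_SWITCH_DOMAIN,
    "203.0.113.22 2017-05-12T15:04:40Z GET / HTTP/1.1 Host: " + KILL_SWITCH_DOMAIN,
    "203.0.113.9 2017-05-12T15:05:02Z GET /robots.txt HTTP/1.1 Host: scanner.example",
]


def beaconing_hosts(log_lines: List[str]) -> Dict[str, int]:
    """Count beacons per source address, keeping only requests whose Host header
    names the kill-switch domain; other traffic hitting the sinkhole's IP is noise.
    Each distinct source is one infection that checked in and shut itself down."""
    hits: Counter = Counter()
    for line in log_lines:
        fields = line.split()
        if fields[-2:] != ["Host:", KILL_SWITCH_DOMAIN]:
            continue
        hits[fields[0]] += 1
    return dict(hits)


if __name__ == "__main__":
    for label, resolver in [("before registration", resolve_before_registration),
                            ("after registration", resolve_after_registration),
                            ("isolated host", resolve_on_isolated_host)]:
        print(f"{label:20s} payload runs: {should_run_payload(resolver)}")
    print("beacons per infected host:", beaconing_hosts(SINKHOLE_LOG))
```

For a defender the same lookup is a detection signal in its own right: a DNS query or HTTP request for the kill-switch domain coming from a workstation means that workstation executed the malware, whether or not the payload went on to run.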
“Now you probably can’t picture a grown man jumping around with the excitement of having just been ransomwared, but this was me. The failure of the ransomware to run the first time and then the subsequent success on the second mean that we had in fact prevented the spread of the ransomware and prevented it ransoming any new computer since the registration of the domain,” he wrote.
The domain registration that stopped the ransomware, which had already caused thousands of companies tens of thousands of dollars’ worth of damage, “cost about $10,” said MalwareTech’s boss, Salim Neino, CEO of Kryptos Logic.
Security experts are quick to point out that all the criminals would need to do is rewrite the code to either check a different domain or remove the domain check altogether, and then send the new version out.