Self-taught accidental hero halts global ransomware attack but warns 'this is not over'

The researcher (left), who is identified only as MalwareTech, is a 22-year-old from south-west England who works for Kryptos Logic. PHOTO: DAILY MAIL
A British researcher using the Twitter handle @MalwareTechBlog managed to stop the spread of the WannaCry cyber attacks by registering the domain name being used by the malware. PHOTO: EPA

LONDON - The young computer expert hailed an "accidental hero" for stopping an unprecedented global wave of cyber attacks has warned that the attack could be rebooted.

Friday's (May 12) attacks, whose targets ranged from Russia's banks to British hospitals and a French carmaker's factories, used ransomware, malicious software that locks users' files unless they pay the attackers a given sum in the cryptocurrency Bitcoin.

The attack stopped spreading when a UK cybersecurity researcher, tweeting as @MalwareTechBlog, helped by Mr Darien Huss from security firm Proofpoint, registered a domain name used by the malware.

"Essentially they relied on a domain not being registered and by registering it, we stopped their malware spreading," @MalwareTechBlog told AFP in a private message on Twitter.

The researcher, who is identified only as MalwareTech, is a 22-year-old from south-west England who works for Kryptos Logic, a Los Angeles-based threat intelligence company, the Guardian reported on Saturday (May 13).

"I was out having lunch with a friend and got back about 3pm and saw an influx of news articles about the NHS and various UK organisations being hit," he told The Guardian.

"I had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time."


MalwareTech said he bought the domain because his company tracks botnets and by registering these domains they can get an insight into how the botnet is spreading.

"The intent was to just monitor the spread and see if we could do anything about it later on. But we actually stopped the spread just by registering the domain," he said.

"Initially someone had reported the wrong way round that we had caused the infection by registering the domain, so I had a mini freakout until I realised it was actually the other way around and we had stopped it," he added.

MalwareTech prefers to stay anonymous "because it just doesn't make sense to give out my personal information, obviously we're working against bad guys and they're not going to be happy about this".

He told The Guardian that he planned to hold onto the URL, and he and colleagues were collecting the IPs and sending them off to law enforcement agencies so they can inform the infected victims, not all of whom know they have been affected.
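The registration described above turns the kill-switch domain into a sinkhole: every infected machine that performs the check makes a DNS query for the domain, and the query log therefore becomes a list of likely victims. The following Python script is an added example, not code from MalwareTech, Kryptos Logic or Proofpoint. It assumes a BIND-style query-log layout, uses a placeholder domain because the article does not name the real one, and runs over constructed log lines to produce the kind of per-IP list that would be handed to law enforcement or an internal incident-response team.

```python
"""Extract likely victims from a sinkhole's DNS query log (added example)."""
import ipaddress
import re
from datetime import datetime

# Placeholder: the article does not give the real kill-switch domain.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# Constructed sample lines in an assumed BIND-style query-log layout.
SAMPLE_LOG = """\
12-May-2017 15:07:01.123 client 203.0.113.10#51234: query: killswitch-domain.example IN A +
12-May-2017 15:07:02.456 client 198.51.100.7#41000: query: www.example.org IN A +
12-May-2017 15:07:03.789 client 203.0.113.10#51235: query: killswitch-domain.example IN A +
12-May-2017 15:07:05.001 client 192.0.2.44#60001: query: KILLSWITCH-DOMAIN.EXAMPLE. IN A +
12-May-2017 15:07:06.002 client 10.0.0.5#53001: query: killswitch-domain.example IN AAAA +
this line is garbage and should be skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?P<ip>[0-9A-Fa-f.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)
TS_FORMAT = "%d-%b-%Y %H:%M:%S"


def parse_line(line):
    """Parse one query-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    except ValueError:
        return None
    # DNS names are case-insensitive and may carry a trailing dot; normalise
    # so that a lookup of KILLSWITCH-DOMAIN.EXAMPLE. still counts as a hit.
    qname = m.group("qname").rstrip(".").lower()
    return {"ts": ts, "ip": str(ip), "qname": qname, "qtype": m.group("qtype").upper()}


def is_kill_switch_lookup(record, domain=KILL_SWITCH_DOMAIN):
    """True if the query was for the sinkholed kill-switch domain."""
    return record["qname"] == domain.lower()


def sinkhole_report(log_text, domain=KILL_SWITCH_DOMAIN):
    """Map each source IP that queried the kill-switch domain to its
    first/last query time and query count. One IP may stand for many
    infected hosts behind a NAT gateway, so the count is a lower bound."""
    victims = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_kill_switch_lookup(rec, domain):
            continue
        entry = victims.setdefault(
            rec["ip"], {"first_seen": rec["ts"], "last_seen": rec["ts"], "queries": 0}
        )
        entry["first_seen"] = min(entry["first_seen"], rec["ts"])
        entry["last_seen"] = max(entry["last_seen"], rec["ts"])
        entry["queries"] += 1
    return victims


def format_report(victims):
    """Plain-text lines, one per IP, sorted IPv4 before IPv6 then numerically."""
    def sort_key(ip):
        addr = ipaddress.ip_address(ip)
        return (addr.version, int(addr))

    lines = []
    for ip in sorted(victims, key=sort_key):
        v = victims[ip]
        lines.append(
            f"{ip}\tfirst={v['first_seen'].isoformat()}\t"
            f"last={v['last_seen'].isoformat()}\tqueries={v['queries']}"
        )
    return lines


if __name__ == "__main__":
    for line in format_report(sinkhole_report(SAMPLE_LOG)):
        print(line)
```

The report lists three source addresses: the host that looked up the domain twice is counted once, the upper-case lookup with a trailing dot is normalised to the same name, the AAAA query counts like an A query, and the unrelated lookup of www.example.org is ignored. Timestamps matter for the hand-off, because an address that queried the domain weeks ago may have been reassigned to a different customer since.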

Warning people to patch their systems, he added: "This is not over. The attackers will realise how we stopped it, they'll change the code and then they'll start again. Enable windows update, update and then reboot."

MalwareTech told The Daily Mail that he was "completely self-taught", having landed his first job out of school without any proper qualifications.

"I'm not a graduate. I had planned to go to university but ended up getting offered a job in security a year prior, so I took it. I'm completely self-taught so in hindsight university would probably not have been worth the time or money."

Although by the time @MalwareTechBlog registered the domain it was too late to help Europe and Asia, where many organisations were affected, people in the United States had more time to develop immunity by patching their systems before they were infected, Proofpoint's Ryan Kalember said.

Friday's attack used a piece of malicious software called "WanaCrypt0r 2.0" or WannaCry, which exploits a vulnerability in Windows. While Microsoft had already released a patch (a software update that fixes the problem) in March, computers that had not installed the security update were still vulnerable.

Attacks have been recorded in at least 150 countries, including the UK, Russia, Ukraine, India, China, Italy, and Egypt. Europe and Russia have been the hardest hit so far. More than 200,000 victims have been affected, said the head of the European Union’s police agency on Sunday.