The massive ransomware attack that crippled more than 20% of hospitals in the United Kingdom and disabled systems in as many as 74 countries appears to have been inadvertently stopped by a 22-year-old computer security researcher in England who began studying it Friday afternoon.
The story, which the as-yet-unnamed security whiz wrote up in a blog post on Saturday, is an example of the driven-to-puzzle-things-out mentality typical of people drawn to cybersecurity.
“He was in the right place at the right time, and he did the right thing without any hesitation,” said Dan Kaminsky, a longtime security researcher and chief scientist at White Ops, a New York-based security firm.
How it happened
The ransomware seems to have first appeared at 3:24 a.m. ET on Friday, said Craig Williams, a senior technical leader at security company Cisco Talos.
Within about seven hours it had been stopped in its tracks.
For the analyst, who for security reasons has chosen to be identified only by his blog handle, MalwareTech, things began after lunch on Friday, when he noticed all the fuss about a global ransomware attack and decided to investigate.
His day job is as a security researcher at Los Angeles-based Kryptos Logic, but he was actually supposed to be on vacation this week so he hadn’t been plugged in.
“We’d had quite a bit of work over the last few months and we were both off. I’m actually in Venice right now,” said his boss, Salim Neino, CEO of Kryptos Logic. “We were talking online about how the biggest cyberattack of the year happens and we’re both off.”
Neither MalwareTech nor his boss stayed off, however.
Although only 22, he is known in the close-knit world of cybersecurity as someone who’s good at “taking down big ugly things that are spreading fast,” in the words of Ryan Kalember, vice president for cybersecurity at Proofpoint, a Sunnyvale, Calif.-based security company.
Credit for first obtaining a sample of the malicious code appears to go to Kafeine, a security researcher who doesn’t give press interviews and goes only by his screen name, but who works for Proofpoint.
MalwareTech called him “a good friend and fellow researcher” in his blog post and noted that Kafeine passed him the sample so he could begin to reverse engineer it and see how it did what it was doing.
One of the first things MalwareTech noticed was that as soon as it installed itself on a new machine, the malware tried to contact a specific Internet address, a domain name that nobody had registered.
He promptly registered that domain, for $10.69, so he could see what it was up to. This was at around 3 p.m. in London, 10 a.m. ET. He started seeing connections from infected victims, hence his ability to track the ransomware’s spread.
The registration wasn’t done on a whim, he noted. “My job is to look for ways we can track and potentially stop botnets (and other kinds of malware),” he wrote on his blog.
However, in doing so, MalwareTech had inadvertently stopped the entire global attack in its tracks, though it took him and others a while longer to realize it.
“Humorously,” he wrote, “at this point we had unknowingly killed the malware.”
The malware contained code that, before doing anything else on a newly infected machine, tried to reach that unregistered domain. While nobody owned the domain the request failed, and the malware carried on; if the request succeeded, the malware shut itself down. Once MalwareTech registered the domain and it began answering, every new copy that could reach it quit before encrypting anything. Computers already encrypted were not helped, and neither were machines on isolated networks with no direct path to the Internet, where the check still fails and the ransomware still runs, but everywhere else the spread stopped.
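The kill-switch logic described above, and the tracking the registration made possible, modelled in Python. This is an added example written for this page, not the malware's code and not MalwareTech's; the domain name is a placeholder (the article does not give the real one), the network probe is injected so the three outcomes can be exercised offline, and the sinkhole log lines are constructed.

```python
import re
from collections import Counter
from typing import Callable, Iterable

# Placeholder for the hard-coded domain; the page does not give the real name.
KILL_SWITCH_DOMAIN = "killswitch.example"


class ProbeFailed(Exception):
    """Raised by a probe when the domain cannot be reached
    (NXDOMAIN, no route to host, outbound HTTP blocked, ...)."""


def should_run_payload(probe: Callable[[str], bool],
                       domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """Model of the kill-switch decision described in the article.

    The malware tries to reach `domain`. If the request SUCCEEDS it shuts
    itself down without encrypting anything; only if the request fails does
    it go on. `probe` stands in for the real HTTP request: it returns True
    when the domain answered, or raises ProbeFailed.
    """
    try:
        reached = probe(domain)
    except ProbeFailed:
        reached = False
    return not reached


# Constructed probes for the three network conditions the article implies.
def probe_unregistered(domain: str) -> bool:
    # Before the domain was registered: the DNS lookup fails.
    raise ProbeFailed(f"{domain}: NXDOMAIN")


def probe_sinkholed(domain: str) -> bool:
    # After registration: the sinkhole answers, so the malware sees success.
    return True


def probe_isolated(domain: str) -> bool:
    # Registered, but this host has no direct Internet path (air-gapped
    # segment, or outbound HTTP only through a proxy the check does not use):
    # the request still fails, so the kill switch does not help here.
    raise ProbeFailed(f"{domain}: no route to host")


# Common Log Format line from the sinkhole's web server (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def summarize_sinkhole(log_lines: Iterable[str]) -> dict:
    """Reduce sinkhole access-log lines to what the registration made
    visible: how many distinct hosts checked in (each one an infected machine
    that ran the check) and how the hits are spread over time.
    Malformed lines are counted and skipped rather than aborting the run."""
    hosts = set()
    per_minute = Counter()
    bad = 0
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            bad += 1
            continue
        hosts.add(m.group("ip"))
        # "12/May/2017:15:06:01 +0100" -> "12/May/2017:15:06"
        per_minute[m.group("ts")[:17]] += 1
    return {"unique_hosts": len(hosts),
            "hits_per_minute": dict(per_minute),
            "malformed": bad}


# Constructed sample: three hosts, one checking in twice (the malware run
# again on the same machine), plus one junk line.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2017:15:06:01 +0100] "GET / HTTP/1.1" 200 0',
    '198.51.100.23 - - [12/May/2017:15:06:09 +0100] "GET / HTTP/1.1" 200 0',
    '203.0.113.7 - - [12/May/2017:15:07:30 +0100] "GET / HTTP/1.1" 200 0',
    '192.0.2.88 - - [12/May/2017:15:07:44 +0100] "GET / HTTP/1.1" 200 0',
    'garbage line that is not an access-log entry',
]

if __name__ == "__main__":
    for name, probe in [("unregistered", probe_unregistered),
                        ("sinkholed", probe_sinkholed),
                        ("isolated", probe_isolated)]:
        print(f"{name:12s} -> payload runs: {should_run_payload(probe)}")
    print(summarize_sinkhole(SAMPLE_LOG))
```

The `probe_isolated` case is the one a defender should notice: registering the domain only helps hosts that can actually complete the request, so the count of sinkhole hits understates infections on networks that block or proxy outbound HTTP, and those networks still need patching and containment.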