#CyberAttack: How 22-year-old discovered the kill switch

London — The cyber attack that spread malicious software around the world, shutting down networks at hospitals, banks and government agencies, was thwarted by a young British researcher and an inexpensive domain registration, with help from another 20-something security engineer in the US.

Britain's National Cyber Security Center and others were hailing the cyber security researcher, a 22-year-old identified online only as MalwareTech, who - unintentionally at first - discovered a so-called "kill switch" that halted the unprecedented outbreak.

By then the "ransomware" attack had crippled Britain's hospital network and computer systems in several countries, locking machines in an effort to extort money from their users. But the researcher's actions may have saved companies and governments millions of dollars and slowed the outbreak before computers in the US were more widely affected.

MalwareTech is one of many researchers in a large global cyber security community, working independently or for security companies, who constantly watch for attacks and work together to stop or prevent them, often sharing information via Twitter. It is not uncommon for them to use aliases, either to protect themselves from retaliatory attacks or for privacy.

In a blog post on Saturday, MalwareTech explained he returned from lunch with a friend on Friday and learned that networks across Britain's health system had been hit by ransomware, tipping him off that "this was something big".

He began analysing a sample of the malicious software and noticed that its code contained a hard-coded web address whose domain had never been registered. He said he "promptly" registered the domain, something he regularly does so that connections from infected machines land on a server he controls, a technique that can reveal how widely a piece of malware has spread or, as in this case, a way to stop it.

Across an ocean, Darien Huss, a 28-year-old research engineer for the cyber security firm Proofpoint, was doing his own analysis. The western Michigan resident said he noticed the authors of the malware had left in a feature known as a kill switch. Huss took a screen shot of his discovery and shared it on Twitter.

Soon he and MalwareTech were communicating about what they had found: registering the domain, so that infected machines' requests now reached MalwareTech's server instead of failing, had activated the kill switch, and the ransomware stopped spreading to new victims.
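The mechanism described above is simple enough to reconstruct in a few lines. The following is added example code, not the malware and not MalwareTech's or Proofpoint's tooling: it pulls a hard-coded URL out of a constructed byte blob the way an analyst running `strings` on a sample would, then models the decision the malware makes. The domain name, the sample bytes and the two probe functions are all invented for the demo; the real domain is deliberately not reproduced.

```python
"""Kill-switch check of the kind the article describes, as an illustration.

Added example code. Nothing here is taken from the actual sample; the domain,
the bytes and the probes are constructed so the script runs offline.
"""
import re
import urllib.request
from typing import Callable

# Constructed stand-in for a section of a dumped sample. The only thing that
# matters for the demo is the embedded, null-terminated URL.
SAMPLE_BYTES = (
    b"\x00\x00MZ\x90\x00junk\x00\x00"
    b"http://example-killswitch-domain.invalid\x00"
    b"\x00more\x00bytes\x00"
)

# Printable http(s) URL: scheme, host, optional port, optional path.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s\x00]*)?")


def extract_urls(blob: bytes) -> list[str]:
    """Pull http(s) URLs out of raw bytes, like `strings sample | grep http`."""
    return [m.group(0).decode("ascii", "replace") for m in URL_RE.finditer(blob)]


def should_run(kill_switch_url: str, probe: Callable[[str], bool]) -> bool:
    """Mirror the behaviour the article describes.

    The malware requests the hard-coded URL. If the request *succeeds* it
    stops; if it fails (unregistered domain, no answer) it proceeds.
    `probe` returns True when a request to the URL got a response, so the
    network check is injected and the logic can be exercised offline.
    """
    return not probe(kill_switch_url)


# Constructed probes standing in for the two states of the domain.
def probe_unregistered(url: str) -> bool:
    """Before registration: DNS resolution fails, nothing answers."""
    return False


def probe_sinkholed(url: str) -> bool:
    """After registration: the researcher's sinkhole answers every request."""
    return True


def probe_live(url: str, timeout: float = 5.0) -> bool:
    """Real probe for use outside the demo: one plain HTTP GET, any response
    counts as success, any error counts as failure. Not called by the demo."""
    try:
        with urllib.request.urlopen(url, timeout=timeout):
            return True
    except Exception:
        return False


def simulate() -> dict:
    """Run the extraction and evaluate the kill switch in both states."""
    urls = extract_urls(SAMPLE_BYTES)
    ks = urls[0]
    return {
        "kill_switch_url": ks,
        "runs_before_registration": should_run(ks, probe_unregistered),
        "runs_after_sinkhole": should_run(ks, probe_sinkholed),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Two consequences of this logic are worth keeping in mind when reading the rest of the article. The check is a single outbound HTTP request, so the switch only fires on hosts that can actually reach the sinkhole; a machine with no direct internet egress never sees a successful response and keeps running. And because a successful response is the stop signal, an analysis sandbox that fakes answers for every domain will make such a sample exit quietly and look harmless, which is one reason the domain in a real sample has to be checked against the live registry rather than in an isolated lab.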

Huss and others were calling MalwareTech a hero on Saturday, with Huss adding that the global cyber security community was working "as a team" to stop the infections from spreading.

"I think the security industry as a whole should be considered heroes," he said.

But he also said he's concerned the authors of the malware could re-release it without a kill switch or with a better one, or that copycats could mimic the attack.

"I think it is concerning that we could definitely see a similar attack occur, maybe in the next 24 to 48 hours or maybe in the next week or two," Huss said. "It could be very possible."

Who perpetrated this wave of attacks remains unknown. Two security firms - Kaspersky Lab and Avast - said they identified the malicious software in more than 70 countries. Both said Russia was hit hardest.

These hackers "have caused enormous amounts of disruption — probably the biggest ransomware cyber attack in history," said Graham Cluley, a veteran of the anti-virus industry in Oxford, England.

This is already believed to be the biggest online extortion attack ever recorded, disrupting services in nations as diverse as the US, Russia, Ukraine, Brazil, Spain and India. Europol, the European Union's police agency, said the onslaught was at "an unprecedented level and will require a complex international investigation to identify the culprits."

In Russia, government agencies insisted that all attacks had been resolved. Russia's Interior Ministry, which runs the national police, said the problem had been "localised" with no information compromised. Russia's health ministry said the attacks on it were "effectively repelled."

The ransomware exploits a vulnerability in Microsoft Windows that was purportedly identified by the US National Security Agency for its own intelligence-gathering purposes. The hackers who published the exploit said they had stolen the tools from the NSA and dumped them on the internet.
