SAN FRANCISCO — The massive ransomware attack that crippled more than 20% of hospitals in the United Kingdom and disabled systems in as many as 74 countries appears to have been inadvertently stopped by a 22-year-old computer security researcher in England who began studying it Friday afternoon.
The story, which the as-yet-unnamed security whiz wrote up in a blog post on Saturday, is an example of the driven-to-puzzle-things-out mentality typical of people drawn to cybersecurity.
“He was in the right place at the right time, and he did the right thing without any hesitation,” said Dan Kaminsky, a longtime security researcher and chief scientist at White Ops, a New York-based based security firm.
Dozens of countries battle after-effects of 'unprecedented' ransomware hack
Because nobody's really in charge of the Internet, it's messy and wonderful in equal proportion, he said.
"We maintain it with duct tape, baling wire and the good graces of no small number of 'volunteer firefighters.' I am hopeful for a future with more formal, funded support for this foundation of our suddenly global information economy. But it's pretty great that a 22-year-old can see a worldwide problem and spend a bit to help us all,” Kaminsky said.
How it happened
The ransomware appears to have first appeared at 3:24 a.m. ET on Friday, said Craig Williams, a senior technical leader at security company Cisco Talos.
Within about seven hours it had been stopped in its tracks.
For the analyst, who for security reasons has chosen to only be identified by his online blog name of MalwareTech, things hit after lunch on Friday when he noticed all the fuss about a global ransomware attack and decided to investigate.
His day job is as a security researcher at Los Angeles-based Kryptos Logic, but he was actually supposed to be on vacation this week so he hadn't been plugged in.
"We'd had quite a bit of work over the last few months and we were both off. I'm actually in Venice right now," said his boss, Salim Neino, CEO of Kryptos Logic. "We were talking online about how the biggest cyberattack of the year happens and we're both off."
Neither MalwareTech nor his boss stayed off, however.
Although only 22, he is known in the close-knit world of cybersecurity as someone who's good at "taking down big ugly things that are spreading fast," in the words of Ryan Kalember, vice president for cybersecurity at Proofpoint, a Sunnyvale, Calif.-based security company.
First credit to actually getting a sample of the malicious software code appears to go to Kafeine, a security researcher who doesn't give press interviews and only goes by his screen name, but who works for Proofpoint.
Malware Tech called him "a good friend and fellow researcher" in his blog post and noted that Kafeine passed him the sample so he could begin to reverse engineer it to see how it did what it was doing.
One of the first things MalwareTech noticed was that as soon as it installed itself on a new machine, the malware tried to send a message to an unregistered Internet address, or domain name.
He promptly registered that domain, so he could see what it was up to. This was at around 3 p.m. in London, 10 a.m. ET.
The registration wasn't done on a whim, he noted. "My job is to look for ways we can track and potentially stop botnets (and other kinds of malware)," he wrote on his blog.
However, in doing so, MalwareTech had inadvertently stopped the entire global attack in its tracks, though it took him and others awhile longer to realize it.
"Humorously," he wrote, "at this point we had unknowingly killed the malware."
The malware contained computer code that pinged an unregistered Web address, and if it didn't get back a message saying the address didn't exist, it would turn itself off. Computers that were already infected with the ransomware weren't protected but the ransomware stopped spreading except in isolated systems, said Williams.
"We think it was a kill switch that the creators built in," said Kalember. They would have been able to stop the spread of the software simply by registering and setting up the Web address — except MalwareTech got there first.
As a final test, he first ran the malware in a closed environment that was connected to the registered website and got nothing.
Then he ran it again after modifying the host system so that the connection would be unsuccessful, and the ransomware promptly took it over.
"Now you probably can’t picture a grown man jumping around with the excitement of having just been ransomwared, but this was me. The failure of the ransomware to run the first time and then the subsequent success on the second mean that we had in fact prevented the spread of the ransomware and prevented it ransoming any new computer since the registration of the domain," he wrote.
The website registration that stopped the ransomware that had caused thousands of companies tens of thousands of dollars worth of damage "cost about $10," said Neino.
Darien Huss, a security researcher at Proofpoint who'd been helping MalwareTech with the analysis, tweeted at 10:29 a.m. ET that the unregistered domain had been registered and the malware had stopped spreading.
"We were then able to get all the information out to the FBI," said Neino.
Soon thereafter the United Kingdom's National Cyber Security Centre posted the text of MalwareTech's blog on its site.
While this particular variant of the malware has been stopped, security experts are quick to point out that all that the criminals behind it would need to do is rewrite the code to either ping a different domain or remove that domain check and send it out.
This makes it all the more important that computers and networks quickly install the Windows patches that fix the problem that allowed the code to so easily spread in the first place. Microsoft issued that patch on March 14 but clearly many systems had not installed the crucial new software.
After a long and fruitful day, MalwareTech suggested that people do just that, then wrote, "Now I should probably sleep."