The WannaCry hacking’s “accidental hero”

The hack against NHS systems and other organisations across the globe last Friday (12^th May 2017) panicked many across the world, and seriously hampered our NHS’ ability to provide lifesaving care.

It has since emerged that one cyber-security expert managed to kill of the ransomware that was hacking into systems across the globe, and it was practically achieved by accident…

Unsung hero

A cyber-security blogger who identifies himself as MalwareTech revealed in his blog (www.malwaretech.com) how he worked his magic to shut down the WannaCry attack, also known as WannaCrypt malware.

The malware managed to shut down parts of the NHS systems as well as infecting computers across 150 countries, including Russia, the U.S., and China.

Users were ordered to pay ransoms to recover full control of their devices.

As the cyber-attack was so vast, it’s impossible to put an exact figure on the cost. However, BBC analysts suggest that cyber-hackers have already been paid the equivalent of £22,080.00.

How the malware was stopped

MalwareTech noted that it was partly accidental when he helped stop the attach when he registered a domain with the intention of tracking the malware. Instead, the domain that he had registered had actually disabled the malware as well as allowing them to track it. In his words: “it killed two birds with one stone.”

He said that he bought the domain as a means to check to see if the malware was running on an antivirus environment – which only cost him $10.69 (£8.29). By registering the domain, it triggered the check and so all of samples thought they were running on an antivirus environment and “they all just quit”. In more technical terms, the domains are pointed towards a sinkhole server which is designed to “capture malicious traffic” and prevent cyber-criminals from having further control of the infected computers.

He didn’t actually intend to kill off the malware. He explained that the domain was purchased because Kryptos logic, an LA-based threat intelligence company that he works for, tracks “botnets”. By registering the domain, he hoped to get a deeper understanding of how the botnet was spreading:

“The intent was to just monitor the spread and see if we could do anything about it later on.”

When it transpired that the 22 year-old managed to kill the malware, he said that he experienced a rollercoaster of emotions which included panic, confusion and ‘jumping around with excitement’ when he accidentally triggered the ‘kill switch’.

The expert told the Guardian:

“I was out having lunch with a friend and got back about 3pm and saw an influx of news articles about the NHS and various UK organisations being hit. I had a bit of look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time.”

Is this cyber-attack just the beginning?

Sadly, the joy may be short-lived. The anonymous hero has warned that his actions have only stopped one sample of the ransomware and that the attack could be rebooted by cyber-attackers.

He noted that the cyber-criminals will “change the code and start again”. He warned, “there is nothing stopping them from removing the domain check and trying again, so it’s incredibly important that any unpatched systems are patched as quickly as possible.”

This should be a real kick up the backside for organisations across the U.K., sadly that’s not a reality for many, more attacks are imminent.

Patients’ medical records still in the spotlight when it comes to data breaches

Dating website Guardian Soulmates data breach