An alert researcher, teamwork helped stem huge cyberattack

A screenshot of the warning screen from a purported ransomware attack, as captured by a computer user in Taiwan, is seen on laptop in Beijing, Saturday, May 13, 2017. Dozens of countries were hit with a huge cyberextortion attack Friday that locked up computers and held users' files for ransom at a multitude of hospitals, companies and government agencies. (AP Photo/Mark Schiefelbein)

An alert researcher, a cheap domain name, cross-ocean cooperation helped stem effects of cyberattack

LONDON — The cyberattack that spread malicious software around the world, shutting down networks at hospitals, banks and government agencies, was thwarted by a young British researcher and an inexpensive domain registration, with help from another 20-something security engineer in the U.S.

Britain's National Cyber Security Center and others were hailing the cybersecurity researcher, a 22-year-old identified online only as MalwareTech, who — unintentionally at first — discovered a so-called "kill switch" that halted the unprecedented outbreak.

By then the "ransomware" attack had crippled Britain's hospital network and computer systems in several countries in an effort to extort money from computer users. But the researcher's actions may have saved companies and governments millions of dollars and slowed the outbreak before computers in the U.S. were more widely affected.

MalwareTech, who works for cybersecurity firm Kryptos Logic, is part of a large global cybersecurity community that constantly watches for attacks and works together to stop or prevent them, often sharing information via Twitter. It's not uncommon for its members to use aliases, either to protect themselves from retaliatory attacks or for privacy.

In a blog post Saturday, MalwareTech explained he learned on Friday that networks across Britain's health system had been hit by ransomware, tipping him off that "this was something big."

He began analyzing a sample of the malicious software and noticed its code included a hidden web address that wasn't registered. He said he "promptly" registered the domain, something he regularly does to try to discover ways to track or stop malicious software.

Across an ocean, Darien Huss, a 28-year-old research engineer for the cybersecurity firm Proofpoint, was doing his own analysis. The western Michigan resident said he noticed the authors of the malware had left in a feature known as a kill switch. Huss took a screenshot of his discovery and shared it on Twitter.

Soon he and MalwareTech were communicating about what they'd found: that registering the domain name and redirecting the attacks to the server of Kryptos Logic had activated the kill switch, halting the ransomware's infections.

Huss and others were calling MalwareTech a hero on Saturday, with Huss adding that the global cybersecurity community was working "as a team" to stop the infections from spreading.

"The 'hero' is a bit strong," MalwareTech said Sunday. "I sort of did what I could."

Both said they were concerned the authors of the malware could re-release it without a kill switch or with a better one, or that copycats could mimic the attack.

"I think it is concerning that we could definitely see a similar attack occur, maybe in the next 24 to 48 hours or maybe in the next week or two," Huss said. "It could be very possible."

Who perpetrated this wave of attacks remains unknown. This is already believed to be the biggest online extortion attack ever recorded, disrupting services in nations as diverse as the U.S., Russia, Ukraine, Brazil, Spain and India.

Europol, Europe's policing agency, called the attack unprecedented and said computers in more than 150 countries have been affected. Two security firms — Kaspersky Lab and Avast — said Russia was hit hardest.

These hackers "have caused enormous amounts of disruption — probably the biggest ransomware cyberattack in history," said Graham Cluley, a veteran of the anti-virus industry in Oxford, England.

In Russia, government agencies insisted that all attacks had been resolved. The Russian Interior Ministry, which runs the national police, said the problem had been "localized" with no information compromised. Russia's health ministry said its attacks were "effectively repelled."

The ransomware exploits a vulnerability in Microsoft Windows that was purportedly identified by the U.S. National Security Agency for its own intelligence-gathering purposes. Hackers said they stole the tools from the NSA and dumped them on the internet.

___

Sara Burnett reported from Chicago.
