LONDON — The cyberattack that spread malicious software around the world, shutting down networks at hospitals, banks and government agencies, was stemmed by a young British researcher and an inexpensive domain registration, with help from another 20-something security engineer in the U.S.
Britain’s National Cyber Security Center and others were hailing the cybersecurity researcher, a 22-year-old identified online only as MalwareTech, who – unintentionally at first – discovered a “kill switch” that halted the unprecedented outbreak.
By then, the “ransomware” attack had hobbled Britain’s hospital network and computer systems in several countries, in an effort to extort money from computer users. Hackers tricked victims into opening corrupt links in emails disguised as invoices, CBS News’ Jonathan Vigliotti reports. It’s still unclear who is behind the attack.
But a researcher’s actions may have saved companies and governments millions of dollars and slowed the outbreak before computers in the U.S. were more widely affected.
MalwareTech said in a blog post Saturday that he had returned from lunch with a friend on Friday and learned that networks across Britain’s health system had been hit by ransomware, tipping him off that “this was something big.”
He began analyzing a sample of the malicious software and noticed its code included a hidden web address that wasn’t registered. He said he “promptly” registered the domain, something he regularly does to try to discover ways to track or stop malicious software.
Across an ocean, Darien Huss, a 28-year-old research engineer for the cybersecurity firm Proofpoint, was doing his own analysis. The western Michigan resident said he noticed the authors of the malware had left in a feature known as a kill switch. Huss took a screen shot of his discovery and shared it on Twitter.
MalwareTech and Huss are part of a large global cybersecurity community of people, working independently or for security companies, who are constantly watching for attacks and working together to stop or prevent them, often sharing information via Twitter. It’s not uncommon for them to use aliases, either to protect themselves from retaliatory attacks or for privacy.
Soon Huss and MalwareTech were communicating about what they’d found: registering the domain name and pointing it at a server MalwareTech controlled, a technique known as “sinkholing,” had activated the kill switch and halted new infections. Machines already encrypted were not helped, but every fresh copy of the malware that could reach the domain now stopped before doing damage.
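The mechanism the two researchers pieced together, shown as an added Python example that is not code from the article, from MalwareTech or from Proofpoint. It models the malware-side check (run only if the domain does not answer), the three network situations a host can be in, and the sinkhole operator's view, where every request to the registered domain is an infected host checking in. The domain name and the access-log lines are constructed placeholders, not the real artifacts.

```python
"""Added example (not from the article, MalwareTech or Proofpoint).

An offline model of a domain-based kill switch and of the sinkhole that
defeats it. The domain name and the log lines are constructed placeholders.
"""
import re
from typing import Callable, Dict, Iterable, Optional

# Hypothetical placeholder; the real kill-switch domain is not reproduced here.
KILL_SWITCH_DOMAIN = "unregistered-killswitch.example"


def should_run_payload(fetch: Callable[[str], Optional[int]]) -> bool:
    """Malware-side logic, modelled on the behaviour the article describes.

    `fetch(url)` stands in for the network: it returns an HTTP status code if
    the host answered, returns None if the name did not resolve, and may raise
    if the connection failed. The payload runs only when the domain is
    unreachable, so once a defender registers the name and points it at any
    web server, fresh infections get an answer and stop.
    """
    try:
        status = fetch(f"http://{KILL_SWITCH_DOMAIN}/")
    except Exception:
        status = None
    return status is None


# Three stand-ins for the network, covering the cases a defender cares about.
def resolver_before_registration(url: str) -> Optional[int]:
    return None  # NXDOMAIN: nothing answers, payload proceeds


def resolver_after_sinkhole(url: str) -> Optional[int]:
    return 200  # the sinkhole answers, payload aborts


def resolver_egress_blocked(url: str) -> Optional[int]:
    # Host with no direct internet access (blocked egress, no proxy-aware
    # lookup): the sinkhole exists but this machine never reaches it.
    raise ConnectionError("outbound connection refused")


# Sinkhole side: each request for "/" on the registered domain is an infected
# host running the check, so the access log doubles as an infection census.
_ACCESS_LINE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) \d+'
)


def infected_hosts(access_log: Iterable[str]) -> Dict[str, int]:
    """Count hits per client IP in a Common Log Format sinkhole log,
    ignoring lines that do not parse and requests for anything but "/".
    """
    counts: Dict[str, int] = {}
    for line in access_log:
        m = _ACCESS_LINE.match(line)
        if not m or not m.group("req").startswith("GET / "):
            continue
        ip = m.group("ip")
        counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample log: three infected hosts, one of them checking twice,
# plus a crawler request and a garbled line that the parser drops.
SAMPLE_LOG = [
    '203.0.113.10 - - [13/May/2017:14:03:21 +0000] "GET / HTTP/1.1" 200 612',
    '198.51.100.7 - - [13/May/2017:14:03:22 +0000] "GET / HTTP/1.1" 200 612',
    '203.0.113.10 - - [13/May/2017:14:07:45 +0000] "GET / HTTP/1.1" 200 612',
    '192.0.2.55 - - [13/May/2017:14:08:01 +0000] "GET /robots.txt HTTP/1.1" 404 196',
    '192.0.2.56 - - [13/May/2017:14:09:13 +0000] "GET / HTTP/1.0" 200 612',
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    print("runs before registration:", should_run_payload(resolver_before_registration))
    print("runs after sinkhole:      ", should_run_payload(resolver_after_sinkhole))
    print("runs with egress blocked: ", should_run_payload(resolver_egress_blocked))
    print("hosts seen by sinkhole:   ", infected_hosts(SAMPLE_LOG))
```

Two points the model makes visible. The check only asks whether anything answers, which is why an ordinary web server at the sinkhole was enough to stop it. And because "no answer" means "go", the sinkhole protects only hosts that can actually reach it: a machine whose outbound traffic is blocked, or whose only path out is a proxy the check does not use, still runs the payload. The sinkhole's own access log is then the quickest inventory of which hosts are infected but halted.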
Who perpetrated this wave of attacks remains unknown. Two security firms – Kaspersky Lab and Avast – said they identified the malicious software in more than 70 countries. Both said Russia was hit hardest.
These hackers “have caused enormous amounts of disruption, probably the biggest ransomware cyberattack in history,” said Graham Cluley, a veteran of the anti-virus industry in Oxford, England.