British researcher Marcus Hutchins finds kill switch, 'accidentally' stops malware crippling computers worldwide
As the world began to understand the dimensions of "Wanna Decrypt0r 2.0," the ransomware that has crippled computers worldwide, an accidental hero hit the kill switch.
Marcus Hutchins, a 22-year-old British cybersecurity specialist who lives with his parents in Devon, bought an unusually long and nonsensical domain name ending with "gwea.com".
He says he paid NZ$15.58, but his purchase might have saved companies and governmental institutions around the world billions of dollars.
By registering the domain and standing up a website behind it, the researcher, who works with US cybersecurity enterprise Kryptos Logic, says he activated a kill switch. The move immediately slowed the spread of the malware and could ultimately stop its current version, cybersecurity experts said on Saturday.
Hidden in the malware, the kill switch probably was not supposed to be activated anytime soon. Perhaps it was never supposed to be there in the first place.
Hutchins, who is self-taught, operates out of a small bedroom in his parents' house, The Telegraph reported.
When Darien Huss, a researcher with US cybersecurity company Proofpoint, came across the strange domain in the code on Saturday, he immediately flagged his discovery on social media.
Alerted by the finding, Hutchins, who tweets using the handle @MalwareTechBlog, decided to take action without knowing what impact registering the domain would have.
While spreading to computers, the malware made requests to the unregistered website ending with "gwea.com". Until around 6am on Saturday (NZT), all of those requests failed, and a failed lookup is the condition under which the malware carries on running.
For hours, a non-existent website helped to cripple computers worldwide.
But as soon as Hutchins registered the website out of curiosity about the unusual domain name, automatic requests immediately skyrocketed, according to screenshots published on his Twitter account.
It was only then that the cyber researchers realised that they might have accidentally activated a kill switch in the ransomware.
I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental.— MalwareTech (@MalwareTechBlog) May 13, 2017
So I can only add "accidentally stopped an international cyber attack" to my Résumé. ^^— MalwareTech (@MalwareTechBlog) May 13, 2017
"If the domain successfully resolves to an IP address, the malware will stop running," explained cybersecurity expert McArdle.
Speaking to The Washington Post on Saturday, Hutchins said using a domain name as a kill switch appeared unprecedented to him.
"Previous malware has used such a check to detect analysis environments but not in a way which can be used to stop the malware," he said.
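The behaviour the article describes, reduced to a small model: the malware asks DNS for a name, halts if the name resolves, and carries on if the lookup fails. The Python below is an added illustration written for this page, not WannaCry's code and not anything published by the researchers quoted. The domain name, the four resolver behaviours, the IP addresses and the sinkhole log lines are all constructed; the real kill-switch domain is not reproduced here because the article gives only its suffix.

```python
"""Model of a DNS-resolution kill switch of the kind described in the article.

Added illustration, not the ransomware's code.  Every name, address and log
line below is constructed for the demonstration.
"""
import socket
from collections import Counter

# Placeholder in the reserved .invalid TLD; the article gives only the suffix
# of the real name, and this is deliberately not it.
KILL_SWITCH_DOMAIN = "example-killswitch.invalid"


def kill_switch_says_run(domain, resolve):
    """Return True if the payload would proceed, False if it would halt.

    `resolve(domain)` models a DNS lookup: it returns an address string or
    raises when the name cannot be resolved.  As the text explains, a name
    that resolves stops the malware; a lookup that fails for any reason lets
    it continue.
    """
    try:
        resolve(domain)
    except (socket.gaierror, OSError):
        return True      # no answer: behave as before the domain was registered
    return False         # name resolves: halt


# Four constructed resolver behaviours a host might see.

def unregistered(domain):
    """Before anyone registered the name: the resolver returns NXDOMAIN."""
    raise socket.gaierror(-2, "Name or service not known")


def sinkholed(domain):
    """After the name was registered and pointed at a live server."""
    return "192.0.2.10"  # TEST-NET-1 documentation address, constructed


def fake_dns_sandbox(domain):
    """Analysis environment that answers every query so samples 'phone home'."""
    return "10.0.0.1"


def no_egress(domain):
    """Host that cannot reach DNS at all (air-gapped, or proxy-only network)."""
    raise OSError("Network is unreachable")


def outcomes():
    """Whether the payload would run under each resolver behaviour."""
    return {
        "unregistered": kill_switch_says_run(KILL_SWITCH_DOMAIN, unregistered),
        "sinkholed": kill_switch_says_run(KILL_SWITCH_DOMAIN, sinkholed),
        "fake_dns_sandbox": kill_switch_says_run(KILL_SWITCH_DOMAIN, fake_dns_sandbox),
        "no_egress": kill_switch_says_run(KILL_SWITCH_DOMAIN, no_egress),
    }


# What the operator of the registered domain sees: every request is a host
# that ran the check.  Constructed access-log lines, RFC 5737 addresses.
SINKHOLE_LOG = """\
2017-05-13T06:01:02Z 198.51.100.7 GET / HTTP/1.1
2017-05-13T06:01:02Z 198.51.100.23 GET / HTTP/1.1
2017-05-13T06:01:03Z 198.51.100.7 GET / HTTP/1.1
2017-05-13T06:01:04Z 203.0.113.9 GET / HTTP/1.1
"""


def hosts_that_checked_in(log_text):
    """Count check-ins per source address from sinkhole access-log lines."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            counts[parts[1]] += 1
    return counts


if __name__ == "__main__":
    for scenario, runs in outcomes().items():
        print(f"{scenario:18s} -> {'payload runs' if runs else 'payload halts'}")
    print("distinct hosts seen by the sinkhole:", len(hosts_that_checked_in(SINKHOLE_LOG)))
```

Two things the model makes visible that the prose only implies. First, the check treats every failed lookup the same way, so a host that cannot reach DNS at all, or that sits behind a mandatory proxy the malware does not use, behaves exactly as if the domain were still unregistered and is not protected by the registration. Second, a sandbox that answers every DNS query to coax samples into phoning home makes this sample halt, which is why the same kind of lookup has historically served as an analysis-environment test rather than a kill switch.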
He told The Guardian he had no real qualifications and was self-taught.
"It's always been a hobby to me ... I ended up getting a job out of my first botnet tracker, which the company I now work for saw and contacted me about, asking if I wanted a job. I've been working there a year and two months now."
He said still living with his parents was "so stereotypical". His mum was excited, but his dad hadn't been home yet. "I'm sure my mother will inform him," he told The Guardian.
"It is quite crazy, I've not been able to check into my Twitter feed all day because it's just been going too fast to read. Every time I refresh it it's another 99 notifications."
It remains unknown, however, whether the domain check was meant as a kill switch at all. Cybersecurity expert McArdle said an accidental flaw in the ransomware is more likely.
"At first glance, this may appear to be a deliberate kill switch in the malware for the authors' use," said McArdle, referring to the possibility the malware's creators included the domain to be able to stop its spread if their operation gets out of control.
But "in reality it's a flaw that actually allowed for the spread of the malware to be greatly slowed down, albeit accidentally, by the researcher who registered it early during the outbreak", McArdle said.
Saturday's discovery may have slowed the malware's spread, but it is unlikely to stop it, security experts said, because the malware's creators could soon release a different version without a kill switch.
Given the international disruption the ransomware caused within a few hours, however, the current slowing of the malware could give companies crucial time to apply security updates or to take backups.
- Washington Post, Stuff