CNNMoney (San Francisco) — An anonymous malware researcher inadvertently helped stop the spread of a global cyberattack that targeted nearly 100 countries.
The 22-year-old researcher, who goes by the name MalwareTech, has become an internet hero for their efforts to stem the spread of the WannaCry ransomware. MalwareTech, who is based in the U.K., did not disclose their identity or gender to CNN. MalwareTech published a blog post early Saturday morning detailing how they stopped the spread of this ransomware.
The ransomware took control of computers around the world and required owners to pay hundreds of dollars to get their files back. It took advantage of a Windows vulnerability leaked in April and the hacking tool is believed to belong to the NSA.
MalwareTech found an unregistered domain name in the ransomware and bought it for $10.69. Then, they pointed the domain to a sinkhole, or a server that collects and analyzes malware traffic. What they didn’t realize was that the domain — a random assortment of letters — was actually a kill switch, a way for someone to take control of the ransomware.
“Now one thing that’s important to note is the actual registration of the domain was not on a whim. My job is to look for ways we can track and potentially stop botnets (and other kinds of malware), so I’m always on the lookout to pick up unregistered malware control server (C2) domains. In fact I registered several thousand of such domains in the past year.” – MalwareTech
While the researcher is being lauded online for helping to prevent a more widespread outbreak, MalwareTech doesn’t consider themselves a hero.
“I just [think] don’t that what I did was that significant,” MalwareTech told CNN in an email. “And as of now I’ve had a fair bit of thanks from different people which is really appreciated, but no job offers which is nice as I’m happy where I am.”Live WannaCry tracking map
“We found out that the domain was supposed to be unregistered and the malware was counting on this, thus by registering it we inadvertently stopped any subsequent infections,” they told CNN.
However, this only stops one version of WannaCry. There are different versions of the ransomware that do not contact that particular domain and can still spread, so it is possible for computers to get infected. Windows machines that are up-to-date are safe from this ransomware.
Darien Huss, a researcher at security firm Proofpoint, first noticed that MalwareTech’s sinkhole was preventing the ransomware from spreading.
“It seems a lot like the actors responsible for this are fairly amateur because of the implementation that they used for the kill switch,” Huss told CNN. “It was very easy for someone other than themselves to activate the kill switch.”
Huss says it is very likely we will see another attack using the exploit, even as early as Monday.CNN’s Paul P. Murphy contributed to this report.