Two 20-something cyber experts helped bring down the widespread ransomware attack that infiltrated networks at hospitals, banks, and government agencies in multiple countries.
A 22-year-old British researcher unintentionally found the so-called “kill switch” that authors of the malicious software left in the code. Later, he teamed up with a 28-year-old engineer in western Michigan to ultimately halt the infections, the Associated Press reported.
The unprecedented outbreak, which began last Friday, locked up computers and extorted users for large Bitcoin payments in nations as diverse as the U.S., Russia, Ukraine, Brazil, Spain, and India. It also hit the U.K.’s National Health Service, affecting computers in hospitals and doctors’ offices.
Britain’s National Cyber Security Center and others praised the 22-year-old researcher — identified only as MalwareTech — for killing the software, which reportedly blocked U.K. hospital schedules, patient files, and phone and email systems from access and rerouted emergency room patients.
MalwareTech belongs to a large global community of cybersecurity buffs who, working independently or for security companies, constantly monitor for attacks and collaborate to stop them. It’s fairly common for members to use aliases for privacy or to protect themselves from retaliatory attacks.
The young researcher explained in a blog post on Saturday how he “accidentally” stopped the global cyberattack
He said he returned from lunch with a friend on Friday and learned that a ransomeware attack had crippled Britain’s health system. A fellow researcher called Kafeine soon gave him a sample of the malicious software.
The malware, known as WannaCry or WannaCrypt, exploits a vulnerability in Microsoft Windows that was reportedly developed and used by the U.S. National Security Agency. Hackers in the group Shadow Brokers later leaked the exploit online.
In his analysis, MalwareTech noticed a hidden, unregistered web address in the code. He quickly registered the inexpensive domain to see if it would help him track or stop the software.
Meanwhile, across the pond in Michigan, Darien Huss was doing his own research. The engineer, who works for the cybersecurity firm Proofpoint, said he noticed the malware authors had included a kill switch. He took a screenshot of his finding and posted it on Twitter.
Huss and MalwareTech were soon communicating about their findings. By registering the domain name and redirecting attacks to his server, MalwareTech had apparently activated the kill switch, which halted the ransomware’s infections.
The duo’s actions may have saved companies and governments millions of dollars and slowed the outbreak before more U.S. computers were affected.
Huss praised his partner in non-crime for the discovery and said the security industry as a whole “should be considered heroes,” the AP reported. But he said he’s worried the authors of the malware could release a new and improved version without a kill switch, or that copycats could unleash similar attacks.
“I think it is concerning that we could definitely see a similar attack occur, maybe in the next 24 to 48 hours or maybe in the next week or two,” Huss told the AP. “It could be very possible.”
Security experts said the perpetrators of this attack remain unknown. The malicious software was identified in more than 70 experts, though Russia was hit the hardest.
European cybercrime experts are “working closely with affected countries’ cybercrime units and key industry partners to mitigate the threat and assist victims,” Europol, the European Union’s police agency, said on Saturday in a statement.
“The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits,” Europol said.
Associated Press contributed reporting to this story.