How WannaCry crippled the NHS and a security researcher brought it back

News by Tom Reeve

Into the breach: how a security researcher and other cyber-security experts working together and alone stopped a virulent strain of malware in its tracks.

The security researcher who is being credited as the “accidental hero” in helping to stop the WannaCry ransomware attack has seen his pleas for anonymity ignored by the mainstream media.

Marcus Hutchins, 22, who lives and works in Devon, was identified by a national newspaper as the man behind the Twitter handle MalwareTech. MalwareTech is credited with shutting down the WannaCry ransomware attack by registering a specific domain name.

He said in his blog that he didn't expect it to have such a dramatic effect on the malware and that his primary interest was in gathering more data on WannaCry and the people behind it. The domain – iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com – is just one of thousands that he has registered while studying malware.

He said “the actual registration of the domain was not on a whim. My job is to look for ways we can track and potentially stop botnets (and other kinds of malware), so I'm always on the lookout to pick up unregistered malware control server (C2) domains. In fact I registered several thousand of such domains in the past year.”

At one point, he feared that by registering the domain he had actually activated the encryption function in the malware, but he quickly found out from Proofpoint researcher Darien Huss that it had had the opposite effect – it had shut the malware down.

It turns out that the malware was programmed to shut down if it received a response when pinging this domain name. There are two theories as to why this is the case.

MalwareTech said it looked like a failed sandbox detector. When capturing malware, a sandbox will attempt to provide an appropriate response whenever the malware tries to contact an external address, even one that does not really exist. Malware sometimes exploits this to detect a sandbox: it contacts a non-existent address and, if it receives a response, concludes that it is running in a sandbox and shuts down.

Another theory, put forward by Rob Holmes from Proofpoint, is that the malware author put a killswitch in the malware because they were concerned about their ability to control it. Holmes bases this theory on the observation that the author was a ‘script kiddie’, judging by the amateurish way the code was written.
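The kill-switch check described above has a direct defensive use: any host whose DNS logs show a lookup of the domain ran the malware, and a lookup that failed (before the domain was registered) is the one where the malware carried on. The following added example, not code from the article or from MalwareTech, triages a constructed DNS log on that basis; the log format, client addresses and timestamps are assumptions made for the example.

```python
"""Triage DNS logs for lookups of the WannaCry kill-switch domain.

Added example, not from the article. The article states the malware shuts
down only when its lookup of the domain gets a response, so a host whose
lookup returned NXDOMAIN (no response) is the one to examine first.
"""
import re

KILLSWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample lines in an assumed format:
# "<timestamp> <client-ip> query <name> -> <rcode>"
SAMPLE_LOG = """\
2017-05-12T14:02:11Z 10.0.3.17 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com -> NXDOMAIN
2017-05-12T14:02:12Z 10.0.3.17 query wpad.corp.example -> NOERROR
2017-05-12T15:41:09Z 10.0.8.42 query IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. -> NOERROR
2017-05-12T15:41:10Z 10.0.5.5 query update.example.net -> NOERROR
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+) -> (\S+)$")


def normalise(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def triage(log_text, domain=KILLSWITCH_DOMAIN):
    """Map each client that looked up the kill-switch domain to a verdict.

    'killswitch_missed': lookup got no answer, so the malware continued.
    'killswitch_fired' : lookup was answered, so the malware shut down.
    Either way the host executed the malware and needs attention.
    """
    verdicts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        _ts, client, name, rcode = m.groups()
        if normalise(name) != domain:
            continue
        verdicts[client] = "killswitch_missed" if rcode == "NXDOMAIN" else "killswitch_fired"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{host}: {verdict}")
```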

“A viable explanation is that a script kiddie has bolted together ransomware code with the EternalBlue vulnerability, to see what they could come up with, and thought, I'd better put a mechanism in here that I can just shut it down at any point,” he said.

Holmes said that in his opinion, “for somebody in the cyber-crime world, it would take little talent” to bolt the worm – EternalBlue – to the ransomware package.

If this were a coordinated criminal attack aimed at the NHS, Holmes would expect the attackers to have been asking for a lot more money and not to have included an ‘on-off switch’.

“To have included a killswitch was pretty naive,” he said. “This was not a large-scale attack – it was the propagation that gave it scale.”

Nonetheless, Holmes has no doubt that the attackers will have made a profit from this attack. EternalBlue was available free of charge on the internet and had been analysed by countless security researchers, and ransomware can be purchased cheaply on the dark web.

As of 3.08pm BST, the three bitcoin addresses associated with WannaCry ransom payments had clocked up 211 transactions totalling $54,975 (£42,600), for an initial outlay that was probably no more than a few hundred dollars.

Another security researcher wrote that he feels like it's 2003 again, not 2017. Jarno Niemelä from F-Secure said the worm component of the attack is “very similar to the W32/Blaster worm from 2003, which attacked a vulnerability in RPC/DCOM, but otherwise was very similar to WCry”.

He was also sceptical of the attackers' technical capabilities, saying they “were not exactly super hackers”.

He said: “It is very likely that the attackers are running for the hills right now, as law enforcement around the world are definitely going to coordinate to hunt them down.”

In fact, the attackers may very well be panicking, given they went immediately to the top of the FBI Most Wanted list and are being actively sought by the likes of Europol and GCHQ.

And Holmes added: “Worms aren't new, ransomware isn't new – the two together is quite new! My hope is that if there is any silver lining that we make the most of the heightened awareness and that cyber-security is seen as a clear and present danger, not just from a financial perspective but also from a disruptive perspective – goodness, you can't have your national health service offline for a weekend.”

Meanwhile, MalwareTech is feeling the consequences of his loss of anonymity. He told the MailOnline that he was concerned for his personal safety, referring to the case of another security blogger who faced threats after he was identified online. “I've seen posts about the terrible things people have done to him and for me in future it could be the same things,” MalwareTech said.

