In May 2017, a computer programmer known as ‘MalwareTech’ accidentally stopped the spread of a worldwide cyber attack. Marcus Hutchins, the programmer behind the name, explained to Amber-Ainsley Pritchard how he foiled the WannaCry attacks
When checking the UK cyber threat sharing platform on the afternoon of May 12, Marcus Hutchins found the site flooded with posts about various NHS systems across the country being hit by malware known as WannaCry.
Hutchins, an employee of computer security firm Kryptos Logic, obtained a sample of the malware and ran it in an analysis environment. There he noticed the sample trying to reach a domain that nobody had registered, so he registered it himself.
Running the sample in a second analysis environment, he saw it run to completion and display the WannaCry ransom page. In the captured traffic, Hutchins found the malware attempting connections to large numbers of other machines on port 445, the port used by Windows file sharing (SMB) and a frequent target for network-borne exploits.
Hutchins said: “The mass connection attempts immediately made me think ‘exploit scanner’.”
He said the way it was scanning made him think of the recent leak of hacking tools attributed to the National Security Agency by the Shadow Brokers group.
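The behaviour that tipped Hutchins off, one host opening connections to many distinct machines on port 445 in a short time, is something a defender can look for directly. The following is an added example, not code from the original article or from Hutchins: it runs a simple sliding-window heuristic over constructed connection records (the addresses, timestamps and thresholds are assumptions) and flags any source that tries to reach at least `min_targets` distinct hosts on SMB within `window_seconds`. A normal client talking repeatedly to a couple of file servers stays below the threshold; a worm-style scanner does not.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def make_sample_flows():
    """Constructed flow records (timestamp, src, dst, dport), not real traffic.

    10.0.0.7 behaves like an SMB exploit scanner: 60 distinct targets in 30 seconds.
    10.0.0.9 behaves like a normal client: the same two file servers over 10 minutes.
    """
    base = datetime(2017, 5, 12, 14, 0, 0)
    flows = []
    for i in range(60):
        flows.append((base + timedelta(seconds=0.5 * i), "10.0.0.7", f"10.0.1.{i + 1}", 445))
    for i in range(40):
        flows.append((base + timedelta(seconds=15 * i), "10.0.0.9", f"10.0.2.{5 + i % 2}", 445))
    # Unrelated web traffic from the scanner host should be ignored by the 445 filter.
    flows.append((base, "10.0.0.7", "10.0.3.1", 443))
    return flows


def find_smb_scanners(flows, window_seconds=60, min_targets=20, port=445):
    """Return {src: peak distinct targets} for sources that contact >= min_targets
    distinct hosts on `port` inside any window of `window_seconds`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, dst))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        distinct = Counter()  # dst -> number of attempts inside the current window
        left = 0
        for ts, dst in events:
            distinct[dst] += 1
            # Slide the left edge forward until the window fits.
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                distinct[old_dst] -= 1
                if distinct[old_dst] == 0:
                    del distinct[old_dst]
                left += 1
            if len(distinct) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for src, peak in find_smb_scanners(make_sample_flows()).items():
        print(f"possible SMB scanner: {src} reached {peak} distinct hosts on 445 within 60s")
```

The threshold is the tunable part: on a network where one host legitimately enumerates many SMB servers (a backup appliance, a vulnerability scanner) the source should be allow-listed rather than the threshold raised for everyone.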
Once the domain was registered, Hutchins pointed it at a sinkhole: a server set up to receive the malicious traffic so that it can be recorded, and so that the attackers cannot use the domain to control infected machines.
The next step was to reverse engineer the malware, that is, to analyse its code to understand how it spread and what it expected from the network, looking for weaknesses that would let Hutchins interfere with it, or with the population of infected computers, and halt the spread.
Because the domain now resolved to the sinkhole, every infected machine that tried to reach the domain connected to Hutchins's server instead. The resulting log of connection attempts let him track the spread of the infection, which he turned into a live tracking map and posted on Twitter.
Hutchins then had the sample checked to confirm that the domain it queried was fixed in the code rather than generated dynamically, so the registration would keep working. He also checked for new variants using different domains, which would each need to be registered in turn.
Once the domain had been checked, a fellow programmer wrongly told Hutchins that registering it had triggered the ransomware and encrypted the files on every affected computer. This was not the case: registering the domain had in fact stopped the ransomware and prevented further spread.
Hutchins confirmed this by running the sample twice more using different analysis techniques. With the domain now registered, the ransomware failed to run, confirming that the registration had stopped the spread of the malware.
So why did the sinkhole stop an international ransomware epidemic?
Hutchins explained that, before doing anything else, the WannaCry code attempted to connect to the domain he had registered.
While the domain was unregistered, that connection attempt failed, and the malware carried on to encrypt the machine's files and to scan for further victims. Once the domain was registered, the connection succeeded, and on a successful connection the code simply quit, leaving the machine untouched.
Hutchins believes the attackers built this 'exit on success' behaviour into the code as a crude anti-analysis measure. Malware analysis sandboxes commonly answer every network request a sample makes, whether or not the destination really exists, so a connection to an unregistered domain that nonetheless succeeds is a sign the sample is being watched, and exiting at that point keeps its behaviour hidden from the analyst.
Hutchins said: “The reason which was suggested (for the exit strategy) is that the domain is a ‘kill switch’ in case something goes wrong, but I now believe it to be a badly thought out anti-analysis.”
By registering the domain, Hutchins made the connection check succeed on every newly infected machine, so each one exited instead of encrypting files and scanning for new targets. He had, unintentionally, stopped the spread and the further ransoming of computers hit by this variant of the malware.
Hutchins will continue to host the domain so that the check keeps succeeding. However, he warned that this protects only against this variant: a copy with the check removed, or with a different domain, would not be stopped, so users should install the patches that close the SMB vulnerability the malware exploits (Microsoft's MS17-010 update) rather than rely on the sinkhole.
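The two mechanisms the article describes, the malware's connection check and the sinkhole telemetry built on it, are small enough to show in working code. The following is an added example and is not code from the original article, from Hutchins or from the malware itself; the domain name, the IP addresses and the log lines are constructed placeholders. The first part models the decision the malware makes (the real sample issued an HTTP request to the domain; here the connection attempt is a pluggable callable so the three situations can be compared offline): unregistered domain, sinkholed domain, and an analysis sandbox that answers every request. The second part parses constructed sinkhole access-log lines and counts distinct infected sources per hour, which is the data behind a tracking map like the one Hutchins posted.

```python
import re
import socket
from collections import defaultdict
from datetime import datetime

# Placeholder; the real WannaCry domain is deliberately not reproduced here.
KILL_SWITCH_DOMAIN = "killswitch-check.example"


def connection_succeeds(domain, connect=socket.gethostbyname):
    """True if the connection attempt to `domain` succeeds. Any failure counts as 'unreachable'."""
    try:
        connect(domain)
        return True
    except OSError:
        return False


def payload_would_run(domain, connect):
    """The gate the article describes: the payload proceeds only when the check FAILS."""
    return not connection_succeeds(domain, connect)


# Three constructed environments for the check above.
def unregistered_domain(domain):
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")


def sinkholed_domain(domain):
    return "198.51.100.10"  # any successful answer at all makes the malware exit


def analysis_sandbox(domain):
    return "10.0.0.1"  # a sandbox that answers every request, which is why the check looks like anti-analysis


# Constructed sinkhole access-log lines in common log format (not real data).
SINKHOLE_LOG = """\
203.0.113.5 - - [12/May/2017:15:08:02 +0000] "GET / HTTP/1.1" 200 0
198.51.100.23 - - [12/May/2017:15:09:41 +0000] "GET / HTTP/1.1" 200 0
203.0.113.5 - - [12/May/2017:15:12:17 +0000] "GET / HTTP/1.1" 200 0
192.0.2.77 - - [12/May/2017:15:40:03 +0000] "GET / HTTP/1.1" 200 0
203.0.113.5 - - [12/May/2017:16:01:55 +0000] "GET / HTTP/1.1" 200 0
192.0.2.200 - - [12/May/2017:16:30:10 +0000] "GET / HTTP/1.1" 200 0
this line is corrupt and must be skipped
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def infections_per_hour(log_text):
    """Map 'YYYY-MM-DD HH' -> number of distinct source IPs seen in that hour.

    Each distinct IP is one machine that ran the check, i.e. one infection that exited.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate malformed lines rather than abort the whole count
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        seen[ts.strftime("%Y-%m-%d %H")].add(m.group("ip"))
    return {hour: len(ips) for hour, ips in seen.items()}


if __name__ == "__main__":
    for name, env in [("unregistered", unregistered_domain), ("sinkholed", sinkholed_domain),
                      ("sandbox", analysis_sandbox)]:
        print(f"{name:12s}: payload runs = {payload_would_run(KILL_SWITCH_DOMAIN, env)}")
    for hour, n in sorted(infections_per_hour(SINKHOLE_LOG).items()):
        print(f"{hour}: {n} distinct infected sources")
```

Note what the gate does not do: a variant with the check patched out, or pointed at a different domain, passes straight through, which is why the sinkhole is a stopgap and the SMB patch is the actual fix.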