How I stopped a global cyber attack – by accident

In May 2017, a computer programmer known as ‘MalwareTech’ accidentally stopped the spread of a worldwide cyber attack. Marcus Hutchins, the programmer behind the name, explained to Amber-Ainsley Pritchard how he foiled the WannaCry attacks

LinkedIn Twitter
LinkedIn Twitter

When checking the UK cyber threat sharing platform on the afternoon of May 12, Marcus Hutchins found the site flooded with posts about various NHS systems across the country being hit by malware known as WannaCry.


Hutchins, an employee of computer security firm Kryptos Logic, managed to get hold of a sample of the malware and ran it through an analysis environment to find an unregistered domain which he then registered.


When running the sample in another analysis environment, the WannaCry ransom page appeared. From this analysis Hutchins found files making a mass connection to different computers through a problematic port known to be ‘port 445’.


Hutchins said: “The mass connection attempts immediately made me think ‘exploit scanner’.”


He said the way it was scanning made him think about the recent leak of information by the Shadow Broker hacking group, after it accessed the National Security Agency’s systems.


Once the domain was registered Hutchins directed it to a sinkhole - a server designed to capture malicious traffic and prevent hackers controlling the infected computers.


The next steps were to reverse engineer the malware. This meant establishing vulnerabilities in the malware’s code which would allow Hutchins to manipulate it, or the network of infected computers, and prevent the spread.


The sinkhole server was connecting anyone affected by the malware to the registered domain. This enabled Hutchins to track the spread of the infection which he used to create a live tracking map, which he then posted on Twitter.


Hutchins then had the registered domain checked to ensure it would not change. He also checked for any new domains that had been set up that would need to be registered.

Once the domain had been checked, Hutchins was wrongly told by a fellow programmer that from registering the domain, he had actually triggered the ransomware and encrypted all affected computers’ files. However, this was not the case, and the registration of the domain had actually stopped the ransomware and prevented further spread.


Hutchins checked that the spread of malware had stopped by checking it twice more using various analysis techniques. The ransomware failed to run, confirming he had in fact prevented the spread of the malware since the registration of the domain.


The fear
So why did the sinkhole stop an international ransomware epidemic?

Hutchins explained that the coding used in the WannaCry cyber attack was attempting to connect to the domain Hutchins had registered.


Before the domain was registered hackers could take networks of computers ransom through the use of the unregistered domain. Now that the domain had been registered, the coding would automatically quit and exit upon connecting with the domain – therefore unable to take computers hostage.


This ‘exit strategy’ built into the coding by the hackers, Hutchins believes, is done so because they fear their code would be analysed if left long enough in a registered domain.


Hutchins said: “The reason which was suggested (for the exit strategy) is that the domain is a “kill switch” in case something goes wrong, but I now believe it to be a badly thought out anti-analysis.”


From registering the domain Hutchins caused all infections to believe they were inside a registered domain and to exit. This meant he had unintentionally prevented the spread and further ransoming of computers infected with this malware.


Hutchins will continue to host the domain to prevent any more of these attacks from happening. However, he warned others to protect their computers with the patches needed because different types of cyber attacks could be attempted.



LinkedIn Twitter

Entries open for the Credit Awards 2018

Entries are now open for The Credit Awards 2018, which will celebrate its 19th year at the Grosvenor House Hotel on Park lane next May

Revealed: The F5 and Commercial Finance Awards shortlists

The shortlists have today been revealed for the F5: Future of Finance Awards and the Commercial Finance Awards. Both events will take place at the Hilton Bankside in London on October 31.

Older consumers face financial exclusion

Older consumers are at risk of being financially excluded, according to a recent occasional paper published by the Financial Conduct Authority (FCA)

Credit Summit marks decade milestone in 2018  

The Credit Summit will return to the QEll Centre on March 15 2018, marking a decade of the event and 10 years since the financial crisis

The CS Interview

Renaissance man
LinkedIn Twitter

Renaissance man


Five things the TRI Conference taught us about today’s economy
LinkedIn Twitter

Five things the TRI Conference taught us about today’s economy


"It’s up to the financial services industry to help teach students the necessary skills to manage their finances"
LinkedIn Twitter

"It’s up to the financial services industry to help teach students the necessary skills to manage their finances"


Lloyds results reveal £2bn of debt in forbearance
LinkedIn Twitter

Lloyds results reveal £2bn of debt in forbearance

Upcoming events

Mortgage Conference 2017

F5 Conference 2017

Commercial Finance Conference 2017

The Corporate M&A Exchange 2017

Credit Strategy

Did you find our website useful?

Thank you for your input

Thank you for your feedback – an online news and information service for the UK’s commercial and consumer credit industry. is published by Shard Financial Media Limited, registered in England & Wales as 5481132, Axe & Bottle Court, 70 Newcomen St, London, SE1 1YT. All rights reserved. Credit Strategy is committed to diversity in the workplace.
@ Copyright Shard Media Group