© Provided by USA TODAY. B. Tongo/EPA/REX/Shutterstock. A programmer shows a sample of decrypting source code in Taipei, Taiwan, 13 May 2017.
The massive ransomware
attack that crippled more than 20% of hospitals in the United Kingdom
and disabled systems in as many as 74 countries appears to have
been inadvertently stopped by a 22-year-old computer security researcher in
England who began studying it Friday afternoon.
The story, which the as-yet-unnamed
security whiz wrote up in a blog post on Saturday, is an example of the
driven-to-puzzle-things-out mentality typical of people drawn to
cybersecurity.
“He was in the right place at the right
time, and he did the right thing without any hesitation,” said Dan
Kaminsky, a longtime security researcher and chief scientist at White Ops,
a New York-based security firm.
Because nobody's really in charge of the
Internet, it's messy and wonderful in equal proportion, he said.
"We maintain it with duct tape,
baling wire and the good graces of no small number of 'volunteer firefighters.'
I am hopeful for a future with more formal, funded support for this foundation
of our suddenly global information economy. But it's pretty great that a
22-year-old can see a worldwide problem and spend a bit to help us all,”
Kaminsky said.
How it happened
The ransomware appears to have surfaced at 3:24
a.m. ET on Friday,
said Craig Williams, a senior technical leader at Talos, the
security research arm of San Jose, Calif.-based tech company Cisco.
Within about seven hours it had been
stopped in its tracks.
For the analyst, who for security
reasons has chosen to be identified only by
his blog name, MalwareTech, things started after
lunch on Friday when he noticed all the fuss about a global ransomware
attack and decided to investigate.
His day job is as a security researcher
at Los Angeles-based Kryptos Logic, but he was actually supposed to be on
vacation this week so he hadn't been plugged in.
"We'd had quite a bit of work over the last
few months and we were both off. I'm actually in Venice right
now," said his boss, Salim Neino, CEO of Kryptos
Logic. "We were talking online about how the biggest cyberattack of
the year happens and we're both off."
Neither MalwareTech nor his boss stayed
off, however.
Although only 22, he is known
in the close-knit world of cybersecurity as someone who is
good at "taking down big ugly things that are spreading fast," in the words of Ryan Kalember,
vice president for cybersecurity at Proofpoint, a Sunnyvale,
Calif.-based security company.
Credit for first
obtaining a sample of the malicious code appears to go to
Kafeine, a security researcher who doesn't give press interviews and goes only
by his screen name, but who works for Proofpoint.
MalwareTech called him "a good
friend and fellow researcher" in his blog post and
noted that Kafeine passed
him the sample so he could begin to reverse
engineer it to see how it did what it was doing.
One of the first
things MalwareTech noticed was that as soon as it installed itself on
a new machine, the malware tried to connect to a Web address whose
domain name nobody had registered.
He promptly registered that domain, so he
could see what it was up to. This was at around 3 p.m. in London, 10
a.m. ET.
The registration wasn't done on a
whim, he noted. "My job is to look for ways we can track and potentially
stop botnets (and other kinds of malware)," he
wrote on his blog.
However, in doing so,
MalwareTech had inadvertently stopped the entire global attack in its
tracks, though it took him and others a while longer to
realize it.
"Humorously," he
wrote, "at this point we had unknowingly killed the
malware."
The malware contained
code that, before doing anything else, tried to reach a Web address
at a domain name nobody had registered. If that request failed,
as it did on every infected machine while the domain was unregistered,
the malware carried on; if the request succeeded, it shut itself down.
Registering the domain therefore made the check succeed on every new
infection. Computers that were already
infected with the ransomware weren't protected, but the ransomware stopped
spreading except on isolated systems, said Williams. A machine with no route to
the domain still fails the check and so still runs the payload.
"We think it
was a kill switch that the creators built in," said Kalember.
They would have been able to stop the spread of the software simply by
registering and setting up the Web address — except
MalwareTech got there first.
As a final test, he ran the malware
in a closed environment from which the newly registered domain was reachable, and the
malware did nothing.
Then he ran it again after modifying the
host system so that the connection to the domain would fail, and the ransomware
promptly ran and ransomed the test machine.
"Now you probably can’t picture
a grown man jumping around with the excitement of having just been
ransomwared, but this was me. The failure of the ransomware to run the first
time and then the subsequent success on the second meant that we had in fact
prevented the spread of the ransomware and prevented it ransoming any new
computer since the registration of the domain," he wrote.
The website registration that stopped
ransomware that had already caused tens of thousands of dollars' worth of damage
at thousands of companies "cost about $10," said Neino.
Darien Huss, a security researcher at
Proofpoint who'd been helping MalwareTech with the analysis, tweeted at
10:29 a.m. ET that the unregistered domain had been registered and the malware
had stopped spreading.
"We were then able to get all the
information out to the FBI," said Neino.
Soon thereafter the United Kingdom's
National Cyber Security Centre posted the text of MalwareTech's blog
on its site.
While this particular variant of the
malware has been stopped, security experts are quick to point out that all
the criminals behind it would need to do is change the code to check a
different domain, or remove the domain check altogether, and send it out again.
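The kill-switch check described above, the two sandbox runs that confirmed it, and the caveat that a new domain or a removed check defeats the registration, as one added example in Python. This is not code from the article, from MalwareTech or from the malware itself: the domain name, the probe functions and the `run_sample` stand-ins are constructed for illustration (the real domain is not named on this page), and the probe is injected so the demonstration runs offline. The gate lets the sample continue only when the request to the domain fails.

```python
"""Minimal model of a domain-based kill switch and the two sandbox runs
that confirmed it.  Added example; not code from the article, from
MalwareTech or from the malware itself.  All names are constructed."""
import socket
import urllib.request
from typing import Callable

# Constructed placeholder. The real domain is not named on this page and is
# deliberately not reproduced here; ".invalid" never resolves (RFC 2606).
KILL_SWITCH_DOMAIN = "killswitch-placeholder.invalid"

# A probe answers one question: did an HTTP request to this domain succeed?
Probe = Callable[[str], bool]


def live_probe(domain: str, timeout: float = 5.0) -> bool:
    """What a real check looks like: resolve, connect, GET.  Any failure
    (NXDOMAIN, refused connection, timeout) counts as 'unreachable'.
    Not used by the offline demonstration below."""
    try:
        with urllib.request.urlopen(f"http://{domain}/", timeout=timeout):
            return True
    except OSError:          # URLError, gaierror and timeout all derive from OSError
        return False


def gate_allows_execution(probe: Probe, domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """The kill-switch gate: the sample goes on ONLY when the request fails.
    Registering (sinkholing) the domain makes the request succeed, so every
    fresh infection exits at this point.  A host with no route to the domain
    still fails the request and therefore still runs."""
    try:
        reachable = probe(domain)
    except OSError:
        reachable = False    # DNS or connection failure counts as 'not reachable'
    return not reachable


def run_sample(probe: Probe, domain: str = KILL_SWITCH_DOMAIN) -> str:
    """Stand-in for the sample's startup; returns what happened."""
    if not gate_allows_execution(probe, domain):
        return "exited"
    return "payload ran"     # encryption and spreading would start here


def run_sample_without_gate(probe: Probe) -> str:
    """The variant the experts warn about: the check is simply removed.
    The probe is accepted only to mirror run_sample's signature; it is never consulted."""
    return "payload ran"


# Two offline probes standing in for the two sandbox configurations.
def registered_domain_probe(domain: str) -> bool:
    """Models the world after the $10 registration: the kill-switch domain
    resolves and answers, so the request succeeds.  Any other domain is
    still unregistered and the request fails."""
    return domain == KILL_SWITCH_DOMAIN


def blocked_probe(domain: str) -> bool:
    """Models the modified host where the connection is made to fail."""
    raise socket.gaierror(f"constructed failure: cannot resolve {domain}")


def sandbox_experiment() -> tuple[str, str]:
    """Reproduces the two runs from the article: first with the registered
    domain reachable, then with the connection forced to fail."""
    first = run_sample(registered_domain_probe)   # domain reachable -> "exited"
    second = run_sample(blocked_probe)            # connection fails -> "payload ran"
    return first, second


if __name__ == "__main__":
    run1, run2 = sandbox_experiment()
    print("run 1 (domain reachable):   ", run1)
    print("run 2 (connection blocked): ", run2)
    # Why the registration is not a fix: a new domain, or no check at all.
    print("variant, new domain:        ", run_sample(registered_domain_probe, "another.invalid"))
    print("variant, check removed:     ", run_sample_without_gate(registered_domain_probe))
```

The probe is injected rather than hard-wired to `live_probe` so the same gate can be exercised under both sandbox conditions without touching the network, which is also how an analyst would drive such a check under a debugger or with a hosts-file change. The two "variant" calls show why the registration only buys time: a different domain is unregistered again, and a sample with the check removed never consults the domain at all.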
This makes it all the more important that
computers and networks quickly install the Windows patch that
closes the flaw that let the code spread so easily in the
first place. Microsoft
issued that patch on
March 14, but clearly many systems had not installed it.