22-year-old Brit researcher and U.S. engineer helped stop huge global cyberattack from spreading further

In this May 12, 2017 photo, a display panel with an error can be seen at the main railway station in Chemnitz, Germany. Germany’s national railway says that it was among the organizations affected by the global cyberattack but there was no impact on train services. Deutsche Bahn said early Saturday that departure and arrival display screens at its stations were hit Friday night by the attack. (P. Goezelt/dpa via AP)

SARA BURNETT and SYLVIA HUI, Associated Press LONDON (AP) 05/14 — The cyberattack that spread malicious software around the world, shutting down networks at hospitals, banks and government agencies, was thwarted by a young British researcher and an inexpensive domain registration, with help from another 20-something security engineer in the U.S.

Britain’s National Cyber Security Center and others were hailing the cybersecurity researcher, a 22-year-old identified online only as MalwareTech, who — unintentionally at first — discovered a so-called “kill switch” that halted the unprecedented outbreak.

By then the “ransomware” attack had crippled Britain’s hospital network and computer systems in several countries in an effort to extort money from computer users. But the researcher’s actions may have saved companies and governments millions of dollars and slowed the outbreak before computers in the U.S. were more widely affected.

MalwareTech is part of a large global cybersecurity community, working independently or for security companies, who are constantly watching for attacks and working together to stop or prevent them, often sharing information via Twitter. It’s not uncommon for them to use aliases, either to protect themselves from retaliatory attacks or for privacy.

In a blog post Saturday, MalwareTech explained he returned from lunch with a friend on Friday and learned that networks across Britain’s health system had been hit by ransomware, tipping him off that “this was something big.”

He began analyzing a sample of the malicious software and noticed its code included a hidden web address that wasn’t registered. He said he “promptly” registered the domain, something he regularly does to try to discover ways to track or stop malicious software.

Across an ocean, Darien Huss, a 28-year-old research engineer for the cybersecurity firm Proofpoint, was doing his own analysis. The western Michigan resident said he noticed the authors of the malware had left in a feature known as a kill switch. Huss took a screen shot of his discovery and shared it on Twitter.

Soon he and MalwareTech were communicating about what they’d found: That registering the domain name and redirecting the attacks to MalwareTech’s server had activated the kill switch, halting the ransomware’s infections.

Huss and others were calling MalwareTech a hero on Saturday, with Huss adding that the global cybersecurity community was working “as a team” to stop the infections from spreading.

“I think the security industry as a whole should be considered heroes,” he said.

But he also said he’s concerned the authors of the malware could re-release it without a kill switch or with a better one, or that copycats could mimic the attack.

“I think it is concerning that we could definitely see a similar attack occur, maybe in the next 24 to 48 hours or maybe in the next week or two,” Huss said. “It could be very possible.”

Who perpetrated this wave of attacks remains unknown. Two security firms — Kaspersky Lab and Avast — said they identified the malicious software in more than 70 countries. Both said Russia was hit hardest.

These hackers “have caused enormous amounts of disruption— probably the biggest ransomware cyberattack in history,” said Graham Cluley, a veteran of the anti-virus industry in Oxford, England.

This is already believed to be the biggest online extortion attack ever recorded, disrupting services in nations as diverse as the U.S., Russia, Ukraine, Brazil, Spain and India. Europol, the European Union’s police agency, said the onslaught was at “an unprecedented level and will require a complex international investigation to identify the culprits.”

In Russia, government agencies insisted that all attacks had been resolved. Russian Interior Ministry, which runs the national police, said the problem had been “localized” with no information compromised. Russia’s health ministry said its attacks were “effectively repelled.”

The ransomware exploits a vulnerability in Microsoft Windows that was purportedly identified by the U.S. National Security Agency for its own intelligence-gathering purposes. Hackers said they stole the tools from the NSA and dumped them on the internet.

___

Burnett reported from Chicago.

https://www.apnews.com/53197fb68d754709bd7f3482c96bbe19/An-alert-researcher,-teamwork-helped-stem-huge-cyberattack

Copyright 2017 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.

 

Posted in: Cybersecurity/Cybercrime, Data Security/Data Privacy, Extortion, International Policing, National Security

Leave a Reply

Your email address will not be published. Required fields are marked *

13 + 11 =

Terms of Use for Posting Comments

Terms of Use

This site (the “Site”) is operated and maintained by Law Enforcement Education Foundation, Corporation (“Company”). Throughout the Site, the terms “we”, “us” and “our” refer to Company.  The words “user,” “you” and “your” as used herein refer to you.

Please read these terms and conditions of use (“Terms of Use”) carefully before contributing content. If you do not agree to these Terms of Use, please do not contribute content. Your use of the Site is subject to the Terms and Conditions found here .

By contributing content to the Site, you represent and warrant that you are at least eighteen (18) years old and that you have read and understand these Terms of Use and any amendments thereto and agree to be bound by them. If you are not at least eighteen (18) years old or you do not agree and accept these Terms of Use, you are prohibited from contributing content.

From time to time, we may permit users to submit content to the Site.  You hereby acknowledge and agree that by submitting remarks, comments, suggestions, ideas, graphics, feedback, edits, concepts, comments, photographs, illustrations and other materials (other than personal information and/or registration information) through the Site (individually and collectively, “Submissions”), you (i) grant us a nonexclusive, royalty-free, perpetual, transferable, irrevocable and fully sub-licensable right to use, reproduce, modify, adapt, translate, distribute, publish, create derivative works from and publicly display and perform such Submissions throughout the world in any media, now known or hereafter created, without attribution to you; (ii) grant us the right to pursue at law any person or entity that violates your and/or our rights in your Submissions; and (iii) forever waive any and all of your rights, including but not limited to moral rights, if any, in and to your Submissions, including, without limitation, any all rights or requirements of attribution or identification of you as the author of the Submission or any derivative thereof.  We reserve the right to remove any of your Submissions from the Site, in whole or in part, without notice to you, for any reason or no reason.

Submissions are made voluntarily. Any submissions which include personally identifiable information are subject to our Privacy Policy found here .  You may not upload or otherwise publish content on the Site that (i) is confidential to you or any third party; (ii) is untrue, inaccurate, false or other than an original work of your authorship; (iii) that relates to or impersonates any other person; (iv) violates the copyright, trademark, patent or other intellectual property rights of any person or entity; (v) contains any content, personally identifiable information or other information, or materials of any kind that relate or refer to any other person or entity other than the provider of the products, goods or services to which the Submission relates; or (vi) violates any law, or in any manner infringes or interferes with the rights of others, including but not limited to the use of names, information, or materials that (A) libel, defame, or invade the privacy of any third party, (B) are obscene or pornographic, (C) are harmful, threatening, offensive, abusive, harassing, vulgar, false or inaccurate, racially, sexually, ethnically or are otherwise objectionable or otherwise contrary to the laws of any place where such Submissions may be accessed; (D) constitute personal attacks on other individuals; (E) promote criminal, immoral or illegal activity; (F) promote or advertise any person, product or service or solicit funds; or (G) are deemed confidential by any contract or policy.

You are solely responsible for any Submissions you make and their accuracy. We take no responsibility and assume no liability for any Submissions posted by you or any third party.

Unless approved by us in writing in advance, you agree not to: (i) provide or create a link to the Site; or (ii) create any frames at any other sites pertaining to any of the content located on the Site.

We reserve the right, in our discretion, to update, change or replace any part of these Terms of Use for Posting Comments by posting updates and/or changes to our Site.  It is your responsibility to check this page periodically for changes.  Your continued use of, and/or access to the Site, following the posting of any changes to these Terms of Use for Posting Comments, constitutes your acceptance of those changes.