A 22-year-old cybersecurity researcher and a cheap domain registration helped thwart the cyberattack that spread malicious software around the world, shutting down networks at hospitals, banks and government agencies.
Britain’s National Cyber Security Centre and others hailed the researcher who discovered a so-called “kill switch” that halted the unprecedented outbreak. The person has only been identified as MalwareTech.
By then the “ransomware” attack had crippled Britain’s hospital network and computer systems in several countries in an effort to extort money from computer users.
But the researcher’s actions may have saved companies and governments millions of dollars and slowed the outbreak before computers in the US and possibly elsewhere were more widely affected.
MalwareTech is part of a global cybersecurity community, working independently or for security companies, who are constantly watching for attacks and working together to stop or prevent them, often sharing information on Twitter.
MalwareTech explained in a blog post over the weekend that he learned Britain’s health system was under attack after he had returned from lunch.
He began analysing a sample of the malicious software and noticed its code included a hidden web address that wasn’t registered. He said he “promptly” registered the domain, something he regularly does to try to discover ways to track or stop malicious software.
Across an ocean, Darien Huss, a 28-year-old research engineer for the cybersecurity firm Proofpoint, was doing his own analysis.
The western Michigan resident said he noticed the authors of the malware had left in a feature known as a kill switch. Huss took a screen shot of his discovery and shared it on Twitter.
— Darien Huss (@darienhuss) May 12, 2017
Soon he and MalwareTech were communicating about what they’d found: that registering the domain name and redirecting the attacks to MalwareTech’s server had activated the kill switch, halting the ransomware’s infections.
It reportedly cost MalwareTech just $14.47 ($US10.69) to register the domain, and to his surprise it proved vital in halting the spread of the attack.
I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental.
— MalwareTech (@MalwareTechBlog) May 13, 2017
Huss and others were calling MalwareTech a hero on Sunday (AEST), with Huss adding that the global cybersecurity community was working “as a team” to stop the infections from spreading.
“I think the security industry as a whole should be considered heroes,” he said.
But he also said he’s concerned the authors of the malware could re-release it without a kill switch or with a better one, or that copycats could mimic the attack.
“I think it is concerning that we could definitely see a similar attack occur, maybe in the next 24 to 48 hours or maybe in the next week or two,” Huss said. “It could be very possible.”
Who perpetrated this wave of attacks remains unknown. Two security firms — Kaspersky Lab and Avast — said they identified the malicious software in more than 70 countries. Both said Russia was hit hardest.
This is already believed to be the biggest online extortion attack ever recorded, disrupting services in nations as diverse as the US, Ukraine, Brazil, Spain and India.
On Monday morning, Australian authorities were warning that, as many businesses returned to work, the threat of the malware would escalate.
Europol, the European Union’s police agency, said the onslaught was at “an unprecedented level and will require a complex international investigation to identify the culprits.”
– With AP