by Soma Oj.
While it’s cool that we are swooning over Emmanuel Macron, the 39-year-old who has just become the biggest threat to Justin Trudeau’s existence as the most attractive world leader – yes, he’s also the French President but you get what we mean.
While it’s also cool that the more introspective amongst us are already finding ways to draw a corollary between Macron’s win at his age and the #NotTooYoungToRule movement in Nigeria, there’s something very important; actually someone just as important, if not more important. A young 22-year-old who sadly, would rather remain anonymous despite the huge favour he has just done us all – yes, you too!
Here’s how this happened…
Last week, a wave of Ransomware took over the internet and threatened businesses – both private and State owned – in about 74 countries including Russia, England, Spain, Taiwan, France, Japan and possibly Nigeria except that the vulnerability of our dear country to the Ransomware cannot be confirmed because you know, nobody has any truly verifiable data.
Ransomware “works by infecting a computer, locking users out of the system (usually by encrypting the data on the hard drive), and then holding the decryption or other release key ransom until the victim pays a fee, usually in bitcoin.” It’s essantially a really bad patch of virus.
So far, we have recorded more than 45,000 attacks of the #WannaCry ransomware in 74 countries around the world. Number still growing fast.
— Costin Raiu (@craiu) May 12, 2017
The above is a confirmation tweet posted by Costain Raiu, the director of the Analysis and Research team at Kapersky Labs when the attack happened.
The Ransomware, called WanaCrypt0r and WCry and #WannaCry, leverages a Windows vulnerability known as EternalBlue that allegedly originated with the NSA. The exploit was dumped into the world with a bunch of alleged NSA tools by the Shadow Brokers hacking group. Microsoft released a patch for it, known as MS17-010, in March but as it happens, many organisations don’t quickly jump on these solutions.
Adam Kujawa, the director of malware intelligence at Malwarebytes, which discovered the original version of WannaCry confirmed that “the spread is immense and that he’d “never seen anything before like it. “This is nuts”, he complained.
The confusion and the often technical description offered by the experts did not however prepare many of the organisations that were eventually affected by it for what WannaCry really meant.
For example, hospitals, doctors’ offices, and other health care institutions in London and Northern England on Friday had to cancel all non-urgent services and revert to backup procedures because WannaCry had hobbled their computers and consequently, access to patients’ information. Multiple emergency rooms around England spread word that patients should avoid coming in if possible.
In Spain, the Ransomware affected the large telecom company Telefonica, the natural gas company Gas Natural, and the electrical company Iberdrola.
The Accidental Hero
Depite being unprecedented and the reach of the Ransomware and the damage it had done so far, the spread of WannaCry was cut short when a 22-YEAR-OLD! ended it.
The young UK cybersecurity researcherrom southwest England who works for Kryptos logic, a Los Angeles-based threat-intelligence company and tweeting simply as @malwaretechblog, with the help of Darien Huss from the security firm Proofpoint, found and inadvertently activated a “kill switch” in the malicious software.
Speaking with The Guardian during the wekend, the “accidental hero” narrated how he saved the world without even meaning to:
“I was out having lunch with a friend and got back about 3 p.m. and saw an influx of news articles about the NHS and various UK organizations being hit. “I had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time.”
According to Malwaretechblog (I just thought it would be better to remove the @ from our ‘accidental hero’s pseudonym but now I see it’s better to continue to say “accidental hero” instead) he just took the kill switch which was hard coded into the malware in case the creator wanted to stop its spread. The kill switch happened to be a domain which cost $10.69 and was immediately registering thousands of connections every second.
He (this is even better that “accidental hero) explained that he bought the domain because his company tracks botnets, and by registering these domains they can get an insight into how the botnet is spreading. “The intent was to just monitor the spread and see if we could do anything about it later on. But we actually stopped the spread just by registering the domain,” he said.
So why would he rather remain anonymous?
Please know that anyone claiming to be me and accepting donations is not me. I will only post official stuff via this twitter account.
— MalwareTech (@MalwareTechBlog) May 15, 2017
Our accidental hero said he preferred to stay anonymous “because it just doesn’t make sense to give out my personal information, obviously we’re working against bad guys and they’re not going to be happy about this.”
He also said he planned to hold on to the URL, and he and colleagues were collecting the IPs and sending them off to law-enforcement agencies so they could notify the infected victims, not all of whom are aware that they have been affected.
“We have stopped this one, but there will be another one coming and it will not be stoppable by us. There’s a lot of money in this. There’s no reason for them to stop. It’s not really much effort for them to change the code and then start over. So there’s a good chance they are going to do it…”
Microsoft has also now sent out more patches for in an attempt to limit the damage.