Vigilant British researcher helps thwart global cyberattack

Updated May 13, 2017 - 8:53 pm

LONDON — The cyberattack that spread malicious software around the world, shutting down networks at hospitals, banks and government agencies, was stemmed by a young British researcher and an inexpensive domain registration, with help from another 20-something security engineer in the U.S.

Britain’s National Cyber Security Center and others were hailing the cybersecurity researcher, a 22-year-old identified online only as MalwareTech, who — unintentionally at first — discovered a “kill switch” that halted the unprecedented outbreak.

By then, the “ransomware” attack had hobbled Britain’s hospital network and computer systems in several countries, in an effort to extort money from computer users. But the researcher’s actions may have saved companies and governments millions of dollars and slowed the outbreak before computers in the U.S. were more widely affected.

MalwareTech said in a blog post Saturday that he had returned from lunch with a friend on Friday and learned that networks across Britain’s health system had been hit by ransomware, tipping him off that “this was something big.”

He began analyzing a sample of the malicious software and noticed its code included a hidden web address that wasn’t registered. He said he “promptly” registered the domain, something he regularly does to try to discover ways to track or stop malicious software.

Across an ocean, Darien Huss, a 28-year-old research engineer for the cybersecurity firm Proofpoint, was doing his own analysis. The western Michigan resident said he noticed the authors of the malware had left in a feature known as a kill switch. Huss took a screen shot of his discovery and shared it on Twitter.

MalwareTech and Huss are part of a large global cybersecurity community of people, working independently or for security companies, who are constantly watching for attacks and working together to stop or prevent them, often sharing information via Twitter. It’s not uncommon for them to use aliases, either to protect themselves from retaliatory attacks or for privacy.

Soon Huss and MalwareTech were communicating about what they’d found: That registering the domain name and redirecting the attacks to MalwareTech’s server had activated the kill switch, halting the ransomware’s infections — creating what’s called a “sinkhole.”


 

Who perpetrated this wave of attacks remains unknown. Two security firms — Kaspersky Lab and Avast — said they identified the malicious software in more than 70 countries. Both said Russia was hit hardest.

These hackers “have caused enormous amounts of disruption — probably the biggest ransomware cyberattack in history,” said Graham Cluley, a veteran of the anti-virus industry in Oxford, England.

The ransomware exploits a vulnerability in Microsoft Windows that was purportedly identified by the U.S. National Security Agency for its own intelligence-gathering purposes. Hackers said they stole the tools from the NSA and dumped them on the internet.

A malware tracking map showed “WannaCry” infections were widespread. Britain canceled or delayed treatments for thousands of patients. Train systems were hit in Germany and Russia, and phone companies in Madrid and Moscow. Renault’s futuristic assembly line in Slovenia, where rows of robots weld car bodies together, was stopped cold. In Brazil, the social security system had to disconnect its computers and cancel public access.

But while FedEx Corp. reported that its Windows computers were “experiencing interference” from malware — it wouldn’t say if it had been hit by the ransomware — other impacts in the U.S. were not readily apparent on Saturday.

The worldwide effort to extort cash from computer users spread so widely that Microsoft quickly changed its policy, making security fixes for this vulnerability available for free for the older Windows systems still used by millions of individuals and smaller businesses.

Britain’s home secretary said one in five of 248 National Health Service groups had been hit. Home Secretary Amber Rudd said all but six of the NHS trusts were back to normal Saturday.

The U.K.’s National Cyber Security Center was “working round the clock” to restore vital health services, while urging people to update security software fixes, run anti-virus software and back up their data elsewhere.


 

All this may be just a taste of what’s coming, another cyber security expert warned.

Computer users worldwide — and everyone else who depends on them — should assume that the next big “ransomware” attack has already been launched, and just hasn’t manifested itself yet, said Ori Eisen, founder of the Trusona cybersecurity firm in Scottsdale, Arizona.

The attack held hospitals and other entities hostage by freezing computers, encrypting data and demanding money through online bitcoin payments. But it appears to be “low-level” stuff, Eisen said Saturday, given the amount of ransom demanded — $300 at first, rising to $600 before it destroys files hours later.

This is already believed to be the biggest online extortion attack ever recorded, disrupting services in nations as diverse as the U.S., Ukraine, Brazil, Spain and India. Europol, the European Union’s police agency, said the onslaught was at “an unprecedented level and will require a complex international investigation to identify the culprits.”

Huss and others were calling MalwareTech a hero on Saturday, with Huss adding that the global cybersecurity community was working “as a team” to stop the infections from spreading.

“I think the security industry as a whole should be considered heroes,” he said.

But he also said he’s concerned the authors of the malware could re-release it — perhaps in the next few days or weeks — without a kill switch or with a better one, or that copycats could mimic the attack.

The MalwareTech researcher agreed that the threat hasn’t disappeared.

“One thing that is very important to note is our sinkholing only stops this sample and there is nothing stopping them removing the domain check and trying again, so it’s incredibly important that any unpatched systems are patched as quickly as possible,” he warned.

The kill switch also couldn’t help those already infected. Short of paying, options for these individuals and companies are usually limited to recovering data files from a backup, if available, or living without them.

Security experts said the attack appeared to be caused by a self-replicating piece of software that enters companies when employees click on email attachments, then spreads quickly as employees share documents.

The security holes it exploits were disclosed weeks ago by TheShadowBrokers, a mysterious hacking group. Microsoft swiftly released software “patches” to fix those holes, but many users still haven’t installed updates or still use older versions of Windows.
