Marcus Hutchins, a 22-year-old British cybersecurity researcher, saved companies and government departments worldwide billions of dollars by halting the ransomware worm that had been infecting PCs since Friday.
Hutchins, who still lives with his parents in Devon, South West England, registered an unusually long, nonsensical domain name that turned out to act as a kill switch for the WannaCry ransomware, also known as "Wanna Decrypt0r 2.0".
By registering the domain and standing up a website on it, Hutchins, who works for the US cybersecurity company Kryptos Logic, says he triggered a kill switch that immediately slowed the malware's spread.
The kill switch was hidden in the malware's code and was probably never meant to be triggered any time soon; perhaps it was never intended to be there at all.
When Darien Huss, a researcher with US cybersecurity company Proofpoint, came across the strange domain in the code on Saturday, he immediately flagged his discovery on social media.
Alerted by the finding, Hutchins, who tweets as @MalwareTech, acted immediately, without knowing what effect registering the domain would have.
Before doing anything else on a newly infected machine, the malware sent an HTTP request to the unregistered domain. While the domain was unregistered every request failed, and a failed request was the malware's cue to carry on encrypting files and spreading. For hours, a non-existent website helped cripple computers worldwide.
But as soon as Hutchins registered the domain, out of curiosity about its unusual name, requests to it skyrocketed, according to screenshots published on his Twitter account.
Only then did the researchers realise that they might have accidentally triggered a kill switch in the ransomware.
Speaking to The Washington Post on Saturday, Hutchins said that using a domain name as a kill switch appeared to him to be unprecedented.
“Previous malware has used such a check to detect analysis environments but not in a way which can be used to stop the malware,” he said.
“It’s always been a hobby to me … I ended up getting a job out of my first botnet tracker, which the company I now work for saw and contacted me about, asking if I wanted a job. I’ve been working there a year and two months now.”
It remains unknown, however, whether the domain was really intended as a deliberate kill switch.
Saturday’s discovery may have slowed the malware’s spread, but it is unlikely to stop it, security experts said, because the malware’s creators could soon release a different version without a kill switch.
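The mechanism the article describes (a probe of an unregistered domain, where failure means "keep going" and success means "exit"), Hutchins's remark that similar checks have been used to detect analysis environments, and the prospect of a variant with the check removed can all be illustrated with a small simulation. The block below is an added example, not code from the article, from Hutchins or from Kryptos Logic: the domain name, the `Network` model, the log format and the log lines are all constructed for illustration, and no real kill-switch domain is used.

```python
# Added example (not code from the article or from Kryptos Logic): a simulation of a
# domain-based kill switch of the kind described above, plus a small detector that
# lists hosts seen looking up that domain. The domain name, the log format and the
# log lines are all constructed for illustration.
from dataclasses import dataclass
from typing import FrozenSet, List

# Placeholder: the page does not give the real kill-switch domain (.invalid is reserved).
KILL_SWITCH_DOMAIN = "long-nonsense-killswitch-name.invalid"


@dataclass(frozen=True)
class Network:
    """The environment the sample runs in, from the malware's point of view (constructed model)."""
    name: str
    registered: FrozenSet[str]              # domains that currently resolve and answer HTTP
    proxy_only_egress: bool = False         # outbound HTTP works only through a proxy
    sandbox_fakes_responses: bool = False   # analysis sandbox answers every request


def direct_http_get_succeeds(net: Network, domain: str) -> bool:
    """Model the sample's probe: a direct HTTP GET that ignores proxy settings.

    Returns True if the request gets an answer, False if it fails.
    """
    if net.sandbox_fakes_responses:
        return True             # fake internet: anything "resolves"
    if net.proxy_only_egress:
        return False            # a direct connection never leaves the LAN
    return domain in net.registered


def kill_switch_allows_run(net: Network, domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """The inverted logic that turned a registered domain into a kill switch:
    a FAILED probe means 'carry on', a SUCCESSFUL probe means 'exit'."""
    return not direct_http_get_succeeds(net, domain)


def sample_behaviour(net: Network, has_kill_switch: bool = True) -> str:
    """'exit' if the kill switch stops the sample, otherwise 'spread'.
    has_kill_switch=False models a rebuilt variant with the check removed."""
    if has_kill_switch and not kill_switch_allows_run(net):
        return "exit"
    return "spread"


# Constructed DNS resolver log (not real data): one query per line, key=value fields.
SAMPLE_DNS_LOG = """\
2017-05-13T10:02:11Z client=10.0.4.17 qtype=A qname=long-nonsense-killswitch-name.invalid
2017-05-13T10:02:12Z client=10.0.4.17 qtype=A qname=updates.example.com
2017-05-13T10:02:40Z client=10.0.9.3 qtype=A qname=LONG-NONSENSE-KILLSWITCH-NAME.invalid.
2017-05-13T10:03:05Z client=10.0.2.8 qtype=AAAA qname=mail.example.com
"""


def hosts_querying(log_text: str, domain: str = KILL_SWITCH_DOMAIN) -> List[str]:
    """Return the distinct clients that looked up `domain` (case-insensitive,
    trailing dot ignored). The lookup is the sample's first action, so these
    hosts are worth triaging whether or not the domain was registered at the time."""
    wanted = domain.lower().rstrip(".")
    hits = set()
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:] if "=" in f)
        if fields.get("qname", "").lower().rstrip(".") == wanted:
            hits.add(fields["client"])
    return sorted(hits)


if __name__ == "__main__":
    before = Network("before registration", frozenset())
    after = Network("after registration", frozenset({KILL_SWITCH_DOMAIN}))
    proxied = Network("LAN with proxy-only egress", frozenset({KILL_SWITCH_DOMAIN}),
                      proxy_only_egress=True)
    sandbox = Network("analysis sandbox", frozenset(), sandbox_fakes_responses=True)
    for net in (before, after, proxied, sandbox):
        print(f"{net.name:28s} -> {sample_behaviour(net)}")
    print("variant without kill switch, after registration ->",
          sample_behaviour(after, has_kill_switch=False))
    print("hosts that looked up the domain:", hosts_querying(SAMPLE_DNS_LOG))
```

Two of the modelled environments are the ones a practitioner should keep in mind. The sandbox case shows why a check like this reads as anti-analysis: a sandbox that answers every request looks, to the sample, exactly like a registered domain. The proxy-only case is the known caveat of the real kill switch: the sample's probe did not use the system proxy settings, so on networks where a direct connection cannot reach the internet the probe still failed after registration and the sample kept running. The log scan is the defensive counterpart: hosts that look up the domain are hosts where the sample has already executed, so they belong on an incident list regardless of whether the kill switch stopped them.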
Given the disruption WannaCry caused within a few hours, however, the current slowdown could give companies and government departments valuable time to patch their systems, update their security software and take backups.