As It Happens

How an anonymous 'hero' stopped Friday's cyberattack — and why we're not out of the woods yet

A security expert whose firm helped stop the spread of Friday's massive cyberattack by activating a secret kill switch discovered by an anonymous computer whiz says we haven't seen the last of the so-called WannaCry virus.
A programmer shows a sample of decrypting source code in Taipei, Taiwan. The WannaCry ransomware cyber attack hit hundreds of thousands of computers in 150 countries by encrypting files from affected computers and demanding bitcoin ransoms to decrypt them. (Ritchie B. Tongo/EPA)

read story transcript

A security expert whose firm helped stop the spread of Friday's massive cyberattack by activating a secret kill switch discovered by an anonymous computer whiz says we haven't seen the last of the so-called WannaCry virus. 

British media are hailing as a "hero" an unnamed 22-year-old cybersecurity researcher — who uses the online handle Malware Tech and works for the security firm Kryptos Logic — for halting the spread of the global ransomware attack that paralyzed, hospitals, factories, banks, government agencies and transport systems around the world.

"One of our researchers actually found the malware sample and provided it to Malware Tech," Ryan Kalember, senior vice-president at the security firm Proofpoint, told As It Happens host Carol Off. 

"He and our own internal research team both got to work doing basically reverse-engineering of the malware, trying to figure out what it did, how it did it and whether there was any way to stop it."

They discovered an unregistered domain name — or website address — coded into the malware. That turned out to be a kill switch, planted by the malware's authors in case they needed to stop it spreading. 

This is the ransom message that popped up on hundreds of thousands of computers hit by the WannaCry virus. (Ritchie B. Tongo/EPA)

"Malware Tech took that first step and spent about $10 US registering the domain name itself to create what we call a sinkhole, where instead of actually doing the bidding of the malware's author, we as defenders can have it do something else that's benign," Kalember said. 

Essentially, by activating the domain name, they stopped the WannaCry virus in its tracks by diverting it to a dead end on the internet.

But the story doesn't end there. Kalember and other security experts, including Malware Tech, are sounding the alarm that people are still at risk if they don't upgrade their systems.

Microsoft released patches last month and on Friday to fix a vulnerability that allowed the worm to spread across networks.

Code for exploiting that bug, which is known as "Eternal Blue," was released on the internet last month by a hacking group known as the Shadow Brokers. Security experts believe that code originated with the U.S. National Security Agency.

Infected computers appear to largely be out-of-date devices that organizations deemed not worth the price of upgrading or, in some cases, machines involved in manufacturing or hospital functions that proved too difficult to patch without possibly disrupting crucial operations. 

Computers using pirated software were also disproportionately affected. 

All of this means someone could come along and create a new version of the WannaCry virus — and this time, they probably won't put in a kill switch. 

"Sadly, it's not over until we're all patched," Kalember said. "These things have a longer life than anyone should ever have a reasonable expectation that they will."

With files from Reuters and Associated Press


To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.

Become a CBC Member

Join the conversation  Create account

Already have an account?