Anatomy of a hack and the anonymous hero who stopped it

As hospital after hospital went offline, security researchers around the world started poring over the ransomware that had gone round the globe.

And one 22-year-old in the UK ended up saving thousands more computers across the world being infected.

Working together through the night on an IRC channel – an online chatroom themed around a topic, in this case #wannadecryptor – researchers shared their findings.

Despite the spread of the ransomware, researchers weren’t impressed.

"It really doesn’t seem like a sophisticated attack at all," one hacker told me. "It’s embarrassing the NHS got caught out by this."

Other researchers found that the malware was using Tor – anonymity software originally developed by US defence – to communicate with its command and control centre on the deep web (the part of the internet not visible to search engines).

That command and control wasn’t active – a sign perhaps "these folks didn’t even properly set up their command infrastructure properly before launching", according to another researcher.

And there was another weakness in the malware, found by a 22-year-old security researcher in the UK, who goes by the handle of MalwareTech (MT).

The malware checked a site. MT bought the domain for a few pounds – and ended up slowing the spread of the attack. Without realising it, he had stumbled on a kill switch for the ransomware.

"The kill switch wasn’t discovered until about three hours after we’d bought the domain which had already killed all subsequent infections," MT told Sky News.

"From what I can see it killed every infection that contacted our C2 (command and control server)."

:: Hack exposes serious NHS vulnerabilities

The hackers had built in the kill switch, but not registered the site.

If that site was active, a kill switch would activate, stopping the worm’s spread. By activating the domain, MT slowed the spread.

Nor was MT impressed by the sophistication of the attack.

"Although the exploit used is very sophisticated (taken from NSA leak), the ransomware itself seems somewhat amateur", he told Sky News.

That raises more questions about NHS systems, which a Sky News investigation found to be underfunded and lacking last year – and also why the UK government didn’t do more to make sure they were secure.

While everyone, including the newish National Cybersecurity Centre, part of GCHQ, was "monitoring the situation", a handful of volunteers actually brought the ransomware to a halt.

(c) Sky News 2017: Anatomy of a hack and the anonymous hero who stopped it