Criminals use ransomware to extort money from individual users and big businesses.
A 28-year-old Purdue University graduate helped bring down a ransomware attack that hit more than 20 percent of hospitals in the United Kingdom and affected systems in more than 70 countries.
Darien Huss, 28, discovered a “kill switch” in the malware’s code Friday, the Associated Press reported. Huss, an analyst at the California-based cybersecurity company Proofpoint, then shared that information with a British researcher, identified as MalwareTech, who managed to stop further spread by registering a domain name.
The 22-year-old computer security researcher in England, who has opted to be identified only by his blog name, MalwareTech, began studying the malware. On Friday afternoon the analysts determined it was related to a family of ransomware known as “WannaCry,” USATODAY reported.
MalwareTech was given a sample of the software code by a Proofpoint security researcher identified by their blog name, Kafeine, and was able to begin examining it to figure out how it worked.
Among the first things MalwareTech noticed was that the malware would attempt to send messages to an unregistered domain name after installing itself on a new computer. So he registered the domain name.
“Humorously,” he wrote in a blog post detailing the event, “at this point we had unknowingly killed the malware.”
The malware, which was pinging the unregistered domain name, was written to shut itself down unless the lookup failed, that is, unless it got back a message saying the domain didn’t exist. Once the domain was registered, lookups succeeded, that message stopped coming, and the malware shut down.
To test this, he ran the malware in a closed environment connected to that newly registered domain and got nothing. He then changed the host system so the connection would fail, at which point the ransomware turned back on.
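The flip side of the kill switch described above is that a registered (sinkholed) domain becomes a detection source: the malware only looks the domain up after it has already installed itself, so any host whose DNS query for that name shows up in resolver logs has executed the binary and needs triage, even though the lookup stopped it from encrypting. The following is an added example, not code from the article, MalwareTech or Proofpoint; the article does not name the registered domain, so a placeholder is used, and the BIND-style query-log format and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Placeholder: the article does not name the domain MalwareTech registered,
# so a constructed stand-in is used here.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed sample resolver log in a BIND-style "query" format (an assumption
# about the log format; adapt LINE_RE to whatever your resolver actually writes).
SAMPLE_LOG = """\
12-May-2017 14:02:11.103 client 10.0.0.12#51234: query: killswitch-placeholder.example IN A + (10.0.0.1)
12-May-2017 14:02:13.880 client 10.0.0.12#51240: query: killswitch-placeholder.example IN A + (10.0.0.1)
12-May-2017 14:02:15.010 client 10.0.0.44#40001: query: www.example.com IN A + (10.0.0.1)
12-May-2017 14:03:02.551 client 10.0.0.77#60101: query: KILLSWITCH-PLACEHOLDER.EXAMPLE. IN A + (10.0.0.1)
this line is not a query record and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line):
    """Return a dict with ts/ip/qname/qtype for a query record, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # DNS names are case-insensitive and may carry a trailing dot; normalise before comparing.
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def find_beaconing_hosts(log_text, domain=KILL_SWITCH_DOMAIN):
    """Map each client IP that queried the kill-switch domain to the timestamps of its lookups.

    Registering the domain keeps the malware from running, but a lookup means the
    binary already executed on that host, so every IP returned here is an infection lead.
    """
    hits = defaultdict(list)
    target = domain.rstrip(".").lower()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["qname"] == target:
            hits[rec["ip"]].append(rec["ts"])
    return dict(hits)


if __name__ == "__main__":
    for ip, times in sorted(find_beaconing_hosts(SAMPLE_LOG).items()):
        print(f"{ip}: {len(times)} lookup(s), first at {times[0]}")
```

Run against the constructed log this flags 10.0.0.12 and 10.0.0.77 and ignores the benign lookup from 10.0.0.44. The domain comparison is done after lower-casing and stripping the trailing dot, because resolvers log the name as the client sent it, and a case or trailing-dot mismatch would otherwise hide an infected host.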
“Now you probably can’t picture a grown man jumping around with the excitement of having just been ransomwared, but this was me,” MalwareTech wrote. “The failure of the ransomware to run the first time and then the subsequent success on the second mean that we had in fact prevented the spread of the ransomware and prevented it ransoming any new computer since the registration of the domain.”
A short time later, Huss tweeted that registering the domain effectively killed the malware.
Huss told the Associated Press he’s glad it wasn’t someone “with malicious intent” who discovered how to kill the malware. Still, he said, it would be easy for the developer to re-release or for someone else to create a copycat software.
USATODAY and the Associated Press contributed.