Young man (22) who 'accidentally' halted malicious ransomware gets week off work as reward

The domain name appears to have been written into the software by hackers as a kill switch for the malware. 

The analyst had taken a week off from work, but decided to investigate the ransomware after hearing about the global cyber-attack that sent organisations like the NHS into meltdown, with hospitals across the UK having turn away non-critical patients and resort to pen and paper.

Now, he says his boss has rewarded him with another week off for all his hard work.

“The attention has been slightly overwhelming,” the 22-year-old told the BBC.

“The boss gave me another week off to make up for this train-wreck of a vacation.”

The analyst has been hailed as an “accidental hero” after saying his discovery of the ransomware kill switch “was actually partly accidental”.

He wrote on his website: “I woke up at around 10 AM and checked onto the UK cyber threat sharing platform where I had been following the spread of the Emotet banking malware, something which seemed incredibly significant until [Friday].

“There were a few of your usual posts about various organisations being hit with ransomware, but nothing significant... yet. I ended up going out to lunch with a friend, meanwhile the WannaCrypt ransomware campaign had entered full swing.”

The analyst said his attempt to stop the ransomware attack by registering the domain name he found “was not a whim”.

“My job is to look for ways we can track and potentially stop botnets,” he wrote. “So I’m always on the lookout to pick up unregistered malware ... domains. In fact,I registered several thousand of such domains in the past year.”

The analyst said he was “jumping around with excitment” when he realised his hunch that the domain name might work as a kill switch was correct. 

“Now, you probably can’t picture a grown man jumping around with the excitement of having just been ransomwared, but this was me,” he wrote on his blog.

Ransomware is a type of malicious software that blocks access to data until a ransom is paid, displaying a message to internet users requesting payment to “unlock” pages.

In this case, the hack brings up a message telling users they can recover their files – but only if they send $300 (£232.76) in bitcoins to a specific address.

An international effort is under way to hunt down the criminals behind the attack, which affected scores of countries, including the US and Russia.

Investigators are working around-the-clock to trace the attackers, as health authorities race to upgrade their security software amid fears hackers could exploit the same vulnerability with a different virus.

There have also been calls for an inquiry into the incident, with the UK Government and NHS chiefs questions over Britain’s preparedness for cyber attacks.

Europol said its cybercrime unit would be supporting affected countries as its own “complex international investigation” to identify the attackers continues.