Massive ransomware attack halted for the price of a couple of lattes

A security researcher who still lives at home stopped a billion-dollar hack attack from spreading, says a report. The tab? $10.69.

Edward Moyer Senior Editor

Ten bucks.

That's how much it reportedly cost a young cybersecurity researcher, who still lives with his folks, to stop the spread of a billion-dollar, worldwide hacking assault.

The ransomware attack, which grabbed headlines Friday, exploited a flaw in older versions of Windows to seize and encrypt computer files, making them unusable. Then it demanded money to decrypt the files and hand them back. One of the largest ever of its kind, the assault has frozen computers at hospitals, phone companies and government agencies around the globe.

The New York Times reported that the hackers/kidnappers might make more than a billion dollars once all the ransoms are paid. But on Friday night the attack's spread was halted, at least temporarily, when a 22-year-old computer researcher in the UK noticed the headlines and decided to see what was up.

"I was out having lunch with a friend and got back about 3 p.m. and saw an influx of news articles" about the attack, the researcher, who wishes to remain anonymous, told The Guardian. "I had a bit of a look into that and then I found a sample of the malware behind it."

In that chunk of code, The Guardian reported, he spied an odd-looking domain name (an address like "whitehouse.gov" or "cnet.com" that comes up in your browser bar when you go to a website). He also noticed that the domain hadn't been purchased and registered by anyone, so he ponied up the whopping $10.69 (roughly £8 and AU$15) and bought it, thus making it active.

Screech. Attack stops spreading.

It turns out the nonsensical domain name had been placed in the code as a kind of "kill switch," so the coders could halt a cyberattack simply by registering the domain and sending it live. The malware pings the domain name -- like your computer pings "cnet.com" when you want to visit the site -- and if the domain is live, the attack stops its spread.

The researcher didn't know this ahead of time though. He simply got lucky.

The reason he bought the domain "was to just monitor the spread and see if we could do anything about it later on. But we actually stopped the spread just by registering the domain," he told The Guardian.

The bad news, however, is that hackers could simply rewrite the code and use it for more attacks. The fix also doesn't help systems that are already infected. People should be sure to update Windows systems with the relevant security patches.

Still, we'd guess it wasn't a bad afternoon for this unnamed researcher.

He probably paid less to save the world, at least briefly, than he did for lunch.
