'Accidental hero' of Ransomware attack a researcher, not a gov spy
The online Leonidas is actually a 22-year-old cyber security researcher from England, identified only by his Twitter handle @malwaretechblog.
“I had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time,” the blogger now dubbed by the media as "accidental hero" told the Guardian.
He stumbled across a garbled domain name contained within the ransomware code itself while coordinating his efforts with Darien Huss from security firm Proofpoint. By purchasing and registering the domain, the two unintentionally activated the ‘kill switch’ which has stemmed the tide of ransomware attacks, for now at least.
Some analysts are suggesting by sinkholing the domain we stopped the infection? Can anyone confirm?— MalwareTech (@MalwareTechBlog) May 12, 2017
I will confess that I was unaware registering the domain would stop the malware until after i registered it, so initially it was accidental.— MalwareTech (@MalwareTechBlog) May 13, 2017
The domain, which @malwaretechblog bought, reportedly cost just $10.69.
“The intent was to just monitor the spread and see if we could do anything about it later on. But we actually stopped the spread just by registering the domain,” he added.
His efforts earned him high praise from none other than Edward Snowden:
@malwaretechblog has confirmed that he and his cyber security colleagues will be holding on to the URL in question and will be passing on any and all relevant information to authorities to assist in the investigation into one of the worst ransomware attacks in recorded history.
@malwaretechblog issued a stark warning, however: “This is not over. The attackers will realise how we stopped it, they’ll change the code and then they’ll start again. Enable windows update, update and then reboot.”
"It is quite crazy, I’ve not been able to check into my Twitter feed all day because it’s just been going too fast to read. Every time I refresh it it’s another 99 notifications.”
If you're wondering why I've been replying slow all day pic.twitter.com/Q6VHnp6bAJ— MalwareTech (@MalwareTechBlog) May 13, 2017
FedEx and Telefonica were two high-profile victims of the attacks, which also wreaked havoc on the UK’s National Health Service (NHS) and local and long-distance rail traffic in the Ruhr region of Germany.
When asked about the safety of private patient data on NHS systems, including X rays, test results and patient records, UK Home Secretary Amber Rudd warned that some information may have been irrevocably lost, as cited by The Independent.
When asked whether patients' files were backed up, Ms Rudd responded rather weakly: “I hope the answer is yes, that is the instructions that everybody has received in the past… I expect… [we] will find out over the next few days if there are any holes in that.”
@malwaretechblog’s actions came too late to save victims in Europe and Asia but did help contain the ransomware extremely quickly before it could spread throughout the digital infrastructure in the US. Europe and Russia were the hardest hit in the attack.
The Russian interior ministry has reported that about 1,000 computers in total have been affected.
The whole incident has been marked as another victory for open source information and security collaboration between companies and researchers.
From the initial Shadow Broker dumps, through to Vault 7 material, and the recent ransomware, crowd-sourced/open source infosec is awesome 👌 https://t.co/Hpkw7yvGgz— Joseph Cox (@josephfcox) May 13, 2017
Bitcoin ransoms totaling up to $23,000 have already allegedly been paid.