The expert who stopped spread of attack by activating software’s ‘kill switch’ says criminals will ‘change the code and start again’

The “accidental hero” who halted the global spread of an unprecedented ransomware attack by registering a garbled domain name hidden in the malware has warned the attack could be rebooted.

The ransomware used in Friday’s attack wreaked havoc on organisations including FedEx and Telefónica, as well as the UK’s National Health Service (NHS), where operations were cancelled, X-rays, test results and patient records became unavailable and phones did not work. As many as 70,000 NHS devices including computers, magnetic resonance imaging (MRI) scanners, blood storage fridges and theatre equipment could have been affected.

But the spread of the attack was brought to a sudden halt when one UK cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and inadvertently activated a “kill switch” in the malicious software.

The researcher, who identified himself only as MalwareTech, is a 22-year-old from south-west England who works for Kryptos logic, an LA-based threat intelligence company.

“I was out having lunch with a friend and got back about 3pm and saw an influx of news articles about the NHS and various UK organisations being hit,” he told the Guardian. “I had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time.”

The kill switch was hardcoded into the malware in case the creator wanted to stop it spreading. This involved a very long nonsensical domain name that the malware makes a request to – just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading. The domain cost $10.69 and was immediately registering thousands of connections every second.

The attack affected mainly Asia and Europe and which originated in Brazil.  Portugal Telecom, which ensured that the attack had no repercussions or impact on services, activated a security plan, asking some workers to turn off the computer. Energy company EDP has cut its network’s Internet access to prevent possible cyberattacks and has ensured that no problems were recorded. Galp also said it was monitoring and monitoring the situation and reinforced security measures.

In France, Renault stopped production at several sites to prevent the spread of the global cyber attack. Deutsche Bahn, the German National Railway was hit, the ransom demand appearing on departure and arrival boards. In Sewden the local authority in Timra said about 70 of its computers were effected. In China some universities and secondary schools were hit and in Indonesia two of its largest hospitals were attacked.

The Judiciary Police is monitoring the situation and trying to understand the scope of cyberattack. Yesterday, the G7 finance ministers, who met in Italy, focused their attention on cybersecurity.