An accidental hacker hero, but serendipity still counts.
As [MalwareTech] researched the spread of WannaCry, which hit 48 NHS hospitals across Britain particularly hard, the 22-year-old saw that one of the web domains used by the attackers hadn’t been registered. So he registered the site, took control of the domain for $10.69 and started seeing connections from infected victims, hence his ability to track the ransomware’s spread.
But in doing that he also took down the WannaCry operation without meaning to. Whoever was behind the ransomware included a check designed to detect security tools that fake internet access for quarantined PCs by answering every request the computer makes from a single IP address. This is a feature of a “sandbox,” a contained environment on a PC in which security tools run suspect code. Once MalwareTech registered the domain to track the botnet, every infected PC that looked it up got a real answer, not just the ones running in a sandbox. “So the malware thought it was in a sandbox and killed itself. Lol,” MalwareTech said. “It was meant as an anti-sandbox measure that they didn’t quite think through.”
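The kill-switch behaviour described above also leaves a useful trace for defenders: any host that looked up that domain had the ransomware running. The script below is an added example, not code from the article or from MalwareTech; it triages constructed DNS resolver log lines and assumes a placeholder domain name and a simple log format, both of which you would replace with your own.

```python
import re

# Placeholder for the kill-switch domain. The article does not name it, so
# substitute the real indicator from your own threat-intel feed.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# Constructed sample resolver log (not real data). Assumed line format:
# <timestamp> <client-ip> query <qname> -> <answer>
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:03Z 10.0.5.17 query killswitch-domain.example -> NXDOMAIN
2017-05-12T10:01:09Z 10.0.5.17 query update.example.com -> 192.0.2.10
2017-05-12T15:42:11Z 10.0.7.88 query killswitch-domain.example -> 198.51.100.5
2017-05-12T15:42:30Z 10.0.9.23 query killswitch-domain.example -> 198.51.100.5
2017-05-12T15:43:02Z 10.0.9.23 query killswitch-domain.example -> 198.51.100.5
2017-05-12T16:00:00Z 10.0.5.17 query killswitch-domain.example -> 198.51.100.5
"""

LINE_RE = re.compile(r"^(\S+) (\S+) query (\S+) -> (\S+)$")
FAILED_ANSWERS = {"NXDOMAIN", "SERVFAIL", "TIMEOUT"}


def triage_killswitch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Map each client IP that queried the domain to a triage status.

    'ran'      - at least one lookup failed, so on that run the malware saw
                 no answer, did not exit, and likely went on to encrypt.
    'disarmed' - every lookup resolved, so the check fired and the sample
                 exited; the host is still infected and needs cleanup.
    """
    status = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        _ts, client, qname, answer = m.groups()
        if qname.lower() != domain:
            continue
        if answer.upper() in FAILED_ANSWERS:
            status[client] = "ran"          # a failed lookup always wins
        else:
            status.setdefault(client, "disarmed")
    return status


if __name__ == "__main__":
    for host, verdict in sorted(triage_killswitch_lookups(SAMPLE_DNS_LOG).items()):
        print(f"{host}: {verdict}")
```

Every host in the output needs remediation; the "ran" hosts are the ones to check first for encrypted files and lateral spread.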
The ransomware’s operators are already adapting, though, so update your security protection.