British blogger who halted cyber attack reveals NEW threat

Daily Mail – by Scott Campbell

The UK blogger who discovered a ‘kill switch’ that has slowed the spread of a virus wreaking havoc across the globe has revealed that the world is facing a fresh cyber attack from malicious hackers who are trying to sabotage the fix.

The 22-year-old ‘accidental hero’ – who lives at home in the south of England with his mother and father – spotted a loophole in the code that meant he could block the virus. 

He says he inadvertently halted the ransomware just hours after hearing news of a cyber attack on the NHS while out for lunch with a friend, during a week off from his job at an information security company.

But speaking exclusively to MailOnline, the anonymous computer security expert revealed that cyber attackers are working to bring down the ‘emergency stop’ which is halting the virus from spreading, in a bid to infect millions more across the globe.

He said: ‘We’ve actually been getting attacks today – we don’t think it’s the actual group who were spreading the malware but another group is trying to attack us so the infections resume.

An anonymous British blogger, 22, became an accidental hero by putting the brakes on the spread of the mass cyber attack, pictured
Cyber security worker @MalwareTech exploited a loophole by spending £8 to register the domain name the virus tries to connect to when infecting a new computer, causing a 'kill switch' to activate

He confirmed the block on the virus was an accident because he did not realise registering the website would work

The softly-spoken cyber expert, who goes by the username MalwareTechBlog online, continued: ‘Obviously they haven’t actually been successful, but had they been that would actually be quite a serious thing and it wouldn’t really be something to laugh about.’

The security worker spent £8 registering the domain name the virus tries to connect with when it infects a new computer and pointed it at a ‘sinkhole server’ in Los Angeles.

It caused the malicious software to enact an ‘emergency stop’, immediately halting its spread – but at first the cyber expert feared he had actually made the virus epidemic worse.

Speaking of the moment he stopped the virus, the anti-malware expert told MailOnline: ‘It should have been really nice but someone had made a mistake and told me that our registering of the domain actually caused the infection.

‘When I found out that it was actually the opposite it was more a relief.

‘Rather than a feeling of ‘yes, we’ve done this’ – it was like ‘oh god, I haven’t f***** up the world, so that’s really great’.’

The ransomware hit computers around the globe including in Germany where the rail network was infected

The virus infection resulted in a ransom message appearing on screens across the German rail network creating 'massive disturbances'

The computer expert revealed that he has been in touch with the government’s National Cyber Security Centre about the fix – and that to say thank you his bosses have given him another week off work, which he plans to spend surfing.

He said: ‘I was trying to avoid doing work for a week, doing odd jobs around the house, but I just got pulled back in.

‘I don’t really want anything, I just want to get back to my job really. My boss rewarded me with a new week off to replace my not-really week off.’

But the 22-year-old does not believe the attack was specifically targeted at the NHS – rather that the health service ‘happened to be vulnerable’ and got ‘caught in the crosshairs’.

Nevertheless he says it is ‘a serious thing and there is a real risk to real people’s health if you’re shutting down hospital systems.’

The young self-taught cyber expert said he initially became interested in computers at the age of 11 when his mother and father installed parental control software on their family machine.

One Twitter user posted this picture of computers in their university lab that were infected with the ransomware - it has wreaked havoc after spreading quickly around the globe

He set about working out how to get around the filters, sparking a long interest in information security that got him his first job in the industry 10 years later, in September last year.

MalwareTechBlog said: ‘It was a bit “red and blue wire” thing – but more fumbling about trying to figure out if the registering of the domain caused the infections or stopped them.’

He also issued advice for people who are infected – or those who are concerned that their computers could get the malware.

He said: ‘The people who’re already infected, there’s not really much you can do. You can potentially pay the ransom but I don’t know if this one will decrypt the files yet.’

It comes as Home Secretary Amber Rudd said six hospitals remained affected by the malware today, with the 42 others affected returning to normal.

Ms Rudd, who chaired a Cobra meeting into the crisis this afternoon, confirmed 48 hospitals were affected by the scam, with many cancelling operations and telling patients to steer clear of A&E departments.

A Nissan factory in Sunderland is the latest victim of the hack after it spread from NHS hospitals to industry.

Teams of technicians have worked ‘round the clock’ today to restore hospital computer systems in Britain and check bank or transport services in other nations.

Speaking after the emergency meeting, Ms Rudd acknowledged ‘there’s always more’ that can be done to protect against viruses.

A fifth of trusts were hit by the ransomware on Friday afternoon, forcing hospitals to cancel and delay treatment.

Ms Rudd said: ‘Of the 48 that have been impacted, most of them are back to normal course of business.

‘So only six of them have some limits on their business.’

She added: ‘The response has in fact been very good. We think we have the right preparedness in place and also the right plans going forward over the next few days to ensure that we limit its impact going forward.’

The worldwide attack was so unprecedented that Microsoft quickly changed its policy and announced that it will make security fixes available for free for older Windows systems, which are still used by millions of individuals and smaller businesses.

Speaking about his temporary halt, @MalwareTechBlog said: ‘Essentially they relied on a domain not being registered and by registering it, we stopped their malware spreading.’

The anonymous researcher warned however that people ‘need to update their systems ASAP’ to avoid a fresh attack.

He added: ‘The crisis isn’t over, they can always change the code and try again.’

The wave of cyber attacks, which has affected 130,000 systems in more than 100 countries, apparently exploited a flaw exposed in documents leaked from the US National Security Agency.

The attacks used a technique known as ransomware that locks users’ files unless they pay the attackers a designated sum in the virtual currency Bitcoin.

Affected by the onslaught were computer networks at hospitals in Britain, Russia’s interior ministry, the Spanish telecom giant Telefonica and the US delivery firm FedEx and many other organisations.

The blogger warned vulnerable users to update their system and said the code could always be changed and the virus could start spreading again

French carmaker Renault also announced it was attacked. A spokeswoman said the company was ‘doing what is needed to counter this attack.’

@MalwareTechBlog added: ‘I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental.

But computers already affected will not be helped by the solution.

‘So long as the domain isn’t revoked, this particular strain will no longer cause harm, but patch your systems ASAP as they will try again.’
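Sinkholing the kill-switch domain, as described above, also gives defenders a record of every machine on which the worm ran before the check stopped it. The following is an added example, not code from the article or from MalwareTech's own sinkhole: it parses constructed sinkhole web-server log lines, assuming a placeholder domain killswitch.example and a combined-format access log with the virtual host logged first, and reports hits per hour plus which of your own addresses still need isolating and patching.

```python
"""Summarise hits on a kill-switch sinkhole to find machines the worm ran on.

Added example, not code from the article or from MalwareTech's sinkhole.
Assumptions (all constructed): the sinkhole serves HTTP for the registered
kill-switch domain and writes combined-format access logs with the virtual
host first; KILLSWITCH_DOMAIN is a placeholder, not the real domain.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

KILLSWITCH_DOMAIN = "killswitch.example"  # placeholder, not the real domain

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
killswitch.example 203.0.113.10 - - [12/May/2017:15:02:11 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
killswitch.example 203.0.113.10 - - [12/May/2017:15:02:12 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
killswitch.example 198.51.100.7 - - [12/May/2017:15:03:40 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
killswitch.example 192.0.2.55 - - [12/May/2017:16:10:05 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
other.example 203.0.113.99 - - [12/May/2017:16:11:00 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0"
killswitch.example 198.51.100.7 - - [12/May/2017:16:12:30 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
"""

# vhost, client ip, ident, user, [timestamp], "request", status, bytes, "referer", "ua"
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_hits(log_text, domain=KILLSWITCH_DOMAIN):
    """Return (client_ip, timestamp) for every request to the kill-switch vhost.

    Requests for other virtual hosts on the same server are ignored; a hit on
    the kill-switch name means the worm's check ran on that client.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["vhost"] != domain:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits.append((m["ip"], ts))
    return hits


def hits_per_hour(hits):
    """Count distinct client IPs per UTC hour: a rough rate of halted infections."""
    per_hour = defaultdict(set)
    for ip, ts in hits:
        per_hour[ts.strftime("%Y-%m-%d %H:00")].add(ip)
    return {hour: len(ips) for hour, ips in sorted(per_hour.items())}


def hosts_to_isolate(hits, my_networks):
    """Map each client IP inside the defender's own ranges to its hit count.

    Each such host executed the worm and was stopped only by the kill switch;
    it is still unpatched and should be isolated and patched.
    """
    nets = [ipaddress.ip_network(n) for n in my_networks]
    own = (ip for ip, _ in hits if any(ipaddress.ip_address(ip) in n for n in nets))
    return dict(Counter(own))


if __name__ == "__main__":
    found = parse_hits(SAMPLE_LOG)
    print(hits_per_hour(found))
    print(hosts_to_isolate(found, ["203.0.113.0/24", "198.51.100.0/24"]))
```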

Forcepoint Security Labs said in a Friday statement that the attack had ‘global scope’ and was affecting networks in Australia, Belgium, France, Germany, Italy and Mexico.

In the United States, FedEx acknowledged it had been hit by malware and was ‘implementing remediation steps as quickly as possible.’

Also badly hit was Britain’s NHS, which declared a ‘major incident’ after the attack, which forced some hospitals to divert ambulances and scrap operations.

Pictures posted on social media showed screens of NHS computers with images demanding payment of $300 (£230) in Bitcoin, saying: ‘Ooops, your files have been encrypted!’

It demands payment in three days or the price is doubled, and if none is received in seven days, the files will be deleted, according to the screen message.

A hacking group called Shadow Brokers released the malware in April claiming to have discovered the flaw from the NSA, according to Kaspersky Lab, a Russian cybersecurity provider.

Ransomware: How do hackers take your data hostage?

A Nissan spokesman told the Newcastle Chronicle staff were working to restore the multimillion pound factory to working order.

A spokesman said: ‘Like many organisations, our UK plant was subject to a ransomware attack affecting some of our systems on Friday evening. Our teams are working to resolve the issue.’

It is understood production has still not resumed today, but that the plant was not operating at full capacity when the attack began.

The attack came at an embarrassing time for Prime Minister Theresa May after she pledged to make Britain the ‘safest place to do business online’ during campaigning for the General Election.

Mrs May said: ‘We want social media companies to do more to help redress the balance and will take action to make sure they do.

‘These measures will help make Britain the best place in the world to start and run a digital business, and the safest place in the world for people to be online.’

Many are questioning where Health Secretary Jeremy Hunt is after he has so far remained silent on the crisis.

Shadow health secretary Jonathan Ashworth said concerns were repeatedly flagged about the NHS’s outdated computer systems, which left it vulnerable to the virus.

In a letter to Mr Hunt on Saturday he wrote: ‘As Secretary of State, I urge you to publicly outline the immediate steps you’ll be taking to significantly improve cyber security in our NHS.

‘The public has a right to know exactly what the Government will do to ensure that such an attack is never repeated again.’

He added: ‘NHS Trusts have been running thousands of outdated and unsupported Windows XP machines despite the Government ending its annual £5.5million deal with Microsoft, which provided ongoing security support for Windows XP, in May 2015.

‘It effectively means that unless individual trusts were willing to pay Microsoft for an extended support deal, since May 2015 their operating systems have been extremely vulnerable to being hacked.’

Speaking to the BBC, Ms Rudd said no patient data had been ‘stolen’ but she could not confirm that all NHS files are backed-up, and ‘hoped the answer was yes’.

She said: ‘That is the instructions that everybody has received in the past. That is good cyber defence, but I expect, and we will find out over the next few days if there are any holes in that.’

She added: ‘There may be lessons to learn from this but the most important thing now is to disrupt the attack, let’s come back to afterwards whether there are lessons to be learned.’

Ms Rudd later told Sky News: ‘It is disappointing that they have been running Windows XP – I know that the Secretary of State for Health has instructed them not to and most have moved off it.’

She added: ‘Where the patient data has been properly backed up, which has been in most cases, work can continue as normal because the patient data can be downloaded and people can continue with their work.’

But data released under the Freedom of Information Act in December suggested 90 per cent of NHS trusts are using outdated software Windows XP, which is 16 years old and has been branded ‘obsolete’, leaving systems more vulnerable to attacks.

Speaking to BBC Radio 4’s Today programme, Ms Rudd added the virus had not been targeted at the NHS, saying the attack ‘feels random in terms of where it’s gone to and where it’s been opened’.

She added: ‘Windows XP is not a good platform for keeping your data as secure as the modern ones, because you can’t download the effective patches and anti-virus software for defending against viruses.

‘CQC (Care Quality Commission) does do cyber checks on the NHS trusts, on hospitals when they do their visits, and they will be advising NHS trusts to move to modernise their platforms and I think that after this experience, I would expect them all to move forward with modernising.’

Labour leader Jeremy Corbyn branded the hackers ‘unbelievably disgusting’.

He said: ‘What we’ve now got is a bunch of 21st Century highway robbers that have hacked into our NHS and are basically offering protection money to get the information back in order to treat cancer patients or anybody else.

‘It’s unbelievably disgusting and I’ve got nothing but contempt for those people that have done it, and I’m sure all of you would share that.

‘But I’m also very angry that in 2014, there was a one-year renewal of the protection system on the NHS systems which was not renewed after that and not renewed the year after that and so our systems are now not upgraded and not protected. As a result, we’ve got this dreadful situation that NHS workers are facing today.

‘And so we obviously support our NHS workers but I tell you this, a Labour government would not leave our NHS’s very vital information systems unprotected. We would protect them.’

Speaking to Sky News, computer expert Lauri Love warned this may not be the end of the attack.

The Finnish-British national, who is accused of stealing data from the US government, said: ‘I’m sad to say that this is probably only just beginning; administrators are in for a very difficult weekend.

‘We should expect to see this in almost every country in the world.

‘If you’ve been infected, not only have your files been encrypted and you’re being held to ransom, but your machine is being used as a zombie to attempt to affect other machines on the internet.’

Ciaran Martin, chief executive of the National Cyber Security Centre (NCSC), said thousands of organisations have been affected in dozens of countries around the world.

‘The picture is emerging that this is affecting multiple countries and sectors and is not solely targeted at the NHS,’ he added.

‘We are very aware that attacks on critical services such as the NHS have a massive impact on individuals and their families, and we are doing everything in our power to help them restore these vital services.

‘It is important that organisations reduce the risks of these attacks happening to them.’

The NCSC has warned organisations to ensure security and anti-virus software is up to date and to back up important data.

National Crime Agency (NCA) investigators are working with NCSC experts to track down those behind the virus.

Oliver Gower, deputy director of the NCA cyber crime unit, said: ‘This was a large-scale attack, but we are working closely with law enforcement partners and industry experts in the UK and overseas to support victims and identify the perpetrators.

‘Cyber criminals may believe they are anonymous but we will use all the tools at our disposal to bring them to justice.

‘Victims of cyber crime should report directly to ActionFraud. We encourage the public not to pay the ransom demand.’

Gang behind ‘unprecedented’ attack using ‘atom bomb of malware’ which has now spread to 130,000 systems in more than 100 countries are targeted by global task force

More than 100 countries across the world have been affected by the ‘unprecedented’ cyber attack using a computer virus ‘superweapon’ dubbed the ‘atom bomb of malware’.

It is believed more than 130,000 IT systems are affected around the world, including hospitals in the UK, telecoms and gas firms in Spain, schools in China, railways in Germany and the FedEx delivery company.

The European Union’s police agency, Europol, says it is working with countries hit by the ransomware scam to rein in the threat, help victims and track down the criminals.

In a statement, Europol’s European Cybercrime Centre, known as EC3, said the attack ‘is at an unprecedented level and will require a complex international investigation to identify the culprits.’

EC3 says its Joint Cybercrime Action Taskforce, made up of experts in high-tech crime, ‘is specially designed to assist in such investigations and will play an important role in supporting the investigation.’

The attack, which has locked up computers and held users’ files for ransom, is believed to be the biggest of its kind ever recorded.

Meanwhile Russia is believed to be the worst affected country with computers in its interior ministry hit and its second largest phone network – Megafon – also targeted.

Ticketing machines and computers at German railway stations have also been affected alongside Spanish companies including telecoms giant Telefonica, power firm Iberdrola and utility provider Gas Natural.

Union members at French carmaker Renault say the global cyberattack has forced it to halt production at sites in France in an effort to stop the malware from spreading.

The two unionists spoke on condition of anonymity because of the sensitivity of the issue.

They say the Renault factory at Sandouville, in northwestern France, was one of the sites affected.

Hundreds of private users in Taiwan were also struck by the malware.

Deutsche Bahn in Germany said departure and arrival display screens at its stations were hit Friday night by the attack.

The railway said that there was no impact on actual train services.

The head of Turkey’s Information and Communication Technologies Authority or BTK says the nation was among those affected by the ransomware attack.

Omer Fatih Sayan said the country’s cyber security center is continuing operations against the malicious software.

Deutsche Bahn said it deployed extra staff to busy stations to provide customer information, and recommended that passengers check its website or app for information on their connections.

Heart surgery I waited ten months for was cancelled at the last minute because of the cyber attack, reveals patient

A heart patient told last night how his long-awaited operation was cancelled because of the cyber attack as he waited to go into the operating theatre.

Patrick Ward, 47, had travelled with his family from his home in Steeple, Dorset, to St Bartholomew’s Hospital in Central London for open heart surgery.

He was due to have a septal myectomy, for which he had been waiting ten months.

The surgery involves removing part of the septum – a wall of tissue that separates part of the heart – which is obstructing the flow of blood.

After having his arms and chest shaved and a cannula inserted into the back of his hand, he was ready to go into theatre when his surgeon told him they had to cancel the operation.

‘I was told at about 1.30 that there had been a cyber hack and we couldn’t proceed today,’ he said. ‘Apparently if I needed a blood transfusion during the procedure they would need to access files on their database, which they can no longer do.

‘They can’t tell me when the next available slot is to reschedule, so we’ll stay at a hotel in London tonight and head back to Dorset tomorrow.’

Mr Ward, a sales director for an ice cream company, said: ‘It’s a specialist operation so it could be a while before I get another appointment. What I have isn’t life-threatening but it has impacted my life a lot. It’s very restricting.

‘I think this is one of the few hospitals that can do it, and they only do it on certain days which is why I’ve had to wait so long to get a date set. It prevents me from doing exercise and I get pains when I walk. I was hoping to be able to play football again after the operation.

‘I was supposed to spend a week in hospital recovering. My daughter travelled from Liverpool today to spend the weekend with me.’

Emma Simpson took her son, Sebastian, to Whipps Cross University Hospital in Leytonstone, east London, for an X-ray on his broken toe but was sent home because of the cyber attack.

They had an appointment with an orthopaedic clinic to check that the toe was healing properly.

But when they arrived they were greeted by ‘chaos’ and told that computers would be down until ‘at least Monday’.

‘They sent us away and said they would call us with a new appointment,’ she told ITV London. ‘Lots of people were very disappointed.’

A woman with a suspected blood clot was turned away from the Lister Hospital in Stevenage, Hertfordshire.

Janetts Douras originally went to the A&E department on Thursday with the suspected clot but was sent home after six hours and told to return yesterday for a CT scan.

But after an hour she was sent away again with medication that she must inject herself to thin her blood.

She was asked to come back on Monday but said: ‘I can’t see it happening.’



7 thoughts on “British blogger who halted cyber attack reveals NEW threat”

  1. It’s amazing how these viruses never effect or affect the banking Industry.

    Fk the english language. ..

    This so called spelling… and grammar..are knot my own thoughts.

    There sum 1 elses.

    I’m the kind of person that sticks a Q tip all the way in…balls deep.

    Fk the die rections.

    1. 70% of ATMs under Threat?
      The vulnerable Windows XP software is what 70% of the 2.19 lakh ATMs in India use, according to the Centre’s own admission, even as banks have been trying to upgrade their software. Microsoft stopped providing support—security patches and other tools—for the Windows XP System in 2014.

      Apparently ATM bank machines in India & China are freezing up now.

      1. I’ve seen the screen of an ATM here in the States go down and reboot after I asked it for money ( that it didn’t give me)
        It was Windows XP

  2. Forcepoint is run by raytheon and I wonder if the anonymous blogger who struck gold twice was at synagogue on Saturday? Chock full of coincidences

  3. Why use Windows at all unless you game or there is software you need to use. I run Linux Mint 18.1 and only use Windows if it’s in a Virtual Box not connected to the Internet. Linux is a bit twitchy and takes some getting used to but once you try it, you WILL love it. Here is one way to start…
    Good luck.

    1. …also if you are able to copy or “ghost” your drive to an external hard drive on a daily basis, an infection like this would mean nothing, as you would simply format the drive and then copy the contents of the ghost drive back. Programs like Acronis can do this as well as “hide” the data inside a “secure zone” so that even if your external drive is connected, the secure zone stays uninfected.
