- UK blogger, 22, 'accidentally' found method to block spread of cyber attack
- He found way to register virus as a website which caused a 'kill switch'
- But the cyber expert warned a group of hackers are trying to sabotage the fix
The UK blogger who discovered a 'kill switch' that has slowed the spread of a virus wreaking havoc across the globe has revealed that the world is facing a fresh cyber attack from malicious hackers who are trying to sabotage the fix.
The 22-year-old 'accidental hero' - who lives at home in the south of England with his mother and father - spotted a loophole in the code that meant he could block the virus.
He says he inadvertently halted the ransomware just hours after hearing news of a cyber attack on the NHS while out for lunch with a friend while on a week off from his job at an information security company.
But speaking exclusively to MailOnline, the anonymous computer security expert revealed that cyber attackers are working to bring down the 'emergency stop' which is halting the virus from spreading in a bid to infect millions more across the globe.
He said: 'We've actually been getting attacks today - we don't think it's the actual group who were spreading the malware but another group is trying to attack us so the infections resume.
An anonymous British blogger, 22, became an accidental hero by putting the brakes on the spread of the mass cyber attack, pictured
Cyber security worker @MalwareTech exploited a loophole by spending £8 to register the domain name the virus tries to connect to when infecting a new computer, causing a 'kill switch' to activate
He confirmed the block on the virus was an accident because he did not realise registering the website would work
The softly-spoken cyber expert, who goes by the username MalwareTechBlog online, continued: 'Obviously they haven't actually been successful, but had they been that would actually be quite a serious thing and it wouldn't really be something to laugh about.'
The security worker spent £8 registering the domain name the virus tries to connect with when it infects a new computer and pointed it at a 'sinkhole server' in Los Angeles.
It caused the malicious software to enact an 'emergency stop', immediately halting its spread - but at first the cyber expert feared he had actually made the virus epidemic worse.
Speaking of the moment he stopped the virus, the anti-malware expert told MailOnline: 'It should have been really nice but someone had made a mistake and told me that our registering of the domain actually caused the infection.
'When I found out that it was actually the opposite it was more a relief.
'Rather than a feeling of 'yes, we've done this' - it was like 'oh god, I haven't f***** up the world, so that's really great'.'
The ransomware hit computers around the globe including in Germany where the rail network was infected
The virus infection resulted in a ransom message appearing on screens across the German rail network creating 'massive disturbances'
The computer expert revealed that he has been in touch with the government's National Cyber Security Centre about the fix - and that to say thank you his bosses have given him another week off work, which he plans to spend surfing.
He said: 'I was trying to avoid doing work for a week, doing odd jobs around the house, but I just got pulled back in.
'I don't really want anything, I just want to get back to my job really. My boss rewarded my with a new week off to replace my not-really week off.'
But the 22-year-old does not believe the attack was specifically targeted at the NHS - rather that the health service 'happened to be vulnerable' and got 'caught in the crosshairs'.
Nevertheless he says it is 'a serious thing and there is a real risk to real people's health if you're shutting down hospital systems.'
The young self-taught cyber expert said he initially became interested in computers at the age of 11 when his mother and father installed parental control software on their family machine.
One Twitter user posted this picture of computers in their university lab that were infected with the ransomware - it has wreaked havoc after spreading quickly around the globe
He set about working out how to get around the filters sparking a long interest in information security that got him his first job in the industry 10 years later in September last year.
MalwareTechBlog said: 'It was a bit "red and blue wire" thing - but more fumbling about trying to figure out if the registering of the domain caused the infections or stopped them.'
He also issued advice for people who are infected - or those who are concerned that their computers could get the malware.
He said: 'The people who're already infected, there's not really much you can do. You can potentially pay the ransom but I don't know if this one will decrypt the files yet.
'It comes as Home Secretary Amber Rudd said six hospitals remained affected by the malware today with the 42 others affected returning to normal.'
Ms Rudd, who chaired a Cobra meeting into the crisis this afternoon, confirmed 48 hospitals were affected by the scam, with many cancelling operations and telling patients to steer clear of A&E departments.
A Nissan factory in Sunderland is the latest victim of the hack after it spread from NHS hospitals to industry.
Teams of technicians have worked 'round the clock' today to restore hospital computer systems in Britain and check bank or transport services in other nati
Speaking after the emergency meeting, Ms Rudd acknowledged 'there's always more' that can be done to protect against viruses.
A fifth of trusts were hit by the ransomware on Friday afternoon, forcing hospitals to cancel and delay treatment.
Ms Rudd said: 'Of the 48 that have been impacted, most of them are back to normal course of business.
'So only six of them have some limits on their business.'
She added: 'The response has in fact been very good. We think we have the right preparedness in place and also the right plans going forward over the next few days to ensure that we limit its impact going forward.'
The worldwide attack was so unprecedented that Microsoft quickly changed its policy and announced that it will make security fixes available for free for older Windows systems, which are still used by millions of individuals and smaller businesses.
Speaking about his temporary halt, @MalwareTechBlog said: 'Essentially they relied on a domain not being registered and by registering it, we stopped their malware spreading,'
The anonymous researcher warned however that people 'need to update their systems ASAP' to avoid a fresh attack.
He added: 'The crisis isn't over, they can always change the code and try again.'
The wave of cyber attacks, which has affected 130,000 systems in more than 100 countries, apparently exploited a flaw exposed in documents leaked from the US National Security Agency.
The attacks used a technique known as ransomware that locks users' files unless they pay the attackers a designated sum in the virtual currency Bitcoin.
Affected by the onslaught were computer networks at hospitals in Britain, Russia's interior ministry, the Spanish telecom giant Telefonica and the US delivery firm FedEx and many other organisations.
The blogger warned vulnerable users to update their system and said the code could always be changed and the virus could start spreading again
This map released by cybersecurity experts, shows the impact of the ransomware around the world - with blue dots showing where attacks have been made. Russia is thought to be the worst affected, while Taiwan fears being the victim of a second wave. Europe was targeted first, meaning there were fewer incidents in the US because companies were able to prepare themselves better
French carmaker Renault also announced it was attacked. A spokeswoman said the company was 'doing what is needed to counter this attack.'
@MalwareTechBlog added: 'I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental.
But computers already affected will not be helped by the solution.
'So long as the domain isn't revoked, this particular strain will no longer cause harm, but patch your systems ASAP as they will try again.'
Forcepoint Security Labs said in a Friday statement that the attack had 'global scope' and was affecting networks in Australia, Belgium, France, Germany, Italy and Mexico.
Cyber attack Q&A: What happened, why are hospitals vulnerable and didn't the NHS know it was at risk?
Cyber criminals have unleashed their most dangerous weapon on the NHS – 'ransomware'. CHIEF REPORTER SAM GREENHILL explains.
What happened?
At 1.30pm yesterday, NHS computers came under massive attack from cyber criminals threatening to destroy patient files unless they received a ransom.
Staff found computers locked, with a warning that files had been scrambled to make them unintelligible. It gave a one-week deadline to pay up and recover the data – or see it deleted. In response, dozens of NHS Trusts shut down their IT systems – cutting off phone lines and medical machinery.
Who is affected?
At least 37 NHS Trusts have been attacked by the 'Wanna Decryptor' ransomware virus.
What is ransomware?
A malicious virus which infects devices and holds information hostage until a ransom is paid. It can be triggered by a staff member clicking on a link in a malicious email that may look innocent. The virus lies low until it is activated, either by a timer or remotely by the cyber gang.
Blackpool Victoria Hospital is one of many across the country hit - operations have been cancelled and ambulances diverted
What are the cyber criminals demanding?
The ransom note warns: 'Do not waste your time. Nobody can recover your files without our decryption service.' It demands $300 (£230) worth of the digital currency bitcoins – per computer infected – within three days or the price doubles. If the ransom is not paid by Friday, the files will be wiped 'forever'.
What are bitcoins?
The controversial web currency, dubbed 'geek's gold', recently overtook the value of an ounce of gold. One bitcoin is worth £1,367. They are not physical coins and only exist in cyberspace. Users can remain anonymous, which is why they are often used for illegal activity.
Why are hospitals vulnerable?
Many NHS computers are running very out-of-date software which can have serious security flaws. At least ten health trusts still rely on the Windows XP operating system, released in 2001.
Why target hospitals?
This is viewed as 'unethical' by some hackers, but hospitals are increasingly being seen as easy targets who will pay up quickly because getting systems running is a matter of life and death.
Who are the prime suspects?
Sources said the attack pointed to a criminal network rather than a state. Security insiders have vowed that the Government will not pay a ransom. Hackers in Russia, China, Ukraine and Taiwan have been pioneering ransomware lately.
Didn't the NHS know it was at risk?
Almost a third of NHS trusts have been infected by ransomware, according to the latest edition of the British Medical Journal. Experts have been warning about the risk to the NHS for years. Last year the Papworth Heart Hospital in Cambridge was attacked, but fortunately, a backup had just been completed of its files, meaning the system could be rebooted and the data was safe. The IT director said: 'We were very, very lucky.'
How can attacks be prevented?
Software should be kept up to date. Anti-virus programs can also be used to 'clean' malicious software from a computer.
In the United States, FedEx acknowledged it had been hit by malware and was 'implementing remediation steps as quickly as possible.'
Also badly hit was Britain's NHS, which declared a 'major incident' after the attack, which forced some hospitals to divert ambulances and scrap operations.
Pictures posted on social media showed screens of NHS computers with images demanding payment of $300 (£230) in Bitcoin, saying: 'Ooops, your files have been encrypted!'
It demands payment in three days or the price is doubled, and if none is received in seven days, the files will be deleted, according to the screen message.
A hacking group called Shadow Brokers released the malware in April claiming to have discovered the flaw from the NSA, according to Kaspersky Lab, a Russian cybersecurity provider.
Ransomware: How do hackers take your data hostage?
A Nissan spokesman told the Newcastle Chronicle staff were working to restore the multimillion pound factory to working order.
A spokesman said: 'Like many organisations, our UK plant was subject to a ransomware attack affecting some of our systems on Friday evening. Our teams are working to resolve the issue.'
It is understood production has still not resumed today, but that the plant was not operating at full capacity when the attack began.
The attack came at an embarrassing time for Prime Minister Theresa May after she pledged to make Britain the 'safest place to do business online' during campaigning for the General Election.
Mrs May said: 'We want social media companies to do more to help redress the balance and will take action to make sure they do.
'These measures will help make Britain the best place in the world to start and run a digital business, and the safest place in the world for people to be online.'
Many are questioning where Health Secretary Jeremy Hunt is after he has so far remained silent on the crisis.
Shadow health secretary Jonathan Ashworth said concerns were repeatedly flagged about the NHS's outdated computer systems, which left it vulnerable to the virus.
WHO IS BEHIND THE ATTACK?
It is currently unknown who the culprits are but it is understood criminal gangs will be investigated and it is likely Russia - which suffered the most from the attack - will form a large part of the inquiry.
Russia has been the focus of several hacking investigations in recent months, with allegations from US sources of state-sponsored attempts to influence last year's US election.
Cyber spies Fancy Bears also operate out of Russia and have been involved in many recent hacking incidents including releasing details of athletes receiving therapeutic use of banned substances ahead of international competitions.
The identity of the culprits remains unknown but the EU's police agency Europol has launched a taskforce to investigate the crimes, with Russia expected to form a large part of the inquiry (file picture)
These included British cyclists Sir Bradley Wiggins and Chris Froome, both Tour de France winners, which showed they had been given exemptions to use banned drugs to treat asthma and allergies.
The spotlight could also fall on North Korea following claims from security experts last month that state-sponsored hackers targeted banks in 18 countries to steal funds to boost its nuclear programme.
A hacking operation known as Lazarus has targeted financial institutions in Europe, Central and South America, Africa, India and the Middle East, according to Russian researchers.
Cyber security firm Kaspersky Lab said it had obtained digital evidence that fuels suspicions that North Korea was involved in last year's $81 million cyber heist of the Bangladesh central bank's account at the Federal Reserve Bank of New York.
According to the Guardian, the criminals behind the scam have only generated around $20,000 (£15,500) so far.
North Korea could also fall under the spotlight following accusations of state-sponsored hacking of 18 banks around the world last month. Pictured is leader Kim Jong-Un
Investigators Elliptic, a firm that works with law enforcement agencies to track illegal activity around online currency bitcoin, said it had identified a number of addresses for recipients of the funds, but was unable to identify them so far.
Co-founder Tim Robinson told the paper: 'In terms of identifying the attacker, what we can see at the moment is that around $20,000 worth of ransoms have been paid to these addresses.
'There are actually two versions of this malware, there was one that appeared in April and we've identified one bitcoin address associated with that, and there's a second version which appeared on Friday and we've identified three bitcoin addresses associated with that.
'These three addresses have received 8.2 bitcoins to date, which is about $14,000 dollars, and all of those bitcoins are still within those addresses. The ransomer hasn't withdrawn any of the funds yet so there's no opportunity to trace them.'
In a letter to Mr Hunt on Saturday he wrote: 'As Secretary of State, I urge you to publically outline the immediate steps you'll be taking to significantly improve cyber security in our NHS.
'The public has a right to know exactly what the Government will do to ensure that such an attack is never repeated again.'
He added: 'NHS Trusts have been running thousands of outdated and unsupported Windows XP machines despite the Government ending its annual £5.5million deal with Microsoft, which provided ongoing security support for Windows XP, in May 2015.
'It effectively means that unless individual trusts were willing to pay Microsoft for an extended support deal, since May 2015 their operating systems have been extremely vulnerable to being hacked.'
Speaking to the BBC, Ms Rudd said no patient data had been 'stolen' but she could not confirm that all NHS files are backed-up, and 'hoped the answer was yes'.
She said: That is the instructions that everybody has received in the past. That is good cyber defence, but I expect, and we will find out over the next few days if there are any holes in that.'
She added: 'There may be lessons to learn from this but the most important thing now is to disrupt the attack, let's come back to afterwards whether there are lessons to be learned.'
Ms Rudd later told Sky News: 'It is disappointing that they have been running Windows XP - I know that the Secretary of State for Health has instructed them not to and most have moved off it.'
CYBER ATTACK ON NHS WAS 'ALWAYS GOING TO HAPPEN'
Kingsley Manning, pictured, said it is not clear which organisation within the NHS 'has the responsibility for seeing that trusts' cyber security is fit for purpose'
An online attack on Britain's healthcare system was 'always going to happen', the former head of the body managing NHS cyber security said.
The Government has invested to protect against such an incident, ex-NHS Digital chairman Kingsley Manning said, but he added that it can be 'difficult' to ensure trusts spend on cyber security.
He described 'a patchwork of regulation' around who is responsible for making sure appropriate safeguards are in place.
Mr Manning told BBC Radio Four's PM programme: 'We were very well aware that this was a threat and indeed the Secretary of State and the Government has always seen it as being a threat.
'In fact we were investing and have been investing significant amounts of money in the anticipation that this sort of thing would happen. It was always going to happen.'
He added: 'There is also a patchwork of regulation in this area by comparison to, say, medical equipment or drugs.'
He said it is not clear which organisation within the NHS 'has the responsibility for seeing that trusts' cyber security is fit for purpose'.
In estimating that adequate systems for the health service could cost around £100 million each year, he said: 'In a world where every last £1 million of NHS spending is under severe scrutiny it is very difficult to get individual trusts, even if you provide the money centrally, to actually use that money for this purpose.'
She added: 'Where the patient data has been properly backed up, which has been in most cases, work can continue as normal because the patient data can be downloaded and people can continue with their work.'
But data released under the Freedom of Information Act in December suggested 90 per cent of NHS trusts are using outdated software Windows XP, which is 16 years old and has been branded 'obsolete', leaving systems more vulnerable to attacks.
Speaking to BBC Radio 4's Today programme, Ms Rudd added the virus had not been targeted at the NHS, saying the attack 'feels random in terms of where it's gone to and where it's been opened'.
She added: 'Windows XP is not a good platform for keeping your data as secure as the modern ones, because you can't download the effective patches and anti-virus software for defending against viruses.
'CQC (Care Quality Commission) does do cyber checks on the NHS trusts, on hospitals when they do their visits, and they will be advising NHS trusts to move to modernise their platforms and I think that after this experience, I would expect them all to move forward with modernising.'
Labour leader Jeremy Corbyn branded the hackers 'unbelievably disgusting'.
He said: 'What we've now got is a bunch of 21st Century highway robbers that have hacked into our NHS and are basically offering protection money to get the information back in order to treat cancer patients or anybody else.
'It's unbelievably disgusting and I've got nothing but contempt for those people that have done it, and I'm sure all of you would share that.
'But I'm also very angry that in 2014, there was a one-year renewal of the protection system on the NHS systems which was not renewed after that and not renewed the year after that and so are systems are now not upgraded and not protected. As a result, we've got this dreadful situation that NHS workers are facing today.
'And so we obviously support our NHS workers but I tell you this, a Labour government would not leave our NHS's very vital information systems unprotected. We would protect them.'
Speaking to Sky News, computer expert Lauri Love warned this may not be the end of the attack.
The Finnish-British national, who is accused of stealing data from the US government, said: 'I'm sad to say that this is probably only just beginning; administrators are in for a very difficult weekend,' he said.
'We should expect to see this in almost every country in the world.
'If you've been infected, not only have your files been encrypted and you're being held to ransom, but your machine is being used as a zombie to attempt to affect other machines on the internet.'
Labour leader Jeremy Corbyn, pictured in Lowestoft today, called the hackers '21st Century highway robbers'
Ciaran Martin, chief executive of the National Cyber Security Centre (NCSC), said thousands of organisations have been affected in dozens of countries around the world.
'The picture is emerging that this is affecting multiple countries and sectors and is not solely targeted at the NHS,' he added.
'We are very aware that attacks on critical services such as the NHS have a massive impact on individuals and their families, and we are doing everything in our power to help them restore these vital services.
'It is important that organisations reduce the risks of these attacks happening to them.'
The NCSC has warned organisations to ensure security and anti-virus software is up to date and to back up important data.
National Crime Agency (NCA) investigators are working with NCSC experts to track down those behind the virus.
Oliver Gower, deputy director of the NCA cyber crime unit, said: 'This was a large-scale attack, but we are working closely with law enforcement partners and industry experts in the UK and overseas to support victims and identify the perpetrators.
'Cyber criminals may believe they are anonymous but we will use all the tools at our disposal to bring them to justice.
'Victims of cyber crime should report directly to ActionFraud. We encourage the public not to pay the ransom demand.'
Gang behind 'unprecedented' attack using 'atom bomb of malware' which has now spread to 130,000 systems in more than 100 countries are targeted by global task for.
More than 100 countries across the world have been affected by the 'unprecedented' cyber attack using a computer virus 'superweapon' dubbed the 'atom bomb of malware'.
It is believed more than 130,000 IT systems are affected around the world, including hospitals in the UK, telecoms and gas firms in Spain, schools in China, railways in Germany and the FedEx delivery company.
The European Union's police agency, Europol, says it is working with countries hit by the ransomware scam to rein in the threat, help victims and track down the criminals.
The German rail system was also experiencing issues due to the ransomware. Photos surfaced on social media showing ticket machines at train stations having been affected
Several computers at a university in Italy were also randomly targeted in the cyber attack
In a statement, Europol's European Cybercrime Centre, known as EC3, said the attack 'is at an unprecedented level and will require a complex international investigation to identify the culprits.'
EC3 says its Joint Cybercrime Action Taskforce, made up of experts in high-tech crime, 'is specially designed to assist in such investigations and will play an important role in supporting the investigation.'
The attack, which has locked up computers and held users' files for ransom, is believed the biggest of its kind ever recorded.
Meanwhile Russia is believed to be the worst affected country with computers in its interior ministry hit and its second largest phone network - Megafon - also targeted.
Ticketing machines and computers at German railway stations have also been affected alongside Spanish companies including telecoms giant Telefonica, power firm Iberdrola and utility provider Gas Natural.
Union members at French carmaker Renault say the global cyberattack has forced it to halt production at sites in France in an effort to stop the malware from spreading.
The two unionists spoke on condition of anonymity because of the sensitiveness of the issue.
They say the factory of Renault factory at Sandouville, in northwestern France, was one of the sites affected.
Hundreds of private users in Taiwan were also struck by the malware.
Deutsche Bahn in Germany said departure and arrival display screens at its stations were hit Friday night by the attack.
The railway said that there was no impact on actual train services.
The head of Turkey's Information and Communication Technologies Authority or BTK says the nation was among those affected by the ransomware attack.
Omer Fatih Sayan said the country's cyber security center is continuing operations against the malicious software.
The company said it deployed extra staff to busy stations to provide customer information, and recommended that passengers check its website or app for information on their connections.
Heart surgery I waited ten months for was cancelled at the last minute because of the cyber attack, reveals patient
A heart patient told last night how his long-awaited operation was cancelled because of the cyber attack as he waited to go into the operating theatre.
Patrick Ward, 47, had travelled with his family from his home in Steeple, Dorset, to St Bartholomew's Hospital in Central London for open heart surgery.
He was due to have a septal myectomy, for which he had been waiting ten months.
The surgery involves removing part of the septum – a wall of tissue that separates part of the heart – which is obstructing the flow of blood.
Patrick Ward, 47, had travelled with his family to St Bartholomew's Hospital in Central London for open heart surgery only to have the operation cancelled
After having his arms and chest shaved and a cannula inserted into the back of his hand, he was ready to go into theatre when his surgeon told him they had to cancel the operation.
'I was told at about 1.30 that there had been a cyber hack and we couldn't proceed today,' he said. 'Apparently if I needed a blood transfusion during the procedure they would need to access files on their database, which they can no longer do.
'They can't tell me when the next available slot is to reschedule, so we'll stay at a hotel in London tonight and head back to Dorset tomorrow.'
Mr Ward, a sales director for an ice cream company, said: 'It's a specialist operation so it could be a while before I get another appointment. What I have isn't life-threatening but it has impacted my life a lot. It's very restricting.
'I think this is one of the few hospitals that can do it, and they only do it on certain days which is why I've had to wait so long to get a date set. It prevents me from doing exercise and I get pains when I walk. I was hoping to be able to play football again after the operation.
'I was supposed to spend a week in hospital recovering. My daughter travelled from Liverpool today to spend the weekend with me.'
Emma Simpson and her son whose appointment was delayed after the attack
Emma Simpson took her son, Sebastian, to Whipps Cross University Hospital in Leytonstone, east London, for an X-ray on his broken toe but was sent home because of the cyber attack.
They had an appointment with an orthopaedic clinic to check that the toe was healing properly.
But when they arrived they were greeted by 'chaos' and told that computers would be down until 'at least Monday'.
'They sent us away and said they would call us with a new appointment,' she told ITV London. 'Lots of people were very disappointed.'
A woman with a suspected blood clot was turned away from the Lister Hospital in Stevenage, Hertfordshire.
Anthony Brett from Bow, east London, was about to have a stent put in his liver to treat his cancer when he was told the procedure could not happen
Janetts Douras originally went to the A&E department on Thursday with the suspected clot but was sent home after six hours and told to return yesterday for a CT scan.
But after an hour she was sent away again with medication that she must inject herself to thin her blood.
She was asked to come back on Monday but said: 'I can't see it happening.'
RANSOMWARE: THE CYBER ATTACK THAT CRIPPLED THE WORLD
What is ransomware?
Ransomware is a type of malicious software that criminals use to attack computer systems.
Hackers often demand the victim to pay ransom money to access their files or remove harmful programs.
The aggressive attacks dupe users into clicking on a fake link – whether it's in an email or on a fake website, causing an infection to corrupt the computer.
In some instances, adverts for pornographic website will repeatedly appear on your screen, while in others, a pop-up will state that a piece of your data will be destroyed if you don't pay.
In the case of the NHS attack, the ransomware used was called Wanna Decryptor or 'WannaCry' Virus.
What is the WannaCry virus?
The WannaCry virus targets Microsoft's widely used Windows operating system.
The virus encrypts certain files on the computer and then blackmails the user for money in exchange for the access to the files.
It leaves the user with only two files: Instructions on what to do next and the Wanna Decryptor program itself.
When opened the software tells users that their files have been encrypted and gives them a few days to pay up or their files will be deleted.
It can quickly spread through an entire network of computers in a business or hospital, encrypting files on every PC.
How to protect yourself from ransomware
Thankfully, there are ways to avoid ransomware attacks, and Norton Antivirus has compiled a list of prevention methods:
1. Use reputable antivirus software and a firewall
2. Back up your computer often
3. Set up a popup blocker
4. Be cautious about clicking links inside emails or on suspicious websites
5. If you do receive a ransom note, disconnect from the Internet
6. Alert authorities
293
