At around 2:30 on that Friday afternoon, Marcus Hutchins returned from picking up lunch at his local fish-and-chips shop in Ilfracombe, sat down in front of his computer, and discovered that the internet was on fire. “I picked a hell of a fucking week to take off work,” Hutchins wrote on Twitter.

Within minutes, a hacker friend who went by the name Kafeine sent Hutchins a copy of WannaCry’s code, and Hutchins began trying to dissect it, with his lunch still sitting in front of him. First, he spun up a simulated computer on a server that he ran in his bedroom, complete with fake files for the ransomware to encrypt, and ran the program in that quarantined test environment. He immediately noticed that before encrypting the decoy files, the malware sent out a query to a certain, very random-looking web address:

That struck Hutchins as significant, if not unusual: When a piece of malware pinged back to this sort of domain, that usually meant it was communicating with a command-and-control server somewhere that might be giving the infected computer instructions. Hutchins copied that long website string into his web browser and found, to his surprise, that no such site existed.

So he visited the domain registrar Namecheap and, at four seconds past 3:08 pm, registered that unattractive web address at a cost of $10.69. Hutchins hoped that in doing so, he might be able to steal control of some part of WannaCry’s horde of victim computers away from the malware’s creators. Or at least he might gain a tool to monitor the number and location of infected machines, a move that malware analysts call “sinkholing.”

article image

What Is Sinkholing?

Sure enough, as soon as Hutchins set up that domain on a cluster of servers hosted by his employer, Kryptos Logic, it was bombarded with thousands of connections from every new computer that was being infected by WannaCry around the world. Hutchins could now see the enormous, global scale of the attack firsthand. And as he tweeted about his work, he began to be flooded with hundreds of emails from other researchers, journalists, and system administrators trying to learn more about the plague devouring the world’s networks. With his sinkhole domain, Hutchins was now suddenly pulling in information about those infections that no one else on the planet possessed.

For the next four hours, he responded to those emails and worked frantically to debug a map he was building to track the new infections popping up globally, just as he had done with Kelihos, Necurs, and so many other botnets. At 6:30 pm, around three and a half hours after Hutchins had registered the domain, his hacker friend Kafeine sent him a tweet posted by another security researcher, Darien Huss.

The tweet put forward a simple, terse statement that shocked Hutchins: “Execution fails now that domain has been sinkholed.”

In other words, since Hutchins’ domain had first appeared online, WannaCry’s new infections had continued to spread, but they hadn’t actually done any new damage. The worm seemed to be neutralized.

Huss’ tweet included a snippet of WannaCry’s code that he’d reverse-engineered. The code’s logic showed that before encrypting any files, the malware first checked if it could reach Hutchins’ web address. If not, it went ahead with corrupting the computer’s contents. If it did reach that address, it simply stopped in its tracks. (Malware analysts still debate what the purpose of that feature was—whether it was intended as an antivirus evasion technique or a safeguard built into the worm by its author.)

Hutchins hadn’t found the malware’s command-and-control address. He’d found its kill switch. The domain he’d registered was a way to simply, instantly turn off WannaCry’s mayhem around the world. It was as if he had fired two proton torpedoes through the Death Star’s exhaust port and into its reactor core, blown it up, and saved the galaxy, all without understanding what he was doing or even noticing the explosion for three and a half hours.