That Friday afternoon, around 2:30 p.m., Marcus Hutchins returned from picking up lunch at his local fish and chip shop in Ilfracombe, sat down in front of his computer, and found the Internet was on fire. “I chose a hell of a week to start work,” Hutchins wrote on Twitter.
Within minutes, a hacker friend named Kafeine sent Hutchins a copy of WannaCry’s code, and Hutchins set about disassembling it with his lunch still sitting untouched in front of him. First he spun up a simulated computer on a server in his bedroom, seeded it with fake files for the ransomware to encrypt, and ran the program inside that quarantined test environment. He noticed immediately that, before encrypting the decoy files, the malware sent a request to a specific, very random-looking web address: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.
That struck Hutchins as meaningful, if not unusual: when malware reached out to a domain like this, it usually meant it was talking to a command-and-control server somewhere that might be feeding instructions to the infected computer. Hutchins pasted the long string into his web browser and was surprised to find that no such website existed.
So he went to the domain registrar Namecheap and registered the ungainly web address, four seconds after 3:08 p.m., for $ 1
Once Hutchins pointed the domain at a server cluster belonging to his employer, Kryptos Logic, it was bombarded with thousands of connections from every newly infected computer worldwide. Hutchins could now see firsthand the enormous global scale of the attack. And as he tweeted about his work, he was flooded with hundreds of emails from other researchers, journalists, and system administrators trying to learn more about the plague that was engulfing the world’s networks. With his sinkhole domain, Hutchins suddenly had information about those infections that nobody else on the planet had.
Over the next four hours he answered those emails and worked frantically to debug a map he had built to track the emerging infections, just as he had done with Kelihos, Necurs, and so many other botnets. Then, around three and a half hours after he registered the domain, Kafeine forwarded him a tweet posted at 6:30 p.m. by another security researcher, Darien Huss.
The tweet made a simple, concise statement that stunned Hutchins: “Execution fails after the domain is sinkholed.”
In other words, WannaCry had kept spreading to new machines since Hutchins’ domain came online, but those new infections had done no harm. The worm appeared to be neutralized.
Huss’ tweet included a section of WannaCry’s code that he had reverse engineered. Its logic showed that, before encrypting any files, the malware first checked whether it could reach Hutchins’ web address. If it couldn’t, it encrypted the computer’s contents. If it could, it simply stopped. (Malware analysts are still debating the purpose of this feature: whether it was meant as an antivirus evasion technique or as a safeguard the author built into the worm.)
Hutchins hadn’t found the malware’s command-and-control address. He had found its kill switch. The domain he had registered was a way to shut off WannaCry’s rampage around the world, easily and instantly. It was as if he had fired two proton torpedoes through the Death Star’s exhaust port into its core, blown it up, and saved the galaxy, all without understanding what he was doing or even noticing the explosion for three and a half hours.
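The decision the worm made, and the reason a single registered domain could neutralize it, is easier to see in code. The following is an added illustration written for this page, not code from WannaCry, from Huss’ tweet, or from Hutchins; it reproduces only the decision logic described above (try the domain first, stop if it answers, encrypt if it does not). The network environments, the victim files and the single-byte XOR standing in for the worm’s real file encryption are all constructed for the example. It also covers two points practitioners care about: an analysis sandbox that fakes a reply to every request makes the worm abort without ever touching the real sinkhole (the basis of the antivirus-evasion reading), and a host that cannot make a direct outbound HTTP connection, as the real worm attempted without honoring proxy settings, is still encrypted even after the domain is sinkholed.

```python
from dataclasses import dataclass, field

# The domain is the one named on the page; everything else here is constructed.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


@dataclass
class Network:
    """A constructed view of the network as seen from one victim host.

    resolves    - domains that DNS will answer for
    direct_http - whether the host can open a direct (non-proxied) HTTP
                  connection to the internet; the real worm only tried that path
    answer_all  - True for an analysis sandbox that fakes a response to every
                  request, registered or not
    """
    resolves: set = field(default_factory=set)
    direct_http: bool = True
    answer_all: bool = False
    sinkhole_hits: int = 0  # connections that actually reached the sinkhole

    def http_get(self, domain: str) -> bool:
        """Return True if a GET to http://<domain>/ would get a response."""
        if self.answer_all:          # sandbox fakes success, sinkhole never sees it
            return True
        if domain not in self.resolves:   # nobody registered it: DNS fails
            return False
        if not self.direct_http:     # resolves, but the direct connection is blocked
            return False
        self.sinkhole_hits += 1      # a real hit on the registered domain
        return True


def toy_encrypt(data: bytes, key: int = 0x5A) -> bytes:
    """Stand-in for the worm's file encryption (not its real scheme): a
    single-byte XOR so the effect is visible and reversible in a test."""
    return bytes(b ^ key for b in data)


def run_worm(files: dict, net: Network) -> dict:
    """The check Huss described: reach the domain first; stop if it answers,
    otherwise encrypt everything."""
    if net.http_get(KILL_SWITCH_DOMAIN):
        return {"encrypted": False, "files": dict(files)}
    return {"encrypted": True,
            "files": {path: toy_encrypt(data) for path, data in files.items()}}


# Constructed victim file system: path -> content
VICTIM_FILES = {
    "C:/Users/alice/report.docx": b"quarterly numbers",
    "C:/Users/alice/photo.jpg": b"\xff\xd8\xff\xe0 jpeg bytes",
}


def scenario(name: str, net: Network) -> dict:
    result = run_worm(VICTIM_FILES, net)
    result["name"] = name
    result["sinkhole_hits"] = net.sinkhole_hits
    return result


def all_scenarios() -> dict:
    return {
        # Friday morning: the domain is unregistered, so the request fails
        "before_registration": scenario("before_registration", Network()),
        # After 3:08 p.m.: the domain resolves to the sinkhole and answers
        "sinkholed": scenario("sinkholed", Network(resolves={KILL_SWITCH_DOMAIN})),
        # Sandbox that fakes every connection: the worm stops, but the real
        # sinkhole never sees the host
        "fake_internet_sandbox": scenario("fake_internet_sandbox",
                                          Network(answer_all=True)),
        # Caveat: mandatory proxy, no direct HTTP; the domain resolves but the
        # worm's direct request fails, so the host is encrypted anyway
        "behind_proxy_after_sinkhole": scenario(
            "behind_proxy_after_sinkhole",
            Network(resolves={KILL_SWITCH_DOMAIN}, direct_http=False)),
    }


if __name__ == "__main__":
    for name, r in all_scenarios().items():
        print(f"{name:28s} encrypted={r['encrypted']!s:5} "
              f"sinkhole_hits={r['sinkhole_hits']}")
```

Run it and the four rows show why the sinkhole both measured the outbreak and stopped it: only the `sinkholed` case registers a hit and spares the files, the sandbox case spares the files while registering nothing, and the proxied host is encrypted despite the domain being live.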