The spread of Friday’s attack was dramatically slowed by the young cyber security researcher, identified by the UK Telegraph as 22-year-old Marcus Hutchins and known on Twitter as @Malwaretechblog.
Mr Hutchins said he was looking through the code of the “WannaCry” malware and discovered an unusual domain name listed. He decided to look it up and, upon realising that it was not registered, he purchased it for about $10.69 ($AU14.45).
“I was out having lunch with a friend and got back about 3pm and saw an influx of news articles about the NHS and various UK organisations being hit,” Mr Hutchins told the Guardian.
“I had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time.”
It’s Saturday morning and just a small reminder that @MalwareTechBlog literally saved the world and probably some lives.
— Lesley (@hacks4pancakes) May 13, 2017
Meanwhile, a Michigan-based cyber security expert named Darien Huss also noticed the domain name, and realised it could be a “kill switch” for the malware.
Mr Hutchins and Mr Huss began communicating online and discovered that registering the domain name and redirecting the attacks to Mr Hutchins’ own server had crippled the ransomware.
Kurtis Baron, a friend of Mr Hutchins and founder of Fidus Information Security, told The Telegraph he was “just doing his job”.
“It is not a job to him, more a passion that he happens to get paid for,” he said.
Mr Hutchins previously worked for a private threat intelligence firm based in LA, and it’s believed he is from a seaside resort on the north Devon coast in England.
He also attended DEFCON, the largest annual convention for internet hackers.
The efforts do appear to have slowed the spread of the malware – but there are fears a new version could be created without the “kill switch” included.
Marin Ivezic, a Hong Kong-based cybersecurity partner at PwC, said that some clients had been “working around the clock since the story broke” to restore systems and install software updates, or patches, or to restore systems from backups.
Microsoft released patches last month and on Friday to fix a vulnerability that allowed the worm to spread across networks, a rare and powerful feature that caused infections to surge.
Code for exploiting that bug, which is known as “Eternal Blue,” was released on the internet in March by a hacking group known as the Shadow Brokers.
The group claimed it was stolen from a repository of National Security Agency hacking tools.
Hong Kong-based Ivezic said that the ransomware was forcing some more “mature” clients affected by the worm to abandon their usual cautious testing of patches “to do unscheduled downtime and urgent patching which is causing some inconvenience.”