It’s also refreshingly simple to explain compared with many other, more intricate cybercrime tactics. In a ransomware attack, hackers infect your computer with a virus that scrambles, or “encrypts”, your files. Then they charge you a ransom to unscramble them, most often paid in the virtual currency Bitcoin, which, if used correctly, makes the transaction impossible to trace back to the culprit.
Sounds easy enough for a techie, but how do you go about obtaining a program capable of encrypting files? Well, handily for the hackers, Microsoft makes this very thing. If a PC user wants to encrypt their own files (perhaps for security or privacy reasons), they can use a tool called Windows Crypto. Once it’s done scrambling the files it puts WINCRY at the end of the file name. Of course, if you’re scrambling your own files, you hold the decryption key, so you can unscramble your files whenever you want.
The people behind the May 2017 virus used the same software to help encrypt victims’ files but with a twist: they kept the decryption key and charged victims a fee to get it back. They also had a sense of humour: they renamed WINCRY to WannaCry – because that’s what you wanna do when you find out your precious photos, emails and music collection are being held to ransom.
The business model of ransomware may be straightforward, but it still faces the challenge of many cybercrime campaigns: scale. In order to make a profit, you need wide distribution. How are you going to get your ransomware on enough machines to earn the big bucks? Traditionally the answer has been spam email. But WannaCry used a frightening new tactic, as Hutchins discovered as he peered into the virus code. “WannaCry spread from computer to computer, which meant you didn’t have to open a malicious email or click a strange link. It was just able to hack your computer remotely,” he says.
In our modern world of interconnected tech, this meant that the virus was out of control, spreading indiscriminately.
“People had assumed that they were going after the NHS,” says Hutchins. “But seeing all this data, it was clear that this was not targeted to the NHS. It was not even targeted at the UK. This was just hitting anything, everywhere in the world. It was at a phenomenal scale, like nothing I’d ever seen before. It was just infections coming in the thousands every few seconds. It was overwhelming.”
Marcus isn’t the only one becoming deeply unsettled by the spread of the virus. Three miles from the hospital from which Ward has just been discharged, in a backstreet behind Vauxhall underground station, is a nondescript office block bristling with CCTV. It’s the headquarters of the National Crime Agency. That Friday morning, members of staff are turning up the volume on the office TV. Sky News is reporting a cyber attack on a hospital in the north west of England. Other reports soon start to flood into the NCA, most of which end up on the desk of Mike Hulett, Director of Operations for the Agency’s National Cybercrime Unit.
“It becomes pretty rapidly apparent around lunchtime on that day that this is not just an isolated incident affecting one hospital or one organisation,” he says. Working with the newly formed National Cyber Security Centre, the NCA officers have to figure out how the virus is spreading so quickly. It first hit Argentina around midnight, and within half a day it was raging across Europe. Hulett and his team discern that the malware is exploiting a particular “port” – a digital doorway built into computers that allows different machines on the same network to communicate with each other: Port 445, to be specific. On some machines, Port 445 doesn’t just allow communication from other computers on the same network but is also set up to be “public facing”, meaning that anyone, anywhere in the world, can send the computer messages using the port – including computer viruses. This is how WannaCry is spreading around the world. It hops from computer to computer within a network, infecting each one it lands on and scrambling its files. Then it calls out to random computer addresses around the world, hunting for a machine with a public-facing Port 445. Once it finds one, it hops over, infects it and begins to spread within that computer’s network too.
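The spreading pattern Hulett describes, one machine reaching out to many others over Port 445 and then to addresses on the wider internet, is something a network defender can look for in ordinary connection logs. The script below is an added example written for this article, not code from the NCA, Hutchins or the book; the log format and the sample lines are constructed (a hypothetical "timestamp source destination port" export), and the internal address ranges are the private ranges a typical organisation would list.

```python
"""Flag hosts that fan out over TCP port 445 the way the article says WannaCry did.

Log format and sample lines are constructed for this example: each line is
"<unix_timestamp> <src_ip> <dst_ip> <dst_port>", as a firewall or NetFlow
collector might export. 203.0.113.x and 198.51.100.x are documentation
addresses standing in for hosts out on the internet.
"""
import ipaddress
from collections import defaultdict

SAMPLE_LOG = """\
1494600000 10.1.2.15 10.1.2.20 445
1494600001 10.1.2.15 10.1.2.21 445
1494600002 10.1.2.15 10.1.2.22 445
1494600003 10.1.2.15 10.1.2.23 445
1494600004 10.1.2.15 10.1.2.24 445
1494600005 10.1.2.15 10.1.2.25 445
1494600006 10.1.2.15 203.0.113.7 445
1494600007 10.1.2.15 198.51.100.9 445
1494600010 10.1.2.40 10.1.2.10 445
1494600011 10.1.2.40 10.1.2.10 445
1494600012 10.1.2.40 10.1.2.11 445
1494600020 10.1.2.50 10.1.2.10 443
"""

# Address ranges we treat as "inside the network". Listed explicitly rather than
# using ipaddress.is_private, which also counts the documentation ranges as private.
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_RANGES)


def parse_flows(text):
    """Yield (timestamp, src, dst, dport) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        yield int(ts), src, dst, int(port)


def smb_fanout(text, window=60, threshold=5):
    """Return {src: {...}} for sources that reached at least `threshold` distinct
    destinations on port 445 within any `window`-second span. Each finding also
    lists the non-internal destinations, in first-seen order: a workstation
    talking SMB to the open internet is the worm's "hunting" behaviour."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse_flows(text):
        if dport == 445:
            by_src[src].append((ts, dst))

    findings = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, dst in events[i:]:
                if ts - start > window:
                    break
                seen.add(dst)
            peak = max(peak, len(seen))
        if peak >= threshold:
            external = []
            for _, dst in events:
                if not is_internal(dst) and dst not in external:
                    external.append(dst)
            findings[src] = {"distinct_targets": peak, "external_targets": external}
    return findings


if __name__ == "__main__":
    for src, info in smb_fanout(SAMPLE_LOG).items():
        print(f"{src}: {info['distinct_targets']} distinct port-445 targets "
              f"within 60s; external: {info['external_targets']}")
```

On the sample data only 10.1.2.15 is reported: eight distinct destinations in under a minute, two of them outside the network. The host that contacted two file servers is left alone, as is the one using port 443. The threshold and window are starting points; a genuine file server will talk to many clients on 445, so the rule is usually scoped to workstations or to outbound traffic.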
The more connected the organisation is, the easier it is for WannaCry to spread. And this means that, while it may not have been the intended target, the NHS, as one of the world’s largest employers, becomes one of the hardest hit.
As Hulett notes: “The ability to connect across the country so that your results and tests and so on can be sent quickly from institution to institution means that you’ve got quite a widely interconnected system particularly susceptible to infection.”
Meanwhile, in his bedroom in Devon, Hutchins is still dissecting the WannaCry code and spots something unusual. Before infecting a victim, the virus would try to visit a particular website that had a long, seemingly random address. If it found the website was offline, the virus would kick in, scrambling the files, demanding a ransom and attempting to infect other machines. But if the virus found the website was up and running, it would stop, leaving the victim’s files untouched. So Hutchins has the idea of checking who actually owns the website that the virus is trying to visit.
“And nobody owned it, so I immediately registered it,” he says. It costs him less than £10 – a cheap investment that would have, as accountants say, “considerable upside”. By taking control of the website, Hutchins has, in fact, brought the outbreak to a halt. The virus code sees that the site is up and running, and so it stops, no longer infecting any computers or trying to spread itself. “Within seconds of registering the domain, the infection rate just started declining,” he says.
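Registering the domain did more than halt the spread: every infected machine that checked in announced itself to the web server behind it, which is the "data" Hutchins describes seeing. The script below is an added example, not Hutchins's own tooling, showing how a sinkhole operator turns a web-server access log into a count of infected machines over time. The log lines are constructed in the standard Common Log Format with documentation IP addresses; the domain's real name is not needed and is not assumed.

```python
"""Summarise check-ins to a sinkholed domain from its web-server access log.

The sample below is constructed for this example (Common Log Format, with
documentation-range addresses). Each request is one infected machine asking
whether the kill-switch site is up.
"""
import re
from collections import defaultdict
from datetime import datetime

SINKHOLE_LOG = """\
203.0.113.10 - - [12/May/2017:15:08:01 +0000] "GET / HTTP/1.1" 200 0
203.0.113.11 - - [12/May/2017:15:08:02 +0000] "GET / HTTP/1.1" 200 0
203.0.113.10 - - [12/May/2017:15:08:40 +0000] "GET / HTTP/1.1" 200 0
198.51.100.5 - - [12/May/2017:15:09:03 +0000] "GET / HTTP/1.1" 200 0
203.0.113.12 - - [12/May/2017:15:09:15 +0000] "GET / HTTP/1.1" 200 0
198.51.100.5 - - [12/May/2017:15:10:30 +0000] "GET / HTTP/1.1" 200 0
"""

# client ip, then the bracketed timestamp; the rest of the line is not needed here.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')


def parse_checkins(text):
    """Yield (datetime, client_ip) for each well-formed access-log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, stamp = m.groups()
        yield datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"), ip


def beacons_per_minute(text):
    """Distinct client addresses seen in each minute, keyed by 'YYYY-MM-DD HH:MM'.
    A falling curve here is the 'infection rate declining' in the article."""
    buckets = defaultdict(set)
    for when, ip in parse_checkins(text):
        buckets[when.strftime("%Y-%m-%d %H:%M")].add(ip)
    return {minute: len(ips) for minute, ips in buckets.items()}


def distinct_sources(text):
    """Total number of distinct addresses that ever checked in."""
    return len({ip for _, ip in parse_checkins(text)})


def first_seen(text):
    """When each address first checked in, useful for telling a victim when it was hit."""
    seen = {}
    for when, ip in parse_checkins(text):
        if ip not in seen or when < seen[ip]:
            seen[ip] = when
    return seen


if __name__ == "__main__":
    for minute, count in sorted(beacons_per_minute(SINKHOLE_LOG).items()):
        print(f"{minute}  {count} distinct machines")
    print(f"{distinct_sources(SINKHOLE_LOG)} machines in total")
```

The per-minute count, not the raw request count, is the useful number: a single infected machine may check in repeatedly, and only distinct addresses approximate how many victims are still running the code. The same log, with first-seen times, is what lets a sinkhole operator notify affected networks.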
“Usually stopping malware is this huge feat where you’re fighting for weeks or months battling the guys on the other end. You’re coming up with clever ways to dismantle their infrastructure. I had never come across something so easy.”
Hutchins has just stopped one of the world’s most dangerous virus outbreaks for the price of a large fish and chips.
The Lazarus Heist – From Hollywood to High Finance: Inside North Korea’s Global Cyber War by Geoff White (Penguin Random House) is published on Thursday, June 9. Preorder for £20 at books.telegraph.co.uk or call 0844 871 1514