Recess
WANNACRY RANSOMWARE · BITE · 3 MIN · INTERMEDIATE

WannaCry Was Stopped by a 22-Year-Old Who Bought a Domain for $10.69

May 12, 2017: 300,000 machines infected in one day; Marcus Hutchins registered the malware's hard-coded kill switch and stopped the spread.

On May 12, 2017, at 07:44 UTC, a worm called WannaCry began encrypting hard drives across the public Internet. Within twenty-four hours it had hit more than 300,000 machines in roughly 150 countries. In Britain, the National Health Service was hit hard enough to cancel surgeries, divert ambulances, and shut MRI scanners; later UK government estimates put the cost of disruption and IT cleanup at around £92 million across some 70,000 affected devices.

The weapon WannaCry rode in on was not new. It was EternalBlue, a Windows SMBv1 vulnerability the U.S. National Security Agency had been quietly exploiting for years. In April 2017 a group called The Shadow Brokers leaked it. Microsoft had already issued a patch on March 14. Many organizations — for reasons ranging from "we're still on Windows XP" to "we'll patch next quarter" — had not installed it.

What prevented a great deal of additional damage was a 22-year-old British researcher named Marcus Hutchins, who works under the handle MalwareTech. While reverse-engineering the binary on a Friday afternoon, he noticed it tried to reach a long, gibberish domain — iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com — and bailed if it got a response. He registered the domain, for $10.69, and the worm immediately stopped spreading on machines that could resolve it. Attribution arrived later in the year: in December 2017, the U.S. and U.K. formally blamed North Korea's Lazarus Group. Despite the scale of the attack, only about 327 victims paid the ransom, generating roughly $130,000 in bitcoin.
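Because the kill switch only helps machines that can resolve the domain, a defender can use resolver logs to find hosts that looked it up and separate those whose lookup failed. The sketch below is an added example, not code from the article or from any tool it mentions; the log layout, the sample lines, and the bucket names `contain_first` and `investigate` are assumptions made for illustration.

```python
from collections import defaultdict

# Kill-switch domain exactly as quoted in the article.
KILL_SWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
FAILED = {"NXDOMAIN", "SERVFAIL", "REFUSED"}  # standard DNS failure rcodes

# Constructed sample log; the "<time> <client> <qname> <rcode>" layout is an
# assumption, not the format of any particular resolver.
SAMPLE_LOG = """\
2017-05-12T09:14:02Z 10.0.4.17 www.example.org NOERROR
2017-05-12T09:14:05Z 10.0.4.17 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-13T08:01:44Z 10.0.7.3 IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. NOERROR
2017-05-13T08:02:10Z 10.0.9.20 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com SERVFAIL
2017-05-13T08:05:31Z 10.0.9.20 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR
2017-05-13T08:06:00Z 10.0.5.5 xiuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR
malformed line
"""

def is_kill_switch(qname, domain=KILL_SWITCH):
    """Match the domain or any subdomain, ignoring case and a trailing dot."""
    name = qname.rstrip(".").lower()
    return name == domain or name.endswith("." + domain)

def triage(log_text):
    """Map each client that looked up the kill switch to a triage bucket."""
    rcodes = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:  # skip malformed lines
            continue
        _time, client, qname, rcode = parts
        if is_kill_switch(qname):
            rcodes[client].append(rcode.upper())
    result = {}
    for client, seen in rcodes.items():
        # Any failed lookup means the check got no response at least once,
        # so the worm on that host was free to continue.
        result[client] = "contain_first" if FAILED & set(seen) else "investigate"
    return result

if __name__ == "__main__":
    for client, bucket in sorted(triage(SAMPLE_LOG).items()):
        print(client, bucket)
```

Every client in the output is worth examining, since nothing legitimate looks up that name; the buckets only set the order of response.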

Sources
Wikipedia