The WannaCry malware attack that crippled computers around the world in mid-May 2017 could have been much worse if not for the quick-thinking actions of a 22-year-old British cyber protector.

His actions are a bright light on an incident that caused costly damage to companies and individuals who rely on a digital workplace. It’s also a happy ending to May’s huge ransomware attack – a serendipitous end.

WannaCry Dominates Technology News

The attack began by exploiting software leaked by the U.S. National Security Agency. The ransomware spread rapidly to 150 countries and major companies such as FedEx and Nissan. The attack brought down portions of Britain’s National Health Service, delaying treatment for patients at British hospitals.

Once infected, a computer would spread the malware throughout a networked system. An infected computer became inoperable with its monitor displaying a red sign instructing the user to pay about $300 in bitcoin to unlock the machine.

White-hat computer experts began reverse-engineering the code, looking for a solution. One of those experts uses the handle “MalwareTech.”

Hackers often include a kill switch code. One theory is that if the perpetrators feel the attack has gone too far, they can stop it. Another is that the code is included to alert the hackers when security analysts are trying to stop the attack.

In this case, the plan backfired.

A Critical Discovery, A $10 Domain Fix

The WannaCry builders included a dummy URL in the code. MalwareTech found the URL and noted that it wasn’t registered. He made the decision to spend $10 to register the domain.

Once the website was registered and hosted, it activated a kill switch. When the WannaCry ransomware connected to the website and it was no longer gibberish, the program shut down.

MalwareTech then created a “sinkhole” on the domain. Malicious traffic directed to the server was captured and held there. This meant committing server space and bandwidth to capture and kill attacks.

Buying Time

The sinkhole bought time. It bought the extra time needed for security patches to be disseminated and installed.

While the fix slowed the attack days after it began, there is not a permanent solution. A new strain that excludes the kill switch domain or uses a URL generator instead of a single static address could cause more havoc.

MalwareTech is rather humble about his role in the process. In a series of tweets only days after the attack began, MalwareTech downplayed his impact on slowing down the attack. He was offered a $10,000 reward by HackerOne, a platform dedicated to stopping malicious software. He announced he was donating the reward to charity.