My short bio: Hey, I'm MalwareTech, a malware researcher, programmer, and blogger. I'm also known as the "accidental hero" who helped stop WannaCry. Someone submitted an AMA request last week and I promised that I'd do one when the dust settled if people were still interested, so true to my word I'm here.

My Proof:

Also sorry for the grammatical mistake in the title, this will plague me forever more.

Update: due to way more interest than expected I'm going to have to skip questions similar to ones that have already been asked (I'm working from oldest to newest, so if the question above yours has been answered then check down the AMA for similar).

Update 2: I'm heading to sleep now but will continue answering questions tomorrow.

Comments: 2635 • Responses: 75 • Date:

HydrogenLine3391 karma

First of all - you have the thanks of many! I'm sure it's been a whirlwind of publicity and lack of privacy since you assisted with the WCRY takedown. Despite the hassles, what is the best thing that you've taken away from this experience?

MalwareTech4691 karma

I've always wanted to do educational videos and possibly conference talks, but until I got dragged out into the spotlight I wasn't confident enough to make the leap from being anonymous. Now that my identity has become public, I feel more confident to give it a go as it's a much smaller jump to make.

Matth1as2187 karma

Did you receive some job offerings from governments?

MalwareTech7490 karma

No. They probably took one look at all the shitposting and memes in my twitter feed and were like "naaaah".

qwertz_ge2160 karma

What's your PC setup specs?

Also, what VM software provide the best isolation for malware testing?

MalwareTech3340 karma

CPU: i7 6700k

Ram: 2x 16GB DDR4 3200 Mhz (G.SKILL Ripjaws)

Disk: Samsung 960 PRO

MB: Asus Maximus VIII Hero

GPU: Nvidia GTX Titan X (Pascal)

Monitor: 3x Dell u2715h

Case: Cooler Master Cosmos 2

Not sure about best isolation, but I use VMware Workstation for local VMs and ESXi for remote (VMware fanboy here).

SureShaw1319 karma

What are some good resources or ways to learn about cyber security?

MalwareTech1769 karma

For cyber security in general I'd honestly say Twitter. Find out who the major players are in the part of the security industry you're interested in and follow 'em. You will learn so much just by reading all the writeups others tweet (you can use Google, but on Twitter you will always know when and where something new is happening).

Spudgun88893 karma

Could you suggest some good Twitter accounts to follow?

MalwareTech352 karma

Look through the list of people I follow on Twitter and pick out the ones you think are best.

not_2sec4u1315 karma

HELLO SIR, GOOD WORK WITH THE KILL SWITCH. MY QUESTION IS: 2sec4u should get a pay rise, can you confirm if you agree with this?

MalwareTech2275 karma

Yes, we will up your shitposting allowance to 100 shitposts per day.

FloatingGhost261 karma



MalwareTech533 karma

I can confirm I agree with this. We need to put him on basic bitch sensitivity training.

DSNakamoto1209 karma

Any advice for someone looking to avoid being doxxed? Asking for a friend.

MalwareTech2322 karma

Simply put: if you want to be truly never found you can't share any personal stuff about you online, you need total separation of your real life and online identity (including avoiding any use of your real name and address for online services, including billing). Honestly it's not fun and not worth it unless you've actually got something to hide.

Initially I lost out on many job offers because I wasn't comfortable publicly linking my online identity to my real one.

DuncanYoudaho1081 karma

Are you going to DEFCON and can I buy you a drink?

MalwareTech2580 karma

Yes, but please don't buy me a drink (the more drunk I get the less able I am to say no to a free drink and I usually end up passed out in a hedge somewhere).

omaroh1058 karma

Behold the most common question. How did you get into ethical hacking and security and what books did you use?

MalwareTech1599 karma

Technically I'm not an ethical hacker but a malware researcher (I consider ethical hacking to be more the pentester route). I got into it through programming and a fascination with how malware works.

Books I'd recommend to get started: Practical Reverse Engineering. You should also look into Python books (Python is great for automating tasks) and Assembly (you'll need x86_64 for reversing on Windows/Linux and a form of ARM or MIPS for "embedded" devices).

Edit: as others have pointed out, Practical Reverse Engineering won't help if you're a general beginner, not a beginner reverse engineer. If you're not coming from a programming background then knowing ASM is a must and C is always helpful. You should be able to engineer software before trying to reverse engineer it.

kali-ctf996 karma

if you were to be removed by a foreign power, what would be your favourite and why is it best Korea?

MalwareTech2160 karma

Because glorious leader can speak in 1567 different languages and doesn't need to research because he just knows things from birth.

sc_HiddenText749 karma

Firstly, massive thanks MT ... were you at work when you found the bug in the code or was it something you thought you'd have a dig into?

MalwareTech1353 karma

I was actually on holiday. I made it a grand total of 3 days into my week off before I got sucked back in :)

CrowSkull668 karma

Aren't you afraid that the WannaCry hackers will want retribution?

MalwareTech1723 karma

Nah, you quickly learn not to worry about things you can't control or you worry all the time.

Smylers603 karma

What changes would you like to UK press regulation? Is there anything that could outlaw the privacy intrusions that you have suffered while still enabling a free press and genuine investigative journalism?

MalwareTech1003 karma

Ideally make people's houses/friends/family off limits until they've been charged (and found guilty of) a serious crime.

Gone_Girl568 karma

Have you spoken to your buddy that sold you out to gutter press?

MalwareTech858 karma

I'm not sure it was a friend anymore, I think someone who knew me pointed them in the right direction and they did the rest themselves.

JustAnotherExpat_dxb502 karma

What languages can you code in?

What is your opinion on certifications in IT and do you think it's necessary? Do you have any?

MalwareTech885 karma

Coding languages I'm fluent in: C, C++, Assembly (both x86 and x64), PHP, JavaScript.

Also familiar with: Python, Lua, Objective-C, ARM32, Visual Basic (but wouldn't say I'm fluent as I've not been programming them for long).

Certifications: None (but I imagine they'd help).

Skyflyer571 karma

Also familiar with: Python, Lua, Objective-C, ARM32, Visual Basic (but wouldn't say I'm fluent as I've not been programming them for long).

But can you create a GUI interface using Visual Basic to track the killers ip address?

MalwareTech828 karma

No, I can only create gooey interface for that.

crypt0cypher470 karma

Hey, I'm @CryptoCypher on Twitter.

I am currently working on a book that discusses identity security along with operational security. The purpose of this book is to explain the importance of pseudonyms and how to operate a persona "anonymously" online. In this, I will be covering various topics.

With that said, my question is this: would you be willing to get in contact with me to collaborate on my work?

I feel that your experience with UK tabloids as a security researcher would make an excellent example of why people should take the time to lock down their identity security and re-evaluate their OPSEC. Your story could help others realize the importance of locking down their persona.

I don't typically use Reddit, so if you're interested, my Twitter DMs are open.


MalwareTech384 karma

Sure, DM me on twitter anytime.

sc_HiddenText464 karma

What has been the oddest corporate offering you've been given. I spotted the free t-shirts and pizzas, anything else ?

MalwareTech759 karma

I think free pizzas was probably the weirdest, though I did get offered my own radio show which was interesting.

gossi396 karma

If you could go back in time, would you register the domain again?

MalwareTech937 karma

Yes. I think in hindsight knowing the damage caused by this malware would make me more likely to do it, even knowing the personal consequences. It's pretty heartbreaking when all the emails in your inbox not from journalists are people pleading with you to find a way to recover the lost photos of their kids or dead relatives.

R-EDDIT357 karma

What have you learned from malware about programming that general programmers would do well to learn from?

MalwareTech639 karma

Generally how not to code. Most malware developers seem to have learned programming from writing malware, so they fall for all the gotchas and make some absolutely horrible mistakes.

yabkat348 karma

How do we know you're not one of the people who made the ransomware?

MalwareTech945 karma

I was going to give you a silly answer but then I felt I should answer this seriously as I've actually seen a lot of conspiracies.

I do not want fame nor money, so I'm not sure why it'd be worth the risk of spending the rest of my life in jail to get 2 things I don't want. Not to mention every intelligence agency in the world is looking at this right now, there's no way they haven't already investigated me to cover all their bases. Not to mention it took the media 3 days to find my real name and address, how long do you think it would take the world's most powerful intelligence agencies to find me if I was the person responsible?

password-is-flump1333 karma

could you hack my reddit account if you wanted?

MalwareTech425 karma


IamAngelInvestor251 karma

Why the cat? Why sunglasses? Heard the U.K. is rainy and dark - where is your ideal travel spot & why no direct flights -?

MalwareTech492 karma

It's from a meme I found quite funny:

Travel spots: I've only been to Vegas and Lyon, so definitely Vegas.

No direct flight: because I live in the middle of nowhere and only have non major airports.

Zadokk227 karma

Windows XP has been blamed for leaving NHS computers vulnerable to WannaCry. Is the simple answer correct: that if they were running more modern OSes (eg Win7 or Win10) then they would have been unaffected?

MalwareTech396 karma

According to multiple analysts I've spoken to, the malware actually fails on XP (haven't had time to check myself yet), so that would suggest unpatched newer systems were to blame.

Smylers206 karma

3rd-party Windows anti-virus software causes more harm than good, claims ex-Mozilla engineer Robert O'Callahan — do you agree? If not, what would you recommend for non-technical Windows users?

MalwareTech386 karma

Some AVs cause problems, most do things they really shouldn't (code injection into browsers), but the free version of Windows Defender (not the enterprise one, which is crazy good) is pretty much the equivalent of trying to bail out a sinking ship with a colander.

SureShaw63 karma

/u/MalwareTech - Really hoping you can answer this one. Also, for technical users what would you recommend?

MalwareTech115 karma

Personally I'd recommend one of the better rated 3rd party AVs, unless you're actually worried about governments / criminal APT groups writing 0days to exploit your AV.

kenelbow177 karma

What are your career goals long term? Has all the recent publicity changed them?

MalwareTech250 karma

Nah, will continue working for my current company and aiming towards launching our new platforms later this year.

MrDork156 karma

Has your new-found fame helped you get laid more?

MalwareTech537 karma

I literally didn't leave the house the entire time I was famous.

IamAngelInvestor146 karma

Future plans? If knighted, will you be Sir $real_name or Sir MalwareTech, Lord of Pizza - I feel like asking a 22 year old about future plans needs a bit of humor -

MalwareTech197 karma

Future plans are just to continue work and travel more. If I got a knighthood I'd definitely prefix all my online names with Sir just for the novelty, but keep my real name as is.

Nicketick144 karma

How did you get started in this world? What resources do you recommend if you want to learn more about the technical aspects of your work?

MalwareTech185 karma

I got started through programming and an interest in the inner workings of malware. To get started in reverse engineering I'd recommend learning assembly and reading some books / blog posts from known reverse engineers (most of what I learned comes from just reading random blog posts and some trial + error).

tampe125123 karma

After sinkholing a domain, what's the next steps? Do you run any specific script on the server? By the way, how many domains do you have registered?

MalwareTech203 karma

Everything is automated so I just enter the domain + malware family name into the command line and the system registers the domain, points it to the sinkhole, then sets up a tracker (all of this is using a bunch of Python scripts I wrote). As for domains I really don't know, but it's over 2,000.
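The "tracker" half of that pipeline, as an added illustration (this is not MalwareTech's code, and the domain-to-family table and log lines are constructed for the example): a sinkhole that serves many families at once has to attribute each inbound request to a family by the domain it was addressed to, then count distinct sources. The same Host-header split is what lets you pull one family's beacons out of a shared cluster, and the resulting numbers carry the caveat given elsewhere in the thread: they only count infections that reached the sinkhole.

```python
"""Toy sinkhole tracker: attribute inbound requests to a malware family by
the domain they were sent to, and count distinct client IPs per family.

Added illustration, not the sinkhole code discussed in the AMA. The
SINKHOLED table and SAMPLE_LOG below are constructed for this example."""
from collections import defaultdict
import re

# Constructed registry of sinkholed domains -> family. In a real pipeline the
# registration step would append to this when it points a domain at the sinkhole.
SINKHOLED = {
    "example-killswitch.test": "wannacry",
    "c2-a.example.test": "family-a",
    "c2-b.example.test": "family-a",   # several domains can serve one family
}

# Constructed log lines: client IP, method, path, Host header, status.
SAMPLE_LOG = """\
198.51.100.7 GET / example-killswitch.test 200
198.51.100.7 GET / example-killswitch.test 200
203.0.113.9 GET / example-killswitch.test 200
192.0.2.44 POST /gate.php c2-a.example.test 200
192.0.2.44 POST /gate.php c2-b.example.test 200
192.0.2.45 POST /gate.php c2-b.example.test 200
203.0.113.9 GET /favicon.ico unrelated.example.test 404
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<host>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def attribute(log_text, registry=SINKHOLED):
    """Map each request to a family via its Host header.

    Returns (per_family, unknown): per_family is {family: set of client IPs};
    unknown is the set of Host headers not in the registry (scanners, noise,
    or a domain the registration step forgot to record).
    """
    per_family = defaultdict(set)
    unknown = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        host = rec["host"].lower().rstrip(".")  # normalise FQDN / case
        family = registry.get(host)
        if family is None:
            unknown.add(host)
            continue
        per_family[family].add(rec["ip"])
    return dict(per_family), unknown


def infection_counts(log_text, registry=SINKHOLED):
    """Distinct client IPs per family.

    Caveat: this only counts hosts that reached the sinkhole, and one IP can
    hide many machines behind NAT, so it is a lower bound, not a census."""
    per_family, _ = attribute(log_text, registry)
    return {fam: len(ips) for fam, ips in per_family.items()}


if __name__ == "__main__":
    for fam, n in sorted(infection_counts(SAMPLE_LOG).items()):
        print(f"{fam}: {n} distinct client IPs")
    print("unattributed hosts:", sorted(attribute(SAMPLE_LOG)[1]))
```

Requests whose Host header is not in the registry are reported rather than silently dropped; on a shared sinkhole that list is where you notice a domain you registered but never recorded, or a family that has started reusing infrastructure.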

TheComputerInside120 karma

How many sinkhole domains did you have to obtain? and Favorite cat?

MalwareTech223 karma

It's hard to count because we use about 8 different registrars. All I know is the total number of domains we've registered in the past 2 years exceeds 2,000.

As for cats, I love the Russian Blues with the short legs and big chubby faces.

Mnyow89 karma

Hello, just a quick question. We now see the figures of the attack, and it's obviously been a huge campaign but maybe not as big as we thought at first. Do you think the media coverage has made it look bigger than it actually is, and do you think media coverage on those topics actually does more harm than good? I'll be honest here, I'm an infosec journalist, but had the chance to be off work these last two weeks. But I'm genuinely curious about this. Again, thanks for your work, you're doing great stuff.

MalwareTech125 karma

I honestly don't know. Our sinkhole only sees the infections we stopped, so I don't think anyone really knows the full scale of how many systems were infected prior to the sinkholing.

I think the media coverage was neutral. On one hand some got the word out that people need to do something, but on the other some made it sound like I'd come up with a miracle cure for ransomware.

DeathHacker84 karma

What operating system do you prefer to work in? (If it's Linux, which distribution?)

MalwareTech392 karma

Windows 10 because I'm a heathen

Scarazer79 karma

Will the recent explosion of followers change your tweeting habits at all? Will you be posting the same amount of memes?

MalwareTech175 karma

No. I imagine I'm going to lose a lot of followers when I have time to return to normal twitter usage.

sean4lynch70 karma

About to start a masters in cyber security, what is the best and worst thing about working Infosec?

MalwareTech192 karma

Best is definitely the many many selfless people you meet who will insist on always being there to help you and never accept anything in return. Worst is the scriptkiddie groups you will see who cause the same kind of pain serious criminals cause, but do it for "lulz" instead of money. Really makes you lose faith in humanity.

IamAngelInvestor66 karma

How did you get started - why do you do it? Who are your heroes? Whom do you dislike but have learned from? What investment advice are you getting? What shapes and informs your worldview, and why?

Gotta run looking forward to learning more - thanks for taking the time -

MalwareTech108 karma

How I got started:

Almost all of what I do is simply because I enjoy it and for no other reason. I'm not in this for fame or money, just passion.

I generally don't like the term heroes as it seems too cartoony, but the researchers at ESET and PrevX who published the TDL4 and Rovnix analysis articles are who inspired my interest in reverse engineering and are largely responsible for where I am now.

I don't really dislike anyone if I learn from them, that's an automatic like from me (unless they're truly an asshole, which I don't think I've met anyone who is).

Not getting any investment advice yet (hopefully soon).

My world view is mostly shaped by my own personal experiences. Although I remain open to other people's experiences, ultimately I feel I can't fully understand something until I've experienced it myself.

Bandwidth_Wasted57 karma

This may have been asked, and sorry if it was, but what is to stop the makers of this from simply releasing a different one that doesn't check a domain like the first iteration did?

MalwareTech140 karma

Nothing stops them, that's why I went to great lengths to warn everyone to patch ASAP.

throwaway13292949151 karma

I gather you've been learning for 11 years now so for us starting out in infosec reaching that point and level of knowledge can seem hugely intimidating. My question is, for those 11 years how much time were you putting into learning? Was it every night after school? Just at the weekends?

And secondly, you seem to have load of friends in infosec, were you all learning together or was this something you did by yourself for the majority of those years?

MalwareTech63 karma

For the most part odd weekends and when I could get away at school; I didn't start full-time studying until I left college (4 years ago).

balgan47 karma

Whats your favorite pizza and why is it pepperoni with garlic sauce?

MalwareTech81 karma

Chicken Supreme with sweetcorn (Though I've recently learned that sweetcorn on pizza offends people more than pineapple).

balgan18 karma

Now seriously, when things calm down, let's get that Patreon of yours set up with RE and sinkholing tuts :D

MalwareTech26 karma

No money, yes tutorials. :)

bbbbbmm9 karma

Did your Just Eat reward come with limitations, or can you get as much free pizza delivered every day for a year as you want?

MalwareTech23 karma

They didn't have a way to implement it so they gave me £500 credit, so it's not limited to a year or just to pizza which is nice.

FineMalt42 karma

Hello, well done on the great job. A couple of questions: what's a typical "working" day like for you? And have any of the threats you were worried about since quelling WannaCry materialised yet?


MalwareTech75 karma

My work day isn't really typical because I work from home. I tend to alternate between working and gaming randomly throughout the day. When I'm working I'm usually reversing malware or programming the backend for our sinkhole network.

Threats: nothing particularly worrying just your average banking malware (Emotet is what I was looking at beforehand).

REMalware40 karma

How do you start learning the malware enough to write simulation bots to interact with it?

If I were to want to follow say, 5 steps I need to know about how it works and communicates, what are those 5 steps?

I'd like to learn more about this process but there is not much available publicly.

If you know of any resources, could you please share them.

Thanks and keep up the good work.

MalwareTech56 karma

For the most part malware just uses the same ways to communicate that normal software uses (HTTP wrappers, FTP wrappers, raw sockets), once you're familiar with these and possibly the windows crypto API, you can start looking into how it encrypts/structures the data sent to the C2.
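What "learn how it encrypts/structures the data" turns into in practice, as an added illustration (not code from the AMA, and the protocol is constructed for this example; it matches no real family): once reversing has recovered the report format, the cipher and the key, a simulation bot is just a reimplementation of the bot side of that exchange, and the tracker side is the same code run in reverse. RC4 is written out in pure Python here as a stand-in for what a Windows sample would do through the crypto API or a hand-rolled loop.

```python
"""Toy C2 beacon encoder/decoder, the shape of a "simulation bot".

Added illustration, not code from the AMA. The protocol is constructed:
a bot serialises a key=value report, RC4-encrypts it under a fixed campaign
key, and POSTs the hex-encoded ciphertext. CAMPAIGN_KEY and the host/path
are assumptions standing in for values recovered by reversing."""

CAMPAIGN_KEY = b"constructed-campaign-key"  # assumption for the example


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_beacon(bot_id: str, hostname: str, version: int,
                 key: bytes = CAMPAIGN_KEY) -> str:
    """Bot side: serialise the report and produce the POST body."""
    plaintext = f"id={bot_id}&host={hostname}&ver={version}".encode("ascii")
    return rc4(key, plaintext).hex()


def parse_beacon(body: str, key: bytes = CAMPAIGN_KEY) -> dict:
    """Tracker side: decrypt and split the report.

    Raises ValueError for anything that is not a well-formed beacon under
    this key, which is what you want when scanners or another family hit
    the same endpoint: reject loudly instead of logging garbage as a bot."""
    try:
        plaintext = rc4(key, bytes.fromhex(body)).decode("ascii")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("not a beacon for this protocol") from exc
    fields = {}
    for pair in plaintext.split("&"):
        if "=" not in pair:
            raise ValueError("malformed field")
        k, v = pair.split("=", 1)
        fields[k] = v
    if {"id", "host", "ver"} - fields.keys():
        raise ValueError("missing required field")
    try:
        fields["ver"] = int(fields["ver"])
    except ValueError as exc:
        raise ValueError("non-numeric version") from exc
    return fields


def http_request(body: str, host: str = "c2.example.test",
                 path: str = "/gate.php") -> str:
    """The request a simulation bot would put on the wire (constructed target)."""
    return (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: application/octet-stream\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


if __name__ == "__main__":
    body = build_beacon("bot-1", "WIN-TEST", 3)
    print(http_request(body))
    print(parse_beacon(body))
```

Having both directions in one file is the point: the bot half feeds a real C2 or your own sinkhole for testing, and the parser half is what the sinkhole runs over whatever the real bots send, so a protocol change on their side shows up as a spike in rejected beacons rather than as silently wrong statistics.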

embeddedrookie38 karma

New CS grad here. Any advice?

Also, what do you think about all the talk of Russian hackers and how the US is standing against it?

MalwareTech71 karma

Look into getting some certs or public research up, will really help boost your profile.

I think the US is doing the best they can against a form of warfare they've never really been on the receiving end of. This type/level of PsyOps is unprecedented IMO.

Ickarus_34 karma

Could you explain to us laymen how you actually went about stopping WannaCry? I have very basic computer knowledge, and am just curious how the process even works.

I'm sorry if this is a really stupid question, but is it a matter of infecting a machine with the malware and then running 'triple-class-A-wizard-hacker'-diagnostic-utility-type-shit that gives you a sense of what the malware is doing? Is there like, an actual script the malware runs that you can look at and figure out how it works? I've always had trouble wrapping my head around how this stuff works as I have only the most basic knowledge of programming and computer systems. It surely can't be as simple as opening up 'virus.exe' and figuring out how it does what it does, right?

Is there some sort of video or documentary that kind of breaks down the process of fixing things like this?

Thanks man.

MalwareTech39 karma

Check out my explanation at

glassjar133 karma

What VPNs would you suggest?

MalwareTech116 karma

The best VPN is the one people don't suggest. The more suggested a VPN is the more likely someone who's worth targeting is using it, which makes it a greater target for both good guys and bad.

Telnet_Rules30 karma

What do you think about Mirai targeting the sinkhole domain? Just skiddies having a giggle, or harbinger of malware collaboration?

MalwareTech56 karma

Skids, always skids. If it's Mirai it's skids; I only ever saw one sophisticated hacker using Mirai and even then he had heavily customised the code.

Rage209727 karma

So was it an accident? From what I read you used your knowledge of malware to inspect the code then used what you learned to stop it.
So I was somewhat confused how it was reported as an accident.
Did you trip and fall onto several years of anti-malware experience?

MalwareTech47 karma

I guess it depends how you look at it. For me it seems accidental as I didn't know the domain would stop the malware at the time of registering it, so that part was what I consider an accident.

j17smith23 karma

At what age did you become interested in cyber security and/or tech? Did you teach yourself a lot of the stuff whilst still at school?

MalwareTech58 karma

Around 11 and yeah I taught myself while I was in school (mostly against my IT teacher's wishes).

IamAngelInvestor19 karma

Thoughts behind privacy vs privacy against hackers vs privacy from overly aggressive journalists? French "right to be forgotten?" Privacy in a digital age vs big business?

MalwareTech50 karma

Journalists were definitely far more determined to find me than any hacker ever has been. A friend at a big paper said they had an entire team dedicated just to finding me for 3 days solid, it's crazy.

SelfAwardingTrophy16 karma

Do you remember what the first script/program you wrote was? If so, what was it?

MalwareTech56 karma

It was a Visual Basic Excel macro to disable various group policy restrictions set on the school computers. regedit / cmd was disabled but most of the restrictions were stored in HKCU keys which are editable by the current user if you did it via code, but because running of 3rd party exes was also disabled, I found you could just run VB6 code using the Microsoft Office macro editor.

TenPest00713 karma

If you could go back to before claiming 'that domain name' would you change what you did by telling everyone?

MalwareTech35 karma

I'd probably do it quietly and buy myself an extra week before the media found me.

Ffrribbib11 karma

How would you suggest someone who has very very little (really basic HTML and not much past a marquee tag) get better at coding?

Sorry if i'm a tad late to the AMA

MalwareTech15 karma

Just dive right in. Find something you'd like to code, break it down into smaller parts and research how to do those parts.

Cruel_Coppinger10 karma

Scones: Cream then jam or jam then cream? TY

MalwareTech28 karma

Cream first because cream is easy to spread onto scones and then put a dollop of jam on top, if you do it the other way around you just get jam everywhere.

brittbratx47 karma

Why did you want to do cyber security to begin with? What caught your interest?

Additionally, in my original line of work as a pet nurse, we needed to continue going to school to keep our licensure active and good to practice with. Considering you currently do not have a degree, would I be correct in assuming that you don't need to have official "classes" to keep up to date on how to continue doing your job effectively? If that is true, how do you keep your knowledge fresh and up to par?

Thank you so much for taking the time to read this, and possibly answering!

MalwareTech11 karma

I think what caught my interest was the first rootkit I ever saw. The idea that malware can manipulate the OS to remain well hidden was something I really wanted to look into.

That's correct, I keep up to date via twitter and frequent research.

L4mpshade6 karma

Do you think using IDA is required for malware researching? A lot of books seem to be based around it. Can you recommend any alternatives?

MalwareTech8 karma

No it's not required, but I'd definitely never give it up for anything.

TheLawsOfChaos4 karma

Would you prefer future malware be as easily stoppable as this one (not counting patching/admin practices etc) or ones that require more of a puzzle hunt to disassemble?

MalwareTech10 karma

I prefer the challenge, but if it means stopping people being hurt then easily stoppable.

whatisrealityy4 karma

Are you going to change your career plans because of what happened?

MalwareTech7 karma

Not at all :)

CuteLittlePolarBear2 karma

Any malware you found especially interesting to reverse (maybe because they did something different)?

MalwareTech3 karma

I really like Dridex because it's just so much more sophisticated than anything else around these days.

sweetAndHella2 karma

Your twitter description implies you have a(n opinionated) dog - is this true? If so, please provide photo evidence!

Also thanks for your work :D

MalwareTech6 karma

No I actually don't have a dog, just a cat, but i felt that was too stereotypical.

Darathin2 karma

What are your favorite and/or must-have IDA plugins?

MalwareTech3 karma

IDAPython. With that you can make any plugin you can dream of :)

recrudesce2 karma

What's your favourite pizza topping?

Nah, kidding. How much data throughput did you see once you had the sinkhole endpoint set up ?

MalwareTech5 karma

If I'd set up a sinkhole for WannaCry specifically (which in hindsight would have caused me so much less headache) I'd be able to tell you. Unfortunately we used our sinkhole cluster we use for all sinkholing operations so it was a drop in the ocean of the couple hundred GB of traffic we see daily.

Larzdk2 karma

Hi! Just a random thought here - do you think the publicity of the DNS registration and sinkholing of data forced the malware creators to move faster with updated code than usual? Or is it business as usual when they figure out bugs in their payload?

MalwareTech5 karma

In this case they never updated, but usually such a thing would cause them to begin updating code immediately.

IamAngelInvestor2 karma

Forgot the most important one: how do you stay sharp at what you do? What are your sources for information and becoming more knowledgeable personally that you use every day or once a week? How do you stay on top of your ITSec game? What other sources of media do you like to keep yourself up to date?

MalwareTech8 karma

I always keep in touch with other researchers and make sure to follow all the great sources on twitter; people make fun of Twitter, but I always hear about everything there about an hour before anywhere else.

Media: I tend to read Reuters for serious stuff and the Daily Mail because the comment section is 900% of your recommended daily allowance for both humour and salt.

Blythyvxr1 karma

Which papers doxxed you?

MalwareTech4 karma

Not going to name names, as I don't want to instigate anything.

jedisct11 karma

Are you sit, or sat?

MalwareTech3 karma


ripnox1 karma

Is the website root-me a good way to learn about cyber security ?

MalwareTech2 karma

Not actually tried it.

14th_Eagle1 karma

Does pineapple belong on pizza?

MalwareTech2 karma

I'm not against it, but I don't like it either.

heavypizzabreath1 karma

If you were so against being identified, why were you doing so many interviews? And since being "doxxed", why have you invited journalists into your home? This all seems very counter to your original stance on being "anonymous".

MalwareTech24 karma

If you look at all the voice interviews I did prior to being identified (assuming they haven't been cut), every single one is designed to clarify I haven't permanently stopped the attack and people still need to patch ASAP, ideally before Monday when we suspected another attack would take shape.

Once I did get identified a friend in PR called and warned me that as long as there was a possibility of "the first face to face interview with MalwareTech" journalists would continue hanging around outside my house and harassing people who know me irl. They recommended I pick the biggest news organisation I could find and do a single face to face interview; which would mean there was no story left to be had and other news organisations would leave from outside my house. My boss and I decided on Associated Press for the exclusive as they are the most respectable and didn't harass my friends/family, and sure enough the morning after the interview went live, there were no journalists to be seen (except for a couple of BBC ones because BBC aren't allowed to publish material from Associated Press).