The cyberattack that spread malicious software around the world, shutting down networks at hospitals, banks and government agencies, was stemmed by a young British researcher and an inexpensive domain registration, with help from another 20-something security engineer in the US.

Key points: British engineer accidentally activated a hidden 'kill switch' by registering a domain found in malware code

British engineer accidentally activated a hidden 'kill switch' by registering a domain found in malware code Action may have saved companies and governments millions of dollars

Action may have saved companies and governments millions of dollars Attackers could still reactivate the malware easily on unpatched computers

Britain's National Cyber Security Centre and others were hailing the cybersecurity researcher, a 22-year-old identified online only as MalwareTech, who — unintentionally at first — discovered a "kill switch" that halted the unprecedented outbreak.

By then, the "ransomware" attack had hobbled Britain's hospital network and computer systems in several countries, in an effort to extort money from computer users.

But the researcher's actions may have saved companies and governments millions of dollars and slowed the outbreak before computers in the US were more widely affected.

MalwareTech said in a blog post on Saturday that he had returned from lunch with a friend on Friday and learned that networks across Britain's health system had been hit by ransomware, tipping him off that "this was something big".

He began analysing a sample of the malicious software and noticed its code included a hidden web address that was not registered.

He said he "promptly" registered the domain, something he regularly does to try to discover ways to track malicious software, paying just $10.69 for the address.

Across an ocean, Darien Huss, a 28-year-old research engineer for the cybersecurity firm Proofpoint, was doing his own analysis.

The western Michigan resident said he noticed the authors of the malware had left in a feature known as a kill switch. Huss took a screen shot of his discovery and shared it on Twitter.

MalwareTech and Huss are part of a large global cybersecurity community of people, working independently or for security companies, who are constantly watching for attacks and working together to stop or prevent them, often sharing information via Twitter.

It is not uncommon for them to use aliases, either to protect themselves from retaliatory attacks or for privacy.

Soon Huss and MalwareTech were communicating about what they had found: That registering the domain name and redirecting the attacks to MalwareTech's server had activated the kill switch, halting the ransomware's infections — creating what is called a "sinkhole".

Although the web address was "fairly obvious" in the code, MalwareTech said he suspected those behind the attack were not aware it could be used to stop the ransomware's spread.

Attack could be reactivated with new code

Who perpetrated this wave of attacks remains unknown. Two security firms — Kaspersky Lab and Avast — said they identified the malicious software in more than 70 countries. Both said Russia was hit hardest.

How did the attack occur? Attack appeared to be caused by a self-replicating piece of software that takes advantage of vulnerabilities in older versions of Microsoft Windows, security experts say

Attack appeared to be caused by a self-replicating piece of software that takes advantage of vulnerabilities in older versions of Microsoft Windows, security experts say It spreads from computer to computer as it finds exposed targets.

It spreads from computer to computer as it finds exposed targets. Ransom demands start at $US300 and increase after two hours, a security researcher at Kaspersky Lab says

Ransom demands start at $US300 and increase after two hours, a security researcher at Kaspersky Lab says Security holes were disclosed several weeks ago by TheShadowBrokers, a mysterious group that has repeatedly published what it says are hacking tools used by the NSA

Security holes were disclosed several weeks ago by TheShadowBrokers, a mysterious group that has repeatedly published what it says are hacking tools used by the NSA Shortly after that disclosure, Microsoft announced it had already issued software "patches" for those holes

Shortly after that disclosure, Microsoft announced it had already issued software "patches" for those holes But many companies and individuals have not installed the fixes yet or are using older versions of Windows that the company no longer supports and for which no patch was available

"One thing that is very important to note is our sinkholing only stops this sample and there is nothing stopping them removing the domain check and trying again, so it's incredibly important that any unpatched systems are patched as quickly as possible," MalwareTech warned.

He also tweeted that while version one of the software was stoppable, the subsequent version "will likely remove the flaw".

"You're only safe if you patch ASAP."

The kill switch also could not help those already infected. Short of paying, options for these individuals and companies are usually limited to recovering data files from a backup, if available, or living without them.

Security experts said it appeared to be caused by a self-replicating piece of software that enters companies when employees click on email attachments, then spreads quickly as employees share documents.

The security holes it exploits were disclosed weeks ago by TheShadowBrokers, a mysterious hacking group.

Microsoft swiftly released software "patches" to fix those holes, but many users still have not installed updates or still use older versions of Windows which are no longer supported by Microsoft.

Proofpoint's Ryan Kalember said MalwareTech gets "the accidental hero award of the day", The Guardian reported.

But the young British researcher said otherwise: "I'm not a hero, just a guy doing what he can."

ABC/AP