In May, the WannaCry ransomware spread around the world and crippled the UK’s National Health Service as machines had their files encrypted. Thousands of computers were impacted and the ransomware’s spread was only stopped after a ‘kill switch’ was discovered.
Malware security researcher Marcus Hutchins was dubbed a hero after finding and registering a URL within the ransomware’s code. By registering the domain, Hutchins stopped the EternalBlue exploit from hitting more devices.
Hutchins, after attending the DEF CON hacker event in Las Vegas, has been arrested. The researcher goes by the handle of MalwareTech. According to Motherboard, Hutchins was detained by the country’s authorities.
Hutchins was initally detained by the Henderson Detention Center in Nevada, with his name briefly appearing on the website’s list of detainees.
However, it is the FBI who has an interest in Hutchins. An indictment from the Department of Justice (DoJ), dated July 11, alleges that the 23-year-old created the Kronos malware. The malware is a banking trojan that was seen in 2014 and 2015 and was designed to spread through emails, hoovering up the financial details of users as it did so.
The law enforcement document says Hutchins also updated the malware while another unnamed defendant helped to distribute it online. It adds Kronos was advertised on the AlphaBay blackmarket – only last month was it confirmed an international police operation took AlphaBay offline on July 4.
There are six counts within the indictment that allege Hutchings not only created malware but transmitted it and attempted to cause damage to “10 or more protected computers”. The document says a video of the banking trojan was published online on around July 13 2014 – a YouTube that day but has been removed since the charges were published. It also says the other defendant in the case tried to sell the Trojan on online forums for thousands of dollars.
Separately, the DoJ has published a statement saying Hutchins has been charged with creating the trojan. It says Kronos has been “configured to exfiltrate” banking details of systems in Canada, Germany, Poland, France and the UK. “Kronos presents an ongoing threat to privacy and security, as the Kelihos botnet was observed loading Kronos on computers through email phishing campaign in late 2016,” the DoJ’s statement says.
The UK’s National Crime Agency said it is aware that a UK national has been arrested in the US, however it is not responsible for what happens under the country’s laws. The National Cyber Security Centre also said it is aware of the situation.
Following the news that Hutchins had been arrested, Andrew Mabbitt, the founder of security firm Fidus tweeted to say he wasn’t being told where the researchers was being held.
“I’m working on getting a lawyer for @MalwareTechBlog as he has no legal representation and no visitors,” Mabbitt continued to say. In a later tweet, Mabbitt said he had been able to locate Hutchins and that he was in a “Las Vegas FBI field office”. Days before the hacker conference Mabbitt had tweeted about attending the event with Hutchins and other security researchers.
Prior to the arrest, Hutchins had been attending DEF CON and tweeting about his time there. The last tweets publicly made were on August 2, where it he posted about being on a plane. At present, it is unclear where he was arrested.
Held annually, DEF CON sees security researchers from around the world descend on the US to demonstrate the latest threats and vulnerabilities. This year, multiple ethical hackers showed how it was possible to manipulate voting machines used in the US election.
After stopping WannaCry, Hutchins wrote online that the ransomware had been a series of “crazy events”. Based in the UK, he works for security company Kryptos Research. In a blog post he explained that he woke up at 10AM monitored some other ransomware that was spreading then went to lunch. “When I returned home at about 2:30, the threat sharing platform was flooded with posts about various NHS systems all across the country being hit, which was what tipped me of to the fact this was something big,” he continued to say.
He obtained a copy of the ransomware and started to analyse it. Within this, there was an unregistered domain, which Hutchins registered. Despite registering the domain, which can be considered standard practice when it is contained within malware, Hutchins said he didn’t know it would stop the spread of WannaCry. He “unknowingly killed the malware,” his blogpost says.
The ransomware impacted computers in more than 150 countries around the world and demanded those with infected machines should pay $300 in Bitcoin to get their files unlocked. The untargetted cyberattack has been linked to North Korean hacking groups. Although, on August 2, it is reported that $140,000 raised by the ransomware attack was withdrawn from the Bitcoin wallet where payment was demanded to be made.
CNN reported the money had been removed but it is still not known who withdrew the money.