Briton Who Stopped WannaCry Arrested

Uploaded on 2017-08-07 in TECHNOLOGY--Hackers, NEWS-News Analysis, FREE TO VIEW

Marcus Hutchins, (Twitter ID @MalwareTech) the British security researcher who was credited with stopping the WannaCry outbreak in its tracks by discovering a hidden “kill switch” for the malware, has been arrested by the FBI over his alleged involvement in another malicious software targeting bank accounts.

According to an indictment released by the US Department of Justice on Thursday 3rd August, Hutchins is accused of having helped to create, spread and maintain the banking Trojan Kronos between 2014 and 2015.

The Kronos malware was spread through emails with malicious attachments such as compromised Microsoft word documents, and hijacked credentials such as Internet banking passwords to let its user steal money with ease.

Hutchins, who is indicted with another unnamed co-defendant, stands accused of six counts of hacking-related crimes as a result of his alleged involvement with Kronos. “Defendant Marcus Hutchins created the Kronos malware,” the indictment, filed on behalf of the eastern district court of Wisconsin, alleges. 

He was arraigned in Las Vegas and made no statement in court beyond mumbling one-word answers in response to a few basic questions from the judge.

A public defender noted that Hutchins has no criminal history and has cooperated with federal authorities in the past. The court-appointed attorney said Hutchins needed more time to hire a private attorney. 
His mother, Janet Hutchins, told the Press Association it was “hugely unlikely” that her son was involved because he has spent “enormous amounts of time” combating such attacks. She said she was “outraged” by the charges and has been “frantically calling America” trying to reach her son.

At the courthouse, a friend of Hutchins who declined to give his name, said he was shocked to hear about the arrest. 
“There’s probably a million difference scenarios that could have played out to where he’s not guilty,” he said. “I’m definitely worried about him.”

Special agent in charge Justin Tolomeo said: “Cyber-criminals cost our economy billions in loses each year. The FBI will continue to work with our partners, both domestic and international, to bring offenders to justice.”
Hutchins’ co-defendant advertised the malware for sale on AlphaBay, a darknet marketplace, the indictment alleges, and sold it two months later. The encrypted website operated like an extralegal eBay for drugs and malware, with independent sellers offering their products in exchange for payment in a number of crypto-currencies such as bitcoin. It was not clear from the indictment if the malware was actually sold through AlphaBay.

The marketplace was shut down on 20 July, following a seizure of its servers by US and European police including the FBI and the Dutch national police. FBI acting director Andrew McCabe said AlphaBay was 10 times as large as the notorious Silk Road marketplace at its peak.

When the site was taken down, its servers were seized, giving authorities a window into activity on the site. The operation included the arrest on 5 July of suspected AlphaBay founder Alexandre Cazes, a Canadian citizen detained on behalf of the US in Thailand. Cazes, 25, died a week later while in Thai custody.

New Kronos infections continued as late as 2016, when the malware was repurposed into a form used to attack small retailers, infecting point-of-sale systems and harvesting customers’ credit card information.
“A lot of us thought of Kronos as crime-ware-as-a-service,” Kalember said, since a Kronos buyer would also be getting “free updates and support” and that “implied there’s a large group behind it”.

He also warned that the actions of a researcher examining the malware can look very similar to those of a criminal in charge of it. “This could very easily be the FBI mistaking legitimate research activity with being in control of Kronos infrastructure. Lots of researchers like to log in to crime-ware tools and interfaces and play around.”
On top of that, for a researcher looking into the world of banking hacks, “sometimes you have to at least pretend to be selling something interesting to get people to trust you”, he said. “It’s not an uncommon thing for researchers to do and I don’t know if the FBI could tell the difference.”
On June 13, a video demonstrating the Kronos malware was posted to YouTube, allegedly by Hutchins’ co-defendant (the video was taken down shortly after Hutchins’ arrest). That same day, Hutchins tweeted asking for a sample of the malware to analyse.

Hutchins, better known online by his handle MalwareTech, had been in Las Vegas for the annual Def Con hacking conference, the largest of its kind in the world. He was at the airport preparing to leave the country when he was arrested, after more than a week in the city without incident.

The security researcher became an accidental hero in May when he registered a website, which he had found deep in the code of the ransomware outbreak that was wreaking havoc around the world, including disrupting operations at more than a third of NHS trusts and bodies. The site, it turned out, acted as a kill switch for the malware, which stopped infecting new computers if it saw that the URL had been registered.

When WannaCry first appeared, in early May, it spread rapidly, infecting hundreds of thousands of computers worldwide in less than a day, encrypting their hard drives and asking for a ransom of $300 in bitcoin to receive the decryption key. It moved particularly quickly through corporate networks thanks to its reuse of security exploit, called EternalBlue, first discovered by the NSA before being stolen and leaked by an allegedly Russian-linked hacking group called The Shadow Brokers.
Both US and UK intelligence agencies later linked the malware outbreak to North Korean state actors, who have become bolder in recent years at using cyberattacks to raise revenue for the sanction-laden state. 

Hutchins was recently given a special recognition award at cybersecurity celebration SC Awards Europe for halting the WannaCry malware. The malware ended up affecting more than 1m computers, but without Hutchins’ apparent intervention, experts estimate that it could have infected 10-15m.

Hutchins’ employer, cybersecurity firm Kryptos Logic, had been working closely with the US authorities to help them investigate the WannaCry malware. Hutchins handed over information on the kill switch to the FBI the day after he discovered it, and the chief executive of the firm, Salim Neino, testified in from of the US House of Representatives Committee on Science, Space & Technology the following month.
“The largest success, though incomplete, was the ability for the FBI and NCSC of the United Kingdom to aggregate and disseminate the information Kryptos Logic provided so that affected organisations could respond,” Neino told the committee.  
Hours after Hutchins was arrested by the FBI, more than $130,000 (£100,000) of the bitcoin ransom taken by the creators of WannaCry was moved within the bitcoin network for the first time since the outbreak. There is nothing to suggest the withdrawal, which appears to have moved the coins into a “mixer”, a digital money-laundering system, is connected to the arrest of Hutchins.

Guardian

You Might Also Read:

WannaCry Drives Cyber Insurance:

WannaCry Returns To Attack Honda:

 

« S. Korea Spy Agency Attempted To Rig Election
The Rise Of The Introvert: Is There An IT Personality? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Cybsecurity Foundation (CSF)

Cybsecurity Foundation (CSF)

Cybsecurity is a non-profit NGO, which aims to work on improvement of security levels in the Polish cyberspace.

Federal Office For Information Security (BSI)

Federal Office For Information Security (BSI)

The BSI (Bundesamt fur Sicherheit in der Informationstechnik) is the federal cyber security agency and the chief architect of secure digitalisation in Germany.

CyberPolicy

CyberPolicy

CyberPolicy is a cyber protection solution for small businesses. It combines three important components against cyber threats - Cyber Plan, Cybersecurity and Cyber Insurance.

Rubicon Workflow Solutions

Rubicon Workflow Solutions

Rubicon is a leading provider of managed IT support and strategic services, specialising in creative and mixed platform environments.

Comiq

Comiq

Comiq provide software quality assurance, testing and project management services. Areas of expertise include cybersecurity.

Jetico

Jetico

Jetico provides pure & simple data protection software for all sensitive information throughout the lifecycle. Solutions include data encryption and secure data erasure.

ReFirm Labs

ReFirm Labs

ReFirm Labs provides the tools you need for firmware security, vetting, analysis and continuous IoT security monitoring.

US Secret Service

US Secret Service

The US Secret Service has a pivotal role in securing the nation’s critical infrastructures, specifically in the areas of cyber, banking and finance.

Cyber Tec Security

Cyber Tec Security

Cyber Tec Security is an IASME Certification Body for Cyber Essentials basic/Plus. We also provide ongoing Managed Security Services.

PeopleSec

PeopleSec

PeopleSec specializes in the human element of cybersecurity with a comprehensive set of services designed to maximize your security by educating your workforce as a whole.

BCN Group

BCN Group

BCN Group is an agile IT solutions provider. We are experts in delivering and managing business-critical technology solutions.

GuardYoo

GuardYoo

GuardYoo's SaaS platform allows cybersecurity professionals to perform Compromise Assessment remotely from anywhere in the world.

ATHENE National Research Center For Applied Cybersecurity

ATHENE National Research Center For Applied Cybersecurity

ATHENE is the largest research center for cybersecurity and privacy in Europe, conducting application-oriented top-level research for the benefit of the economy, society and the state.

Cenobe Cyber Security

Cenobe Cyber Security

Cenobe provides customized solutions to keep you ahead of potential threats and ensure the security of your organization's systems and data.

ZEUSS

ZEUSS

ZEUSS is a diversified data center, cybersecurity, and green energy company.

Axient

Axient

Axient advances defense and civilian missions from aerospace to cyberspace with multi-domain test and analysis, mission engineering and operations, and advanced technologies.