Hero of WannaCry Ransomware Arrested: Here's Why

UPDATED 8:15 a.m. Friday with press release from the Department of Justice.

Marcus Hutchins, the English security researcher who single-handedly stopped the WannaCry ransomware worm in May, was arrested last night (Aug. 2) by the FBI in Las Vegas as he was about to board a plane back to the U.K.

Hutchins, center, with journalists following the WannaCry outbreak. Credit: Marcus Hutchins

A grand-jury federal indictment released by the Department of Justice accuses Hutchins, 23, of developing the Kronos banking Trojan, which is unrelated to WannaCry. Hutchins and a co-defendant whose name was redacted in the indictment are accused of selling and distributing the banking Trojan in online criminal forums.

Hutchins, who as of May lived with his parents, works remotely for Kryptos Logic, a Los Angeles data-security firm. He had been in Las Vegas for the annual Black Hat and DEF CON security conferences, where he rented exotic sports cars, shot machine guns at a shooting range, met with journalists, lost his wallet and spent a night sleeping in a hotel lobby.

Accused of coding malware

The indictment, issued July 12 in U.S. District Court in the Eastern District of Wisconsin (which includes Milwaukee and Green Bay), lists six counts against Hutchins and the unnamed co-defendant, including "to knowingly cause the transmission of a program" that would "intentionally cause damage without authorization to 10 or more protected computers."

The indictment also alleges that Hutchins "created the Kronos malware," and that on July 13, 2014, "a video showing the functionality of the 'Kronos banking Trojan' was posted to a publicly available website." That video, which the indictment alleges was posted by Hutchins' unnamed co-defendant, was on YouTube until this afternoon (Aug. 3).

On that same date, Hutchins tweeted "Anyone got a kronos sample?"

Two days earlier, Trusteer, an Israeli security firm now owned by IBM, had announced the discovery of Kronos on a Russian cybercrime forum, and malware researchers were eager to get their hands on a copy.

The indictment goes on to allege that the unnamed co-defendant tried to sell the Kronos malware in August 2014; that Hutchins and the co-defendant updated the Kronos malware in January 2015; that the co-defendant advertised the Kronos malware on the dark-web AlphaBay Market in April 2015; that the co-defendant sold a version of Kronos in June 2015 "for approximately $2,000 in digital currency"; and that the co-defendant in July 2015 offered "crypting" services that would encrypt some of the malware's activities to evade detection by security software.

Last month, AlphaBay Market was suddenly shut down after its alleged creator and operator, a 26-year-old Canadian, was arrested in Thailand and died in a Bangkok jail cell. The indictment of Hutchins and his co-defendant was issued on July 11, 2 days before the announcement that AlphaBay had been shuttered.

Mistaken accusation?

Most of the activities related to the Kronos malware appear to be solely attributed to Hutchins' co-defendant; Hutchins himself is accused only of developing and updating the malware.

On his blog, Hutchins said that he did indeed create simple malware for research purposes, and released some of the code. Such activity is not unusual for legitimate malware researchers.

On his YouTube page, Hutchins demonstrated how several kinds of malware operated; again, that is not unusual.

It is possible that something that Hutchins coded made its way into legitimate malware, without his participation or knowledge. It could also be that an online criminal with a grudge may be falsely accusing Hutchins of similar activities.

"My reading of the indictment is that @MalwareTechBlog wrote some code, but everything else was done by the other guy," tweeted Rob Graham, co-founder of Errata Security in Atlanta, today (Aug. 3).

"It's not a crime to create malware. It's not a crime to sell malware," law professor Orin Kerr told Wired today. "It's a crime to sell malware with the intent to further someone else's crime. This story alone doesn't really fit."

Possible past misdeeds

Until Hutchins was unmasked by London tabloids following the WannaCry outbreak, he had enjoyed a prolific but pseudonymous life under the name MalwareTech, which he still uses today.

However, an online discussion at the developer forum YCombinator tied Hutchins to an older online handle, TouchMe, that had apparently offered to code malware in 2013, when Hutchins would have been 18 or 19.

TouchMe was the username of the writer of a blog called TouchMyMalware, which, like MalwareTechBlog, researched malware from a white-hat perspective. There was also an associated Twitter account, which was later cleaned out and now directs readers to MalwareTechBlog.

All the public postings made by TouchMe and TouchMyMalware concern malware research, and the author doesn't appear to be doing anything illegal. Even the alleged offer to code malware may have been part of research.

"He may have posed as a malware writer on underground forums," tweeted malware researcher Martijn Grooten, a frequent correspondent of Hutchins on Twitter, today. "Many white hat researchers do that. Not easy to prove innocence this way."

Accidental hero

Hutchins accidentally stopped the WannaCry outbreak on May 12 when he tried to "sinkhole" one of the ransomware worm's command-and-control servers.

The ransomware was hardcoded to receive instructions from a specific web domain, which Hutchins found was unregistered. After he registered the domain and began operating a server on it to capture traffic from WannaCry, the ransomware suddenly stopped infecting Hutchins' test machines.

It turned out that WannaCry had a built-in "kill switch," possibly to prevent its discovery by malware researchers, who often perform research on isolated virtual machines that mimic the entire internet without actually being connected to it.
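The flip side of the kill switch for defenders is that every infected machine performs a lookup of the hardcoded domain, so an organization's own resolver logs reveal which hosts ran the worm. The following is an added example, not code from the article or from Kryptos Logic: it scans constructed dnsmasq-style query log lines for exact matches of a placeholder kill-switch domain (the real domain is not named on this page) and reports each client that queried it.

```python
"""Flag hosts that looked up the WannaCry kill-switch domain in resolver logs.

Added example, not from the original article. KILL_SWITCH_DOMAIN is a
placeholder; the real domain is not named on the page. The log lines are
constructed in a dnsmasq-like layout purely for illustration.
"""
import re

KILL_SWITCH_DOMAIN = "killswitch-domain.example"  # placeholder, not the real IoC

# Constructed sample resolver log ("query[TYPE] name from client").
SAMPLE_LOG = """\
May 12 14:02:11 dnsmasq[812]: query[A] www.example.org from 10.0.3.17
May 12 14:02:12 dnsmasq[812]: query[A] killswitch-domain.example from 10.0.3.17
May 12 14:02:13 dnsmasq[812]: query[A] killswitch-domain.example from 10.0.3.42
May 12 14:02:14 dnsmasq[812]: query[A] KILLSWITCH-DOMAIN.EXAMPLE. from 10.0.3.17
May 12 14:02:15 dnsmasq[812]: query[A] notkillswitch-domain.example from 10.0.3.99
May 12 14:02:16 dnsmasq[812]: query[AAAA] killswitch-domain.example from 10.0.3.42
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ query\[(?P<qtype>[A-Z]+)\] "
    r"(?P<name>\S+) from (?P<client>\S+)$"
)


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def find_killswitch_queries(log_text: str, domain: str = KILL_SWITCH_DOMAIN) -> dict:
    """Return {client_ip: {"count": n, "first_seen": ts}} for every client that
    queried the kill-switch domain exactly (look-alike names are ignored).

    A hit means the worm executed on that host: the kill switch only made it
    exit when the lookup succeeded, so the host still needs to be isolated,
    checked for the SMB exposure that let it in, and cleaned.
    """
    target = normalize(domain)
    hits: dict = {}
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m or normalize(m["name"]) != target:
            continue
        entry = hits.setdefault(m["client"], {"count": 0, "first_seen": m["ts"]})
        entry["count"] += 1
    return hits


if __name__ == "__main__":
    for client, info in sorted(find_killswitch_queries(SAMPLE_LOG).items()):
        print(f"{client}: {info['count']} lookups, first at {info['first_seen']}")
```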

UPDATE: The U.S. Attorney for the Eastern District of Wisconsin issued a press release concerning the case, but it doesn't say much that's new, other than that the investigation was led by an FBI cybercrime task force in Milwaukee.

Also, we forgot to credit Joseph Cox of VICE Motherboard for breaking this story. Apologies and kudos.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Source: https://www.tomsguide.com/us/hutchins-arrest-wannacry,news-25597.html