Marcus Hutchins, the security researcher who helped stop the WannaCry attack earlier this year, has pleaded not guilty to charges of creating, selling, and maintaining malware.
Despite prosecutors in the US claiming Hutchins has admitted to creating and distributing the Kronos malware, which harvests bank details from unsuspecting victims, Hutchins’ lawyer Adrian Lobo said his client denies the six charges.
The 23-year-old from Ilfracombe, Devon, who helped kill May’s WannaCry virus which hit the NHS among other companies across the globe, was granted $30,000 (£23,000) bail on Friday but was unable to pay so will remain in detention.
Motherboard first reported news of Hutchins being detained by the FBI on his way home from the DefCon black hat hacking event in Las Vegas last week. It was initially thought Hutchins, who posts online under the pseudonym MalwareTech, had been taken by US Marshals but a spokesperson for the agency said the arrest had been made by the FBI.
Hutchins was charged in connection with a two-year cybercrime investigation in the US into the Kronos malware, according to court filings. This investigation started before the WannaCry outbreak and the two are not said to be related in terms of Hutchins.
The Department of Justice said in a statement that Hutchins “was arrested on August 2, 2017, in Las Vegas, Nevada, after a grand jury in the Eastern District of Wisconsin returned a six-count indictment against Hutchins for his role in creating and distributing Kronos.” Alphr has contacted the DoJ for more information about the counts. A statement about the arrest by the UK’s National Cyber Security Centre explained it is aware of Hutchins’ arrest but is refusing to comment further.
What is Kronos malware?
Kronos malware is a banking Trojan which is spread through email attachments. It is used to steal banking passwords from infected computers and has been configured to infiltrate banking systems in the UK, Canada, Germany, France, Poland among other countries.
Early reports of Kronos emerged in 2014 when an ad was spotted on a Russian cybercriminal forum. The tool was being advertised for $7,000 as part of a package which included free upgrades and bug fixes. Research into the malware found that it is, or at least this early form, was compatible with tools developed for what is probably the most famous banking Trojan, Zeus. In fact, it was said to have been designed to allow cybercriminals who still use Zeus to easily move over to Kronos.
Hutchins is accused of maintaining Kronos with an unnamed accomplice. They are specifically accused of spreading the malware via the Alphabay marketplace from July 2014 and July 2015. Shortly after the Kronos malware was spotted, Hutchins tweeted asking if anyone “had a sample.” Alphabay was shut down last month, along with Hansa, following what was described as a “landmark” international investigation. Both sites were linked with selling malware, stolen data, weapons, drugs, and more illegal substances.
How did Marcus Hutchins stop WannaCry?
Hutchins became a somewhat reluctant “hero” in May this year when he discovered a hidden “kill switch” in the WannaCry ransomware virus that hit more than 300,000 computers, many in the NHS, across 150 countries. He was later reportedly working with the National Cyber Crime Unit of the National Crime Agency, but this hasn’t been confirmed.
I will confess that I was unaware registering the domain would stop the malware until after i registered it, so initially it was accidental.
— MalwareTech (@MalwareTechBlog) May 13, 2017
Marcus Hutchins stopped WannaCry using a URL spotted within the malware’s code. From this long URL, Hutchins discovered the viruses’ domain name inside the malware’s code and registered it with internet services. As WannaCry spread, the virus and its code would repeatedly ping the domain name to see if it was live. All the while it was inactive, the virus would continue to spread. However, once the domain name was registered and activated, WannaCry could no longer spread in the same fashion and at such speeds. Hutchins said at the time he didn’t know for definite that was going to happen until it did.
At the time, many researchers expressed surprise that the hackers would even enable a “kill switch”, making its ransomware vulnerable. Hutchins believes the switch was added so hackers could shield the ransomware from security experts. When analysing the spread of malware, researchers typically test it in “sandbox” environments to trick the particular malware into thinking it’s in the real world. By adding this URL query, the malware would know it was being tricked and avoid being cornered. The cost of registering the domain was just $10.
It didn’t eradicate the virus completely because there are different variants of the malware (with different kill switches), and there is the potential to make more.
Following reports of his detainment, Hutchins was believed to have been taken to the Henderson Detention Center in Nevada on Thursday before being moved to a different, unknown location.