Hero WannaCry Researcher Charged over Links to Kronos Trojan

In-brief: A British researcher who became a hero after he stopped the WannaCry ransomware from spreading globally has been apprehended in Nevada and charged with distributing the Kronos banking trojan in the U.S. between July 2014 and July 2015.

Twenty-three-year-old Marcus Hutchins and a co-conspirator whose name has not been released are named in a newly unsealed grand jury indictment dated July 12th and issued by the U.S. District Court for the Eastern District of Wisconsin. Hutchins was taken into custody in Las Vegas on Wednesday, according to published reports. Hutchins, who was in Las Vegas attending the Black Hat and DEFCON cyber security conferences, was taken to the Henderson Detention Center in Nevada early on Thursday, but later transferred to another location, according to a report by Motherboard.

A U.S. official who spoke on the condition of anonymity, citing the ongoing criminal case, confirmed the arrest in Las Vegas to The Security Ledger and said that Hutchins could be arraigned as early as Thursday afternoon in court in Las Vegas. The official said she did not know the identity of Hutchins’ co-conspirator, whose information was redacted from the unsealed indictment, and could not say whether that person had also been taken into custody.

Hutchins was among the first to analyze the WannaCry malware on May 12th, 2017, after the ransomware began spreading rapidly worldwide, infecting scores of National Health Service (NHS) hospitals in the UK, where Hutchins lives. According to a blog post recounting his experiences, Hutchins recognized that a hard-coded domain in the code of WannaCrypt, the WannaCry ransomware, had not been claimed, and registered it as part of his research. He then set up a simple web site on the domain, unwittingly stopping the spread of WannaCry, which had been programmed to stop propagating when and if requests to the hard-coded domain resolved. Hutchins’ quick actions earned him praise for limiting the spread and damage of WannaCry.

The U.S. official said that the U.S. had been investigating the Kronos malware for years and that the arrest of Hutchins was wholly unrelated to WannaCry. “Kronos was a multi-year investigation that pre-dated WannaCry,” the official said.

While Hutchins achieved hero status for his work corralling WannaCry, his activities in recent years were not all altruistic. According to U.S. authorities, he is the author of the Kronos malware, maintained and updated the software, promoted it online and on at least one occasion sold a copy of the software for $2,000 in digital currency.

He is charged with a criminal conspiracy to distribute software that caused damage to computers, for “knowingly disseminating” technology used for “surreptitious interception of electronic communications,” and other related charges, according to a copy of the indictment.

Hutchins and his MalwareTechBlog (@MalwareTechBlog) are well-known within security circles and publish a wide range of in-depth technical information on malicious software.

The arrest prompted a swift response from fellow security researchers, who raised questions about Hutchins’ arrest and the lack of information on his whereabouts in the hours after he was taken into custody. Eva Galperin, the Director of Cyber Security at the Electronic Frontier Foundation, said via Twitter that her organization was trying to contact Hutchins. “This is the sort of thing that concerns us a lot,” she wrote.
