Marcus Hutchins, the 23-year-old British security researcher who was credited with stopping the WannaCry outbreak in its tracks by discovering a hidden "kill switch" for the malware, has been arrested by the FBI over his alleged involvement in another malicious software targeting bank accounts.
According to an indictment released by the US Department of Justice on Thursday, Hutchins is accused of having helped to create, spread and maintain the banking trojan Kronos between 2014 and 2015.
The Kronos malware was spread through emails with malicious attachments such as compromised Microsoft word documents, and hijacks credentials like internet banking passwords to let its user steal money with ease.
[...] Hutchins, better known online by his handle MalwareTech, had been in Las Vegas for the annual Def Con hacking conference, the largest of its kind in the world. He was at the airport preparing to leave the country when he was arrested, after more than a week in the the city without incident.
Grauniad source: Briton who stopped WannaCry attack arrested over separate malware claims
Also covered by the BBC: NHS cyber-defender Marcus Hutchins charged in US.
Update: Detention quickly turned to arrest and indictment. Also at NPR, Motherboard, and the L.A. Times.
Previously: "Biggest Ransomware Attack in History" Hits Around 100 Countries, Disrupts UK's NHS
WannaCrypt Ransomware Variant -- Lacking Kill Switch -- Seen in Wild [Updated]
Related Stories
NSA-created cyber tool spawns global ransomware attacks
From Politico via Edward Snowden via Vinay Gupta:
Leaked alleged NSA hacking tools appear to be behind a massive cyberattack disrupting hospitals and companies across Europe, Asia and the U.S., with Russia among the hardest-hit countries.
The unique malware causing the attacks - which has spread to tens of thousands of companies in 99 countries, according to the cyber firm Avast - have forced some hospitals to stop admitting new patients with serious medical conditions and driven other companies to shut down their networks, leaving valuable files unavailable.
The source of the world-wide digital assault seems to be a version of an apparent NSA-created hacking tool that was dumped online in April by a group calling itself the Shadow Brokers. The tool, a type of ransomware, locks up a company's networks and holds files and data hostage until a fee is paid. Researchers said the malware is exploiting a Microsoft software flaw.
One or more anti-virus companies may have been hacked prior to WannaCrypt infecting 75000 Microsoft Windows computers in 99 countries. First, anti-virus software like Avast fails to make HTTP connections. Second, five million of ransomware emails are rapidly sent. Although many centralized email servers were able to stem the onslaught, many instances of anti-virus software had outdated virus definitions and were defenseless against the attack. Indeed, successful attacks were above 1%. Of these, more than 1% have already paid the ransom. Although various governments have rules (or laws) against paying ransom, it is possible that ransoms have been paid to regain access to some systems.
Also, file scrambling ransomware has similarities to REAMDE by Neal Stephenson. Although the book is extremely badly written, its scenarios (offline and online) seem to come true with forceful regularity.
Further sources: BBC (and here), Russia Today, DailyFail, Telegraph, Guardian.
Telefónica reportedly affected. NHS failed to patch computers which affected US hospitals in 2016. 16 divisions of the UK's NHS taken offline with aid of NSA Fuzzbunch exploit. The fun of a public blockchain is that ransom payments of £415,000 have been confirmed. Cancellation of heart surgery confirmed. Doctors unable to check allergies or prescribe medication. Patient access to emergency treatment denied in part due to hospital telephone exchange being offline.
It also appears that one of the affected parties refused to answer a Freedom of Information request in Nov 2016 about cyber-security due to impact on crime detection. Similar parties provided responses to the same request.
[Update at 20170515_022452 UTC: Instructions for what to do on each affected version of Windows can be found at: https://www.askwoody.com/2017/how-to-make-sure-you-wont-get-hit-by-wannacrywannacrypt/ -- I've had excellent luck in the past following his advice on when and how to update Windows. Clear, hands-on instructions are a big win in my book. --martyb]
Previously: "Biggest Ransomware Attack in History" Hits Around 100 Countries, Disrupts UK's NHS.
tl;dr: If you have not already patched your Windows computer(s), you may be at risk from a new variant of the WannaCrypt ransomware worm which lacks a kill switch and was seen over the weekend. Sysadmins are preparing for a busy Monday when countless other users return to work and boot up their PC.
WannaCrypt (aka WCry), is a ransomware worm that wreaked havoc across the internet this past weekend. It disabled Windows computers at hospitals, telecoms, FedEx, and banks (among many others). Files on user's machines were encrypted and the worm demanded $300 or $600 worth of Bitcoin to decrypt (depending on how quickly you responded). Reports first surfaced Friday night and were stopped only because a researcher discovered a domain name in the code, which when registered, caused the malware to stop infecting new machines.
We're not out of the woods on this one. Not surprisingly, a variant has been seen in the wild over the weekend which has removed the domain check. Just because you may not have been hit in the initial wave of attacks does not necessarily mean you are immune.
Back in March, Microsoft released updates to Windows to patch vaguely-described vulnerabilities. Approximately one month later, a dump of purported NSA (National Security Agency) hacking tools were posted to the web. The WannaCrypt ransomware appears to be based on one of those tools. Surprisingly, the Microsoft patches blocked the vulnerability that was employed by WannaCrypt.
In a surprising move, Microsoft has just released emergency patches for out-of-mainstream-support versions of Windows (XP, 8, and Server 2003) to address this vulnerability.
Sources: Our previous coverage linked above as well as reports from the BBC Ransomware cyber-attack threat escalating - Europol, Motherboard Round Two: WannaCrypt Ransomware That Struck the Globe Is Back, and Ars Technica WCry is so mean Microsoft issues patch for 3 unsupported Windows versions.
What actions, if any, have you taken to protect your Windows machine(s) from this threat? How up-to-date are your backups? Have you tested them? If you are a sysadmin, how concerned are you about what you will be facing at work on Monday?
Independent journalist Marcy Wheeler has written a summary of the current state of the case against Marcus Hutchins. Marcus is also known online as MalwareTech and came into the spotlight last year for stopping another global outbreak of more Microsoft Windows malware.
In short, she covers the following five points about the case:
- Motion for a Bill of Particulars with respect to CFAA charges [...]
- Challenge to Seventh Count (CFAA) [...]
- Motion to dismiss the whole damn indictment [...]
- Motion to dismiss wiretapping because Congress never intended to charge foreigners with wiretapping and none of the rest of this happened in the United States [...]
- Motion to compel the identity of Randy [...]
Marcus was arrested last year after attending a security conference inside the US.
Earlier on SN:
Marcus Hutchins, WannaCry-Killer, Hit With Four New Charges by the FBI (2018)
Researcher Who Stopped WannaCry Ransomware Detained in US After Def Con (2017)
"Biggest Ransomware Attack in History" Hits Around 100 Countries, Disrupts UK's NHS (2017)
(Score: 4, Informative) by Anonymous Coward on Friday August 04 2017, @02:31PM (4 children)
Since it is a developing story, there are now many articles in the last half day. There will most likely be another wave of articles soon with fresh details once he is allowed an attorney.
(Score: 5, Funny) by Justin Case on Friday August 04 2017, @03:02PM (3 children)
Why should he be allowed an attorney? He was arrested, therefore he is a criminal.
Plus he is doing things we don't understand, so he's probably a terrorist. You don't support rights for terrorists, do you? Do you???
Finally, that "kill switch" was only intended for the controllers of the ransomware. That means he gained unauthorized access to a computer network, and used that access to deprive its masters of huge revenue potential.
Probably circumvented the copyright protection as well. Gitmo is too good for him!
(P.S. If he truly is responsible for having helped to create, spread and maintain a banking trojan, throw the book at him. Just not until he's convicted in open court with a fair trial, please.)
(Score: 0) by Anonymous Coward on Friday August 04 2017, @03:25PM
I'm not sure what's happened to the teaching of English, but "throw the book at them" means to charge someone with as many criminal charges as possible. Sentencing (and punishment) is a completely separate matter.
(Score: 2) by JoeMerchant on Friday August 04 2017, @03:48PM (1 child)
You forgot: he's a foreign national... alien, intruder, un-American, flight risk and a weirdo (well, you kinda covered the weirdo bit.)
🌻🌻 [google.com]
(Score: 0, Troll) by Ethanol-fueled on Saturday August 05 2017, @12:14AM
The White in him saved the internet, the Black in him committed computer crimes for money.
Call it a net-zero and release him as a nobody.
(Score: 5, Insightful) by BsAtHome on Friday August 04 2017, @03:26PM (18 children)
First lesson learned: do not travel to the US
Second lesson learned: see first.
This may be called hype or over the top, but it shouldn't have escaped anybody by now that the climate across the pond has become rather bad. The discomforts of immigration, TSA and security theater should make the risks of traveling to the US obvious to us all. The IETF already changed venue, it may be prudent for others to follow suit rather sooner than later.
(Score: 5, Insightful) by FatPhil on Friday August 04 2017, @03:46PM (8 children)
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 3, Funny) by PiMuNu on Friday August 04 2017, @03:57PM (3 children)
Ironically, the phrase "SJW signalling" is in itself "alt-right signalling". But by writing this, I am surely performing "SJW signalling" and "alt-right signalling". Proof that alt-right are SJWs!
(Score: 1, Insightful) by Anonymous Coward on Friday August 04 2017, @06:26PM
Close. The alt-right and SJWs are both authoritarian followers.
(Score: 0) by Anonymous Coward on Friday August 04 2017, @09:25PM
Proof that alt-right are SJWs!
And vice versa!
(Score: 2) by Phoenix666 on Saturday August 05 2017, @01:09AM
Dammit, I always get lost between the second and third iteration of these recursive rectal-cranial inversions...
Washington DC delenda est.
(Score: 4, Informative) by DeathMonkey on Friday August 04 2017, @05:04PM (3 children)
Tourism to the U.S. Has Been in Decline Since Trump Took Office [nbcnews.com]
You reap what you sow...
(Score: 2) by FatPhil on Friday August 04 2017, @06:53PM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 0) by Anonymous Coward on Saturday August 05 2017, @12:49AM (1 child)
Its been on the decline since GWB.
(Score: 3, Insightful) by caffeine on Saturday August 05 2017, @02:44AM
Perhaps it is related to requiring visitors to be fingerprinted to enter the country? That was a GWb initiative from memory.
(Score: 0) by Anonymous Coward on Friday August 04 2017, @04:04PM
More like "First lesson learned: don't touch the banks" because they're a higher class of criminal and they will destroy you.
(Score: 2) by epitaxial on Friday August 04 2017, @05:26PM
Maybe you should read some of the articles before typing. He was arrested in connection with a previous strain of ransomware. Also by strange coincidence the bitcoin wallets for the ransom payments were emptied after his arrest.
(Score: 2) by iWantToKeepAnon on Friday August 04 2017, @08:40PM (1 child)
"Happy families are all alike; every unhappy family is unhappy in its own way." -- Anna Karenina by Leo Tolstoy
(Score: 4, Insightful) by Justin Case on Friday August 04 2017, @09:36PM
Yeah that's all fine until that random day you get a ruler who thinks it's OK to grab strangers by the pussy.
I know, a crazy, contrived example, but just on the outlandish chance that it should happen in some alternate universe, would that now make pussy-grabbers "right" and grab-resisters "wrong"?
(Stop sucking authority's cock, useful idiot.)
(Score: 3, Informative) by frojack on Friday August 04 2017, @09:32PM (2 children)
And of course, the mere fact that he was arrested in the US means defacto that he must be innocent, right BsAtHome?
Had he been arrested in France, or Russia, there's at least a chance he was guilty, but not if he was arrested in the US.
No, you are mistaken. I've always had this sig.
(Score: 2) by takyon on Saturday August 05 2017, @04:11AM
If you are arrested for hacking in Russia, you are either anti-Putin, hacked the wrong Russian target, or didn't pay off the right people. It is a completely avoidable arrest for a hacker.
As has already been noted, traveling to the U.S. is your sin if you are a "security researcher". It's punishment for being stupid enough to set foot on U.S. soil (or even an ally with an extradition agreement).
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by Lester on Saturday August 05 2017, @10:56AM
Didn't USA know anything about the crime until he landed in USA? USA could have contacted with UK to run an investigation together. There are many international cybercrime investigations, pedophiles etc. I often read news like "In an international operation X men were arrested in Y countries". Why did USA keep secret the investigation until he came into USA? The first answer comes to my mind is: The have no convincing proofs to demand extradition, but USA will accept more loose courts and government proofs. Are they making up the case because they want to catch him for other reasons, like Julian Assange?.
That's sad to say form a country that once was considered the paradigm of liberty and the empire of law.
That's the current reputation of USA. Instead of complaining, it should wonder what has done to get it. I hope the conclusion is not "libertarian propaganda" or something like that.
On the other hand, you are right. Too soon to have an opinion.
(Score: 0) by Anonymous Coward on Saturday August 05 2017, @12:50AM (1 child)
(Score: 0) by Anonymous Coward on Saturday August 05 2017, @07:22PM
oh, stfu with your "law".
(Score: 4, Insightful) by Anonymous Coward on Friday August 04 2017, @03:27PM (1 child)
Since the US makes it a habit to arrest foreign attendees
of DEFCON, perhaps foreigners should consider meeting in a place that is has less risk to their freedom.
(Score: 2) by etherscythe on Friday August 04 2017, @03:33PM
.GOV is just demonstrating a security vulnerability in attendees: you're expected to be somewhere, you can therefore be targeted nearby! Don't be mad because they co-opted the spirit of the event...
"Fake News: anything reported outside of my own personally chosen echo chamber"
(Score: 2) by looorg on Friday August 04 2017, @03:48PM (3 children)
There used to be a competition at Defcon called 'spot the fed', don't know if that is still a thing. But it is clear that Hutchins didn't pay enough attention and failed. With that in mind then perhaps this is just the feds alternative - spot the hack, the winner or spotee (or whatever we should call them) will get to enjoy the wonders of 24/7 accommodations free on Uncle Sam - which may or may not include having your picture taken, a spiffy coverall in some easy to spot and hard to avoid colour, extreme physical contact and probing and many other gifts.
Back to the article. So if what is said is true then perhaps his actions to stop WannaCry wasn't all altruistic but instead a matter of trying to get rid of the competition?
(Score: 4, Insightful) by nobu_the_bard on Friday August 04 2017, @05:26PM
WannaCry was in May 2017. The alleged events were 2014 and 2015. Maybe he decided to get out of the malware spreading business before he got caught (or just matured a bit - he would have been about 20 during the alleged events) and moved to the other side of the equation.
(Score: 0) by Anonymous Coward on Friday August 04 2017, @05:39PM
No, AFAIK "spot the fed" has nothing to do with avoiding them (with the exception of not saying anything incriminating). Spotting the fed would not prevent him from getting caught at the airport (unless he was going to slip out of the country through another means).
(Score: 2) by frojack on Friday August 04 2017, @09:47PM
Why would it matter if he knew how to spot the fed?
It was a July 12 indictment. DEF CON 25 on was July 27-30,
They were waiting, warrant in hand, for him to show up for two weeks.
They probably sought the indictment the minute he signed up for DefCon.
His arrest was a certainty as soon as his plane was wheels down in the US.
He knows what he did, or didn't do in relation to the Kronos Malware.
He also probably knew he was being looked at. Word gets around. He came anyway.
Once you decide to walk into the trap it doesn't matter any more if you know what a fed looks like.
No, you are mistaken. I've always had this sig.
(Score: -1, Troll) by Anonymous Coward on Friday August 04 2017, @04:09PM (1 child)
Don't ever do any favors for anyone ever. All people are ungrateful niggers who will fuck you up the ass.
(Score: -1, Troll) by Anonymous Coward on Friday August 04 2017, @04:50PM
Some are niggers gonna fuck you up the ass, others are honkies gonna lynch your nigger neck.
(Score: 0) by Anonymous Coward on Friday August 04 2017, @06:11PM (8 children)
The claim that Hutchins spotted a hidden kill switch in WannaCry always sounded fishy. Perhaps he had some other familiarity with that code.
(Score: 4, Insightful) by Anonymous Coward on Friday August 04 2017, @06:31PM (5 children)
AFAIK, the claim wasn't that he spotted it, but that he accidentally activated it. Apparently, he registered the domain that WannaCry was pinging which somehow stopped it from working. You don't need any familiarity with the code to run Wireshark and register a domain.
(Score: 2, Interesting) by Anonymous Coward on Friday August 04 2017, @07:05PM (4 children)
You don't need familiarity. But knowing more about the code than you let on would certainly help you be first to register the domain, emerge as a internet security hero, and rake in some business.
(Score: 0) by Anonymous Coward on Friday August 04 2017, @07:34PM (3 children)
If you wanted to make money out of the security gig, why would you say, you oopsed into it?
Seems counter productive.
Doesn't really sell your skills to say "I was messing about with it and it fell apart, lol”
(Score: 0) by Anonymous Coward on Friday August 04 2017, @07:56PM (1 child)
Because you had to act fast to get the domain, which didn't leave time to plausibly deconstruct the code. The main goal is to get your name in the news.
(Score: 2) by frojack on Friday August 04 2017, @10:22PM
You don't have to deconstruct the code, you just have to know wireshark.
I imagine he might have an extensive tool set since this is what he did for a living.
No, you are mistaken. I've always had this sig.
(Score: 0) by Anonymous Coward on Friday August 04 2017, @08:17PM
If this was "legitimate" malware, why did the authors include such a dumb kill switch? You would use public-key cryptography and keep the private key secret.
(Score: 3, Insightful) by FakeBeldin on Friday August 04 2017, @09:12PM (1 child)
Perhaps </wild speculation>, but that has nothing to do with why he was detained.
He was detained in suspicion of connection to a banking trojan (Kronos).
Just to be clear: WannaCry was ransomware. Ransomware is not a banking trojan.
I also saw (can't find link now) a comment by a security chap stating that some of the things a security guy fighting malware would do in the normal course of events could look a lot like being a bad guy to someone not seeing the whole picture. For example, asking for a sample of a piece of malware -- kind of essential if you want to analyse it for weaknesses,... or if you want to buy it.
(Score: 1, Interesting) by Anonymous Coward on Friday August 04 2017, @09:49PM
Sure, it's all speculation. But it's also strange that so many WannaCry bitcoins moved [cointelegraph.com] right after Hutchins' arrest. If you read the grand jury indictment [npr.org], it seems like the feds nailed someone else for Kronos, and he/she is pointing the finger at Hutchins as the author. Hero syndrome [wikipedia.org] is a thing.
(Score: 0) by Anonymous Coward on Saturday August 05 2017, @07:26PM
"Hutchins is accused of having helped to create, spread and maintain the banking trojan Kronos between 2014 and 2015."
so what, you stupid pigs? now working on security related software is a crime because someone else, somewhere uses it for illegal purposes?