As Marcus Hutchins was on his way home to the UK after attending Def Con and Black Hat in Las Vegas, NV, the FBI arrested him. This event sparked immediate internet outcry, especially among the cybersecurity community, as Hutchins was better known as MalwareTech and had just made cybersecurity fame by stopping the WannaCry ransomware outbreak a few months prior. So, why did the FBI arrest a newly famous cybersecurity expert?
A look into the indictment that was unsealed as part of Marcus’s arrest provides the first clues. In the copy dated to August 2017, the same month as the arrest, the FBI leveled six charges against Marcus and a partner whose name was redacted. Those charges included the creation of the Kronos banking trojan. The investigation into Kronos itself began two or three years before the arrest. Most of the charges relate to the laws around computer crimes, naturally enough. The first charge in the indictment, however, is a charge of conspiracy.
The indictment claims that Hutchins and his partner conspired to create, advertise and sell the malware known as Kronos, all of which are violations of the Computer Fraud & Abuse Act (CFAA). This first charge also alleged that Hutchins alone created the Kronos malware and that his partner was brought in specifically to act as a middleman for the advertising and sale of the malware. A video posted in July of 2014 by Hutchins’s partner demonstrated the proof of concept for Kronos and advertised the malware for $3,000 USD.
The second charge brought against Hutchins and his partner was for violating a section of the Electronic Communications Protection Act (ECPA) that dealt with advertisement as a means of intercepting electronic, wire or oral communications.
The third charge was related to the same section, except that it specified the distribution of such means. It was the same for the fourth charge, which specified the sale of such means. It’s interesting to note here that the law is broad enough to apply equally to keyloggers, malware or even more analog methods of interception.
The fifth and sixth charges listed in this early indictment were for unauthorized interception of communications (also in the ECPA) and for the transmission of something in violation of the CFAA. The fifth charge seems to be alleging that by creating the Kronos malware, Hutchins and his partner were also able to collect the data that Kronos was designed to interact with. Meanwhile, the sixth charge boils down to alleging that by uploading Kronos and sending it to their buyers, Hutchins and his partner violated CFAA.
These six charges were enough for the FBI to gain a warrant for Hutchins’s arrest and imprisonment while the pre-trial pieces fell into place. Sometime between the arrest and Hutchins’s guilty plea filed in April of 2019, four additional charges were added, which seem to be widely regarded by cyber law writers online as spurious attempts to keep Hutchins imprisoned in the United States.
Kronos, in brief, is a banking trojan, a kind of malware that is designed to steal credentials for sale and use in accessing bank accounts for purposes of fraud and theft. Early reports of Kronos started popping up in the United States in 2015, and according to the later sentencing memorandum by Hutchins’s prosecution, the trojan was an upgraded form of another piece of malware called the “UPAS kit” that had originally been developed in 2012. A Cybersecurity and Infrastructure Security Agency (CISA) report included in the sentencing memorandum notes that hundreds of Kronos alerts were coming in every month on U.S. state and local government systems.
It’s noted by the judge for this case that the FBI’s attempt to quantify the loss and damages caused by Kronos failed. Kronos’s world-spanning spread means that it’s just too difficult to track the actual financial impact across borders, especially in countries that don’t have the same tracking capabilities as the United States or the United Kingdom might.
WannaCry: Discovery and Defanging
In order to understand the sentencing, it’s important to take into account Hutchins’s work with WannaCry. The WannaCry malware is a form of ransomware, a type of malware that is designed to encrypt the target system and then demand ransom (usually in Bitcoin) in order to gain the decryption key. In May of 2017, WannaCry made the news for encrypting the systems of 16 major London hospitals and locking staff out. The ransomware actors demanded $300 in Bitcoin as ransom to regain access to the systems. The hospitals were left unable to access medical records, causing many of the hospitals to cancel appointments. Other targeted systems included but were not limited to the rail system in Germany, government departments of Russia and the companies FedEx, Telefonica and Renault.
The WannaCry malware took advantage of a known vulnerability in Microsoft Windows by way of an exploit called EternalBlue, which researchers believe the NSA developed specifically to break through Windows security. Microsoft had released patches for the vulnerability a few months prior to the WannaCry outbreak; depending on the patch cycle of a company or organization, however, it’s very possible that the patch had not yet been applied.
Within a few hours of the ransomware outbreak hitting the news, Hutchins was actively analyzing the sample he had received from another researcher. One of the core parts of analyzing malware is to look at human-readable strings that may be contained within the code such as commands, URLs or filenames. Hutchins quickly found a URL during his analysis, and when he checked to see if it was registered, the domain wasn’t. So, he promptly registered it and put the information aside for later. According to a blog post that MalwareTech wrote on this, part of his usual work is to find these sorts of domains and register them with the intent of sinkholing botnets and other malware for data collection and research purposes.
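To illustrate the string-triage step described above, here is an added Python example (it is not code from the original article, nor MalwareTech’s own tooling). It pulls printable ASCII and UTF-16LE strings out of a byte blob, much as the `strings` utility does, then filters them for URLs and derives candidate domains an analyst would go on to check. The sample bytes, the domain `example-killswitch.invalid`, the file path and the mutex name are constructed placeholders, not WannaCry’s actual indicators.

```python
import re
from urllib.parse import urlparse

MIN_LEN = 6  # shortest run of printable characters worth reporting

# Constructed stand-in for a malware sample: binary junk around an ASCII URL,
# a UTF-16LE (Windows "wide") file path and an ASCII mutex-style name.
# None of these values are real WannaCry indicators.
SAMPLE = (
    b"\x00\x01\x7f\xfe"
    b"http://example-killswitch.invalid/"
    b"\x00\x00\x90\x90"
    + "C:\\constructed\\dropper.exe".encode("utf-16-le")
    + b"\x00\xff"
    b"Global\\constructed_mutex"
    b"\x00"
)

URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+(?:/\S*)?")


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return printable ASCII runs and UTF-16LE (wide) runs of at least min_len chars."""
    found = []
    # ASCII: a run of printable bytes 0x20..0x7e
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append(m.group().decode("ascii"))
    # UTF-16LE: each printable byte is followed by a NUL byte
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append(m.group().decode("utf-16-le"))
    return found


def find_urls(strings: list[str]) -> list[str]:
    """Collect every http(s) URL embedded in the recovered strings, in order."""
    urls = []
    for s in strings:
        urls.extend(URL_RE.findall(s))
    return urls


def candidate_domains(data: bytes) -> list[str]:
    """Hostnames an analyst would then look up (WHOIS/DNS), deduplicated, order kept."""
    seen = []
    for url in find_urls(extract_strings(data)):
        host = urlparse(url).hostname
        if host and host not in seen:
            seen.append(host)
    return seen


if __name__ == "__main__":
    for s in extract_strings(SAMPLE):
        print("string:", s)
    print("domains to check:", candidate_domains(SAMPLE))
```

The registration check that Hutchins performed next is a WHOIS or DNS lookup against each recovered hostname; that network step is deliberately left out so the example runs offline.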
Analysis of WannaCry continued, but by early afternoon Eastern time, other researchers had noted that the registration of the domain name had effectively defanged the malware. With the domain name registered, WannaCry’s propagation mechanism no longer worked, and further research showed that this also prevented new systems from being encrypted by the malware. Hutchins confirmed this with his own sample, and he noted in his blog post that the domain’s presence in the malware code was likely an attempt to evade sandboxes. If a query to the domain came back as registered, the malware would quit without executing the payload.
Completely unintentionally, Hutchins had stopped the WannaCry outbreak. The domain has since been handed off to Cloudflare, according to TechCrunch, and hasn’t gone down since.
It wasn’t all roses, though. As the weekend continued, researchers had already detected two new variants, only one of which was stoppable with a similar method. Patching the affected systems remained the only true solution to preventing WannaCry.
Sentencing and Release
In April of 2019, Hutchins’s defense filed his guilty plea with the court. In it, he pleaded guilty to two of 10 charges: Conspiracy to violate Title 18 §1030, better known as the CFAA, and a violation of Title 18 §2512 specific to the advertisement of the Kronos malware. The other eight charges, mostly relating to further violations of the CFAA and the ECPA, were to be dropped as part of the plea deal.
The sentencing memorandum filed by the prosecution pushed hard for prison terms and tried to use the impact of Kronos to justify that. The memorandum also argued that harsh punishment of Hutchins would serve as a deterrent to future malware writers and sellers. On the flip side, friends, colleagues and peers of Hutchins sent letters in support of him, arguing against a harsh sentence on the basis of the good he was capable of.
Sentencing hearing notes indicate that the sentencing guidelines for the case of USA v. Marcus Hutchins are as follows: up to 14 months imprisonment, up to three years supervised release and a maximum $40,000 fine. The government objected to this and tried again to justify a higher fine based on the sales of Kronos. In the end, however, the judge declined.
As part of the reasoning provided to the court for that decision, the judge directly compared Kronos’s impact with WannaCry. In short, it could be said that the net positive impact of stopping WannaCry vastly outweighed the harm caused by sales of Kronos. The end result is that the judge agreed with the sentencing guidelines and noted that because the case dragged on, Hutchins had been imprisoned for two years already, so he officially sentenced Marcus Hutchins to time served plus one year of probation within the United States.
The day his probation ended, Hutchins posted a celebratory tweet:
My probation officially ends today. So thankful for everyone who supported me during my case, and to the judge for seeing things the way he did. I was convinced I'd be spending the next few years in prison, but instead I was allowed to continue my security work.
— MalwareTech (@MalwareTechBlog) July 25, 2020
Without his work on WannaCry, however, it’s possible that Hutchins’s case would have ended very differently.
Documents submitted to the court and available to the public can be found here.