Data Loss Prevention (DLP) , Fraud Management & Cybercrime , Governance & Risk Management

WannaCry 'Hero' Pleads Not Guilty, Allowed Back Online

Marcus Hutchins Can Work, But Not Touch WannaCry's Sinkhole
WannaCry 'Hero' Pleads Not Guilty, Allowed Back Online
Marcus Hutchins, pictured July 26 while attending the Black Hat conference in Las Vegas. (Photo: NorthSec)

The British security researcher credited with stopping the WannaCry ransomware outbreak pleaded not guilty Monday to charges that he developed and sold a type of malicious software that steals online banking credentials.

See Also: Defining a Detection & Response Strategy

Marcus Hutchins, 23, pleaded not guilty on six counts. He will remain free after posting $30,000 bond, but he must wear a GPS location-monitoring device. He can also travel to Los Angeles, the headquarters of his employer, Kryptos Logic, and use the internet. But authorities will keep his U.K. passport.

"There are a lot of people I'd like to thank for amazing support over the past 11 days, which I will do when I get a chance to publish my blog," Hutchins writes in two tweets on Twitter. "I'm still on trial, still not allowed to go home, still on house arrest; but now I am allowed online. Will get my computers back soon."

Hutchins was a respected but relatively anonymous computer security researcher writing quite technical tweets under the handle @malwaretechblog. That changed in May when he was researching the WannaCry ransomware outbreak (see WannaCry Ransomware Outbreak Spreads Worldwide).

Hutchins accidently discovered a so-called "kill switch" in the ransomware - a domain name encoded in WannaCry's code. Hutchins registered the domain, then discovered later that WannaCry would stop running on a computer if the domain was live.

Hutchins then redirected the domain to a "sinkhole," or another domain with instructions on how to remove the remains of the ransomware (see WannaCry Outbreak: Microsoft Issues Emergency XP Patch).

His good deed dissolved his tenuous anonymity. Hutchins gracefully handled a flood of media attention, suddenly becoming the person who single-handedly halted the worst mass ransomware attack on record. More than 300,000 computers in 150 countries were infected.

One restriction imposed by the court on Hutchins is that he cannot access the server that serves as WannaCry's sinkhole, according to the arraignment document.

Kronos Author?

Hutchins was arrested at McCarren International Airport in Last Vegas on Aug. 2 after attending the Black Hat and Defcon security conferences. Prosecutors in federal court in Wisconsin accused him of having a role in creating Kronos, a type of online banking malware.

According to the indictment, Hutchins "created" the Kronos malware. A co-defendant, whose name is redacted from the indictment, allegedly sold a version of Kronos in June 2015 on the now-defunct AlphaBay market for $2,000 in virtual currency. AlphaBay was an online bazaar for mostly illegal goods that was recently shut down by law enforcement (see Darknet Marketplace AlphaBay Offline Following Raids).

Hutchins had his first appearance in federal court in Las Vegas on Aug. 4. At that hearing, Assistant U.S. Attorney Dan Cowhig said "in his interview following his arrest, Mr. Hutchins admitted that he was the author of the code that became the Kronos malware and admitted that he had sold that code to another," according to a transcript posted online by the publication Vice.

Cowhig went on to say that the U.S. government will present evidence of chat logs that allegedly show Hutchins agreeing to split the proceeds of the sale of Kronos with an associate. The logs also allegedly show that Hutchins "complains about the amount of money that he received for the sale of the banking trojan."

The associate "is the person from whom the law enforcement agents purchased the Kronos Trojan on AlphaBay as specified in the indictment," the transcript says.

Co-Defendant Leaked?

The identity of Hutchins' co-defendant has not been publicly released, and it's unknown if the person has been arrested. But Hutchins' court file showed what might be a new surname affiliated with the indictment.

Documents related to U.S. federal court cases are indexed online on PACER, which is short for Public Access to Court Online Records. When looking up a case, PACER shows a summary, extracting the surnames of defendants. It also shows the criminal case number, when the case was originally filed and the date of the last document filed.

Although the case was tagged as "sealed" earlier - the term for when information related to a case has been deemed too sensitive to release - on Monday it showed this: 2:17-cr-00124-JPS-NJ All Defendants USA v. Tran et al.

The format for cases is usually USA v. [defendant surname]. If that is indeed the last name of Hutchins' co-defendant, it would be a leak. But it is possible that "Tran" might have been generated in error. The last two documents in Hutchins' Nevada file in Pacer are titled "Transmittal" and "Transcript."

October Trial

Hutchins is scheduled for trial on Oct. 23, according to his arraignment document. He is represented by Brian Klein and Marcia Hoffman, an attorney who is special counsel for the Electronic Frontier Foundation.

In a video taken outside federal court Monday in Milwaukee, Hoffman characterized Hutchins as "a brilliant young man and a hero."

"He is going to vigorously defend himself against these charges, and when the evidence comes to light, we're confident that he will be fully vindicated," she says in the video, posted on Twitter by Vice.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.