| Marcus Hutchins | |
|---|---|
| Born | 1994 (age 29–30), Bracknell, England |
| Other names | MalwareTech |
| Occupation | Computer security researcher |
| Known for | Discovering WannaCry kill switch |
| Website | malwaretech |
Marcus Hutchins (born 1994), also known online as MalwareTech, is a British computer security researcher known for stopping the WannaCry ransomware attack. [1] [2] He is employed by cybersecurity firm Kryptos Logic. [3] [4] Hutchins is from Ilfracombe in Devon. [5]
Hutchins is the elder son of Janet Hutchins, a Scottish nurse, and Desmond Hutchins, a Jamaican social worker. Around 2003, when Hutchins was nine years old, his parents moved the family from urban Bracknell, near London, to rural Devon. [6] Hutchins had shown an early aptitude for computers and picked up simple hacking skills early on, such as bypassing security on school computers to install video game software. [6] In addition, he spent time training to be a surf lifeguard. [6]
He became involved with an online forum that promoted malware development, more as a means for members to show off their skills to each other than for nefarious purposes. When he was about 14 years old, he created his own contribution, a password stealer based on Internet Explorer's AutoFill feature, which was met with approval by the forum. He spent so much of his time with this community that his schoolwork began to suffer. [6] When the school's systems were compromised, the school authorities claimed Hutchins was the culprit. Though he denied any involvement, the school permanently banned him from using its computers, which pushed Hutchins to skip school more often and spend more time in the malware forums. [6]
At around this time, the original malware forums had been closed, and Hutchins moved to another hacker community, HackForums. In this new forum, members were expected to show more skill by demonstrating possession of a botnet. Hutchins, 15 years old at the time, successfully built an 8,000-computer botnet for HackForums by tricking BitTorrent users into running his fake files, giving him control of their machines. [6] From this exploit, Hutchins saw financial opportunities for his hacking skills, though at the time he did not feel these were tied to any type of cybercrime, as he stated in a 2020 interview. [6] These activities included setting up "ghosted" web hosting for others on HackForums for "all illegal sites" except child porn, and creating custom malware, often based on evaluating how others' rootkits operated. [6]
According to Hutchins in later interviews and in his plea agreement, when he was around 16, having gained a reputation in hacking circles for his custom malware, he was approached by an online entity he knew only as "Vinny", who asked him to write a well-maintained, multifaceted rootkit that could be sold on multiple hacker marketplaces, with Hutchins to be paid half of the profits of each sale. Hutchins agreed, and by mid-2012, had completed writing UPAS Kit, named after the poisonous upas tree. [6] During this period, Hutchins had once complained in his conversations with Vinny about the lack of good weed in the country. Vinny asked for his address, which Hutchins gave, and later on his 17th birthday, he received a package full of various recreational drugs. [6] Sales of UPAS Kit earned Hutchins thousands of dollars through bitcoin, allowing him to drop out of school and live a comfortable life, though he kept the nature of his work secret from his family. [6]
Vinny shortly came back to Hutchins to ask him to write UPAS Kit 2.0, specifically adding keylogging and web injects for browser form pages. At this point, Hutchins recognized that these features were likely intended for targeting financial transactions on bank websites, and thus that he would be enabling cybercrime if he wrote the update. [6] Hutchins told Vinny that he refused to write such code, but Vinny held over him the fact that he knew Hutchins' date of birth and address from his earlier gift of recreational drugs, and was willing to give that information to the FBI if Hutchins did not cooperate. [6] Hutchins reached an agreement to add the keylogging to UPAS Kit 2.0 but left out anything to do with web injects; the work took another nine months to complete.
After this, Vinny told him that he had hired another programmer to update UPAS Kit with the web injects, and now wanted Hutchins and this programmer to work together to combine the code into a single package. Though he was ethically torn on the decision, Hutchins opted to continue working with Vinny, at least to make sure he got paid for the work he had already done, though he procrastinated as much as he could. [6] The new code was completed by June 2014, and as Vinny started selling it on the dark web he renamed UPAS Kit 2.0 to Kronos, after the Greek Titan of mythology. [6]
Hutchins had entered community college and was struggling between completing his last year of coursework and the fixes to Kronos demanded by Vinny, further complicated by a drug addiction he had developed while working on Kronos. [6] During this time, he met a person he knew as "Randy" online through hacking forums. Randy, who was based in Los Angeles, had been seeking a banking rootkit like Kronos; Hutchins did not mention his connection to it, but their longer conversations revealed that Randy had more philanthropic goals. Hutchins offered to help Randy trade bitcoin. However, a power failure one night caused Hutchins to lose more than US$5,000 of Randy's bitcoin, and in exchange, Hutchins revealed his connection to Kronos and offered Randy a free copy. After they had completed that deal, Hutchins realized the mistake he had made in revealing this to a stranger, and started to fear he would be approached by law enforcement. [6]
Hutchins graduated from community college in 2015 and quit drugs cold turkey. He put off requests from Vinny for updates to Kronos, claiming he was busy with schoolwork, until soon the requests stopped, as did any further payments from Vinny. [6] After several months of dread, he decided to start an anonymously written blog on deep analysis of malware that he called MalwareTech, drawing on what he had learned evaluating others' rootkits and his own work on UPAS Kit and Kronos, though he said nothing of his connection to these rootkits. [6] As new rootkits appeared, Hutchins reverse engineered them and wrote up the details on MalwareTech, covering the Kelihos and Necurs botnets among others, and wrote his own botnet tracking service that could join a botnet and monitor what operations its controllers were carrying out. [6] His writings drew the interest of Kryptos Logic's CEO Salim Neino, who offered the writer a job.
Hutchins accepted; while still working from Ilfracombe, he would reverse engineer new botnets and provide the detailed information to Kryptos Logic, while writing up the high-level functionality he had discovered on MalwareTech, and Kryptos Logic would monitor the botnets for ongoing cybersecurity threats. [6] Through this relationship, Hutchins' reputation under his MalwareTech identity grew; a former NSA hacker called him a "reversing savant", though only a few associates at Kryptos knew his true identity. [6] Hutchins and Kryptos Logic were instrumental in stopping one offshoot of the Mirai botnet/distributed denial of service (DDoS) attack in 2016 that had hit Lloyds Bank, [7] [8] as Hutchins, once he had tracked down the hacker behind it, was able to draw on his own experiences to persuade him to stop the botnet. [6]
The WannaCry ransomware attack had started around 12 May 2017; using an exploit in Microsoft Windows' Server Message Block, it quickly spread from its initial point of injection believed to be in North Korea to over 230,000 computers in 150 countries within the day. Computers infected were seemingly locked out from use and could be unlocked only if the user sent a quantity of Bitcoin to a given account. [9] [10]
Hutchins had become aware of WannaCry on the afternoon of 12 May, and though he had been on vacation, he began reverse engineering the code from his bedroom. He discovered that the malware was tied to an odd-looking domain name, suggesting the malware would be part of a command-and-control structure common to botnets, but to his surprise, the domain name was not registered. He quickly registered the domain and set up servers at Kryptos Logic behind it to act as honeypots, allowing them to track the infected computers. While the WannaCry worm continued to spread over the next few hours, security researchers found that, because Hutchins had registered the domain name when he did, WannaCry would not execute further, so the domain effectively became the worm's kill switch. [6] [11] Hutchins and Kryptos, along with the UK's National Cyber Security Centre, spent the next several days defending the honeypot servers against additional DDoS attacks, some launched by ongoing Mirai botnets, so as to make sure the kill switch remained active while Microsoft and other security workers rushed to patch the exploit in the Server Message Block and issue the fix to end users. [6] [12] [13] A separate effort by French cybersecurity researchers found a method to unlock and decrypt affected computers without having to pay the ransom. [14]
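The reason registering the domain let Kryptos Logic track infected machines is that every infected host performs the kill-switch lookup before deciding whether to run further, so the resolver and sinkhole logs become an inventory of hosts that have the worm and still need patching. The following added example, which is not code from the article or from Kryptos Logic, shows the defender-side half of that: it parses constructed resolver query-log lines and reports which client addresses asked for the kill-switch domain, how many times, and when first seen. The domain name, the log format and the addresses are all placeholders invented for this example; the real kill-switch domain is deliberately not reproduced.

```python
import re

# Placeholder standing in for the registered kill-switch domain (assumption; not the real domain).
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed resolver query-log lines in a simplified format:
#   <timestamp> client <ip>#<port> query: <qname> IN <qtype>
# Includes a repeat from the same host, a trailing-dot/mixed-case variant, an unrelated
# query and a malformed line, so the parser's edge cases are exercised.
SAMPLE_LOG = """\
2017-05-12T15:07:42Z client 10.20.30.40#51234 query: killswitch-placeholder.example IN A
2017-05-12T15:07:43Z client 10.20.30.41#40111 query: www.example.org IN A
2017-05-12T15:07:45Z client 10.20.30.40#51240 query: killswitch-placeholder.example IN A
2017-05-12T15:08:01Z client 192.168.5.7#53022 query: KillSwitch-Placeholder.example. IN A
this line is garbage and must be skipped
2017-05-12T15:08:09Z client 10.20.30.41#40120 query: mail.example.org IN MX
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<ip>[0-9a-fA-F.:]+)#\d+ query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)$"
)


def normalise_name(name):
    """DNS names are case-insensitive and may carry a trailing dot; compare them canonically."""
    return name.rstrip(".").lower()


def parse_line(line):
    """Return a dict with ts, ip, qname, qtype for a well-formed line, else None."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    record = match.groupdict()
    record["qname"] = normalise_name(record["qname"])
    return record


def kill_switch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Map each client IP that queried the kill-switch domain to its first-seen time and count.

    A host appearing here has run the worm's pre-execution check, so it is infected (or was
    probed by it) and should be isolated and patched, even though the payload did not proceed.
    """
    wanted = normalise_name(domain)
    hits = {}
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None or record["qname"] != wanted:
            continue
        entry = hits.setdefault(record["ip"], {"first_seen": record["ts"], "count": 0})
        entry["count"] += 1
    return hits


def report(hits):
    """Render the hit table as one line per host, sorted by address."""
    return "\n".join(
        f"{ip}  first_seen={info['first_seen']}  lookups={info['count']}"
        for ip, info in sorted(hits.items())
    )


if __name__ == "__main__":
    print(report(kill_switch_lookups(SAMPLE_LOG)))
```

In a real deployment the same aggregation would run over the sinkhole web server's access log rather than a resolver log, and the output would feed a remediation list; the point of the example is that a kill switch stops the payload but does not remove the infection, so the lookups are the signal that patching is still outstanding on those hosts.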
Hutchins' work, as MalwareTech, to stop WannaCry was highly praised, but this led to the press uncovering the identity behind MalwareTech in the days that followed. [15] [16] Hutchins tried to avoid the press, including the more invasive tabloids that had published his name and address alongside the MalwareTech name, [17] though he did agree to a single Associated Press interview under his real name, trying to defuse the "hero" image he had been given. [18] In this coverage, he kept his past history quiet, simply stating that he got his job with Kryptos Logic based on his software skills and the MalwareTech blog hobby he developed during school. [17] He gained a kind of celebrity status within the cybersecurity world for his actions against WannaCry, and plans were made for him to attend the 2017 DEF CON cybersecurity conference in Las Vegas that August. [6]
On 3 August 2017, Hutchins was arrested by the FBI as he was preparing to return to England from DEF CON on six hacking-related federal charges in the U.S. District Court for the Eastern District of Wisconsin for creating and spreading Kronos in 2014 and 2015. [19] [20] [21] Based on documents obtained by Vice through Freedom of Information Act requests, the FBI had tied Hutchins to Kronos after they had seized the assets of AlphaBay in July 2017, where they found evidence of at least one sale of Kronos. [22] The FBI had obtained copies of his conversations with Randy from another dark web server seizure prior to AlphaBay to prove his connection to the software, [22] which he confessed to while questioned. [6]
Hutchins was kept in a Las Vegas jail overnight after calling Neino about his plight. Neino alerted his own associates, which set off a chain of alerts across the cybersecurity community about Hutchins' situation, though many mistakenly believed that the arrest was due to the WannaCry attacks. A large number of cybersecurity workers and hackers rallied to his aid to help make Hutchins' bail, though as some of the contributions included stolen credit cards and bitcoin, it raised further suspicions on Hutchins' activities; ultimately, Tarah Wheeler and her husband Deviant Ollam were able to front the bail money and help find Hutchins a place in Los Angeles to live as he was barred from leaving the country. [6]
At his arraignment, he pleaded not guilty to the charges, and was put under house arrest in Los Angeles, initially with strict curfew limits and GPS monitoring, but these were lifted after a few months. [23] [24] Hutchins had intended his "not guilty" to be used as part of a plea bargain with the FBI, rather than to deny any involvement with Kronos, though some in the hacker community took this as his denial, and vocally fought for Hutchins' release on this claim. [6]
In early 2018, the FBI began to negotiate with Hutchins as they desired information he had on Vinny and several other hackers that he knew, offering to reduce his sentence to a zero-prison term. Hutchins could not provide any significant information about Vinny, and did not want to reveal information on the other hackers, refusing the offer. [6] The FBI added four charges to his indictment by June 2018, which Hutchins was told by his lawyers was in response to refusing their offer. [25]
On 19 April 2019 Hutchins pleaded guilty to two of the ten charges, conspiring to commit wire fraud, as well as distributing, selling, promoting, and advertising a device used to intercept electronic communications. [26] His statement included the quote "I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes." [27] Hutchins faced up to five years in prison and $250,000 in fines for the two charges. [28] On 26 July 2019, Judge Joseph Peter Stadtmueller sentenced Hutchins to time served and one year of supervised release, recognizing that Hutchins had "turned the corner" from using his skills for criminal purpose into beneficial uses well before he had faced justice. [29] [6]
According to a 2020 Wired profile, Hutchins stated that while he preferred to stay in Los Angeles, he expected following the year of supervised release he would be deported back to the United Kingdom, as he had long overstayed his travel visa. [6]
Cybercrime encompasses a wide range of criminal activities that are carried out using digital devices and/or networks. These crimes involve the use of technology to commit fraud, identity theft, data breaches, computer viruses, scams, and other malicious acts. Cybercriminals exploit vulnerabilities in computer systems and networks to gain unauthorized access, steal sensitive information, disrupt services, and cause financial or reputational harm to individuals, organizations, and governments.
Ransomware is a type of cryptovirological malware that permanently blocks access to the victim's personal data unless a ransom is paid. While some simple ransomware may lock the system without damaging any files, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and difficult-to-trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.
Trustwave is an American cybersecurity subsidiary of The Chertoff Group. It focuses on providing managed detection and response (MDR), managed security services (MSS), database security, and email security to organizations around the globe.
ZeroAccess is a Trojan horse computer malware that affects Microsoft Windows operating systems. It is used to download other malware on an infected machine from a botnet while remaining hidden using rootkit techniques.
The CryptoLocker ransomware attack was a cyberattack using the CryptoLocker ransomware that occurred from 5 September 2013 to late May 2014. The attack utilized a trojan that targeted computers running Microsoft Windows, and was believed to have first been posted to the Internet on 5 September 2013. It propagated via infected email attachments, and via an existing Gameover ZeuS botnet. When activated, the malware encrypted certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displayed a message which offered to decrypt the data if a payment was made by a stated deadline, and it threatened to delete the private key if the deadline passes. If the deadline was not met, the malware offered to decrypt data via an online service provided by the malware's operators, for a significantly higher price in bitcoin. There was no guarantee that payment would release the encrypted content.
GameOver ZeuS (GOZ), also known as peer-to-peer (P2P) ZeuS, ZeuS3, and GoZeus, is a Trojan horse developed by Russian cybercriminal Evgeniy Bogachev. Created in 2011 as a successor to Jabber Zeus, another project of Bogachev's, the malware is notorious for its usage in bank fraud resulting in damages of approximately $100 million and being the main vehicle through which the CryptoLocker ransomware attack was conducted, resulting in millions of dollars of losses. At the peak of its activity in 2012 and 2013, between 500,000 and 1 million computers were infected with GameOver ZeuS.
Monero is a cryptocurrency which uses a blockchain with privacy-enhancing technologies to obfuscate transactions to achieve anonymity and fungibility. Observers cannot decipher addresses trading Monero, transaction amounts, address balances, or transaction histories.
Lazarus Group is a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them between 2010 and 2021. Originally a criminal group, the group has now been designated as an advanced persistent threat due to the intended nature, threat, and wide array of methods used when conducting an operation. Names given by cybersecurity organizations include Hidden Cobra and ZINC or Diamond Sleet. According to North Korean defector Kim Kuk-song, the unit is internally known in North Korea as 414 Liaison Office.
Tarah Marie Wheeler is an American technology and cybersecurity author, public speaker, computer security professional, and executive. She is currently CEO of Red Queen Dynamics and Senior Fellow of Global Cyber Policy at the Council on Foreign Relations, and she is the author of Women in Tech.
The WannaCry ransomware attack was a worldwide cyberattack in May 2017 by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. It propagated by using EternalBlue, an exploit developed by the United States National Security Agency (NSA) for Windows systems. EternalBlue was stolen and leaked by a group called The Shadow Brokers a month prior to the attack. While Microsoft had released patches previously to close the exploit, much of WannaCry's spread was from organizations that had not applied these, or were using older Windows systems that were past their end-of-life. These patches were imperative to cyber security, but many organizations did not apply them, citing a need for 24/7 operation, the risk of formerly working applications breaking because of the changes, lack of personnel or time to install them, or other reasons.
EternalBlue is computer exploit software developed by the U.S. National Security Agency (NSA). It is based on a vulnerability in Microsoft Windows that, at the time, allowed users to gain access to any number of computers connected to a network. The NSA had known about this vulnerability for several years but had not disclosed it to Microsoft yet, since they planned to use it as a defense mechanism against cyber attacks. In 2017, the NSA discovered that the software was stolen by a group of hackers known as the Shadow Brokers. Microsoft was informed of this and released security updates in March 2017 patching the vulnerability. While this was happening, the hacker group attempted to auction off the software, but did not succeed in finding a buyer. EternalBlue was then publicly released on April 14, 2017.
Petya is a family of encrypting malware that was first discovered in 2016. The malware targets Microsoft Windows–based systems, infecting the master boot record to execute a payload that encrypts a hard drive's file system table and prevents Windows from booting. It subsequently demands that the user make a payment in Bitcoin in order to regain access to the system.
A series of powerful cyberattacks using the Petya malware began on 27 June 2017 that swamped websites of Ukrainian organizations, including banks, ministries, newspapers and electricity firms. Similar infections were reported in France, Germany, Italy, Poland, Russia, United Kingdom, the United States and Australia. ESET estimated on 28 June 2017 that 80% of all infections were in Ukraine, with Germany second hardest hit with about 9%. On 28 June 2017, the Ukrainian government stated that the attack was halted. On 30 June 2017, the Associated Press reported experts agreed that Petya was masquerading as ransomware, while it was actually designed to cause maximum damage, with Ukraine being the main target.
Kronos was a type of banking Windows malware first reported in 2014. It was sold for $7,000.
Hack Forums is an Internet forum dedicated to discussions related to hacker culture and computer security. The website ranks as the number one website in the "Hacking" category in terms of web-traffic by the analysis company Alexa Internet. The website has been widely reported as facilitating online criminal activity, such as the case of Zachary Shames, who was arrested for selling keylogging software on Hack Forums in 2013 which was used to steal personal information.
REvil was a Russia-based or Russian-speaking private ransomware-as-a-service (RaaS) operation. After an attack, REvil would threaten to publish the information on their page Happy Blog unless the ransom was received. In a high profile case, REvil attacked a supplier of the tech giant Apple and stole confidential schematics of their upcoming products. In January 2022, the Russian Federal Security Service said they had dismantled REvil and charged several of its members.
Ryuk is a type of ransomware known for targeting large, public-entity Microsoft Windows cybersystems. It typically encrypts data on an infected system, rendering the data inaccessible until a ransom is paid in untraceable bitcoin. Ryuk is believed to be used by two or more criminal groups, most likely Russian, who target organizations rather than individual consumers.
On May 7, 2021, Colonial Pipeline, an American oil pipeline system that originates in Houston, Texas, and carries gasoline and jet fuel mainly to the Southeastern United States, suffered a ransomware cyberattack that impacted computerized equipment managing the pipeline. The Colonial Pipeline Company halted all pipeline operations to contain the attack. Overseen by the FBI, the company paid the amount that was asked by the hacker group within several hours; upon receipt of the ransom, an IT tool was provided to the Colonial Pipeline Company by DarkSide to restore the system. However, the tool required a very long processing time to restore the system to a working state.