In a surprising turn of events, the FBI have arrested Marcus Hutchins, the WannaCry kill switch creator, in Las Vegas for allegedly creating and distributing the Kronos malware to steal banking logins from victims’ computers.
Hutchins, from Ilfracombe in Devon, who goes by the name of Malware Tech, became well-known earlier this year when he managed to find a kill switch for the WannaCry cyberattack that targeted countries such as the U.K., the U.S., Russia, Spain, France and Taiwan after a flaw in Microsoft Windows was exploited.
The flaw, known as EternalBlue, was a leaked National Security Agency (NSA) tool that hacker group Shadow Brokers had dumped online earlier this year. While a patch for it had been released by Windows, organizations running on older versions of Windows such as XP were failing to install the patch, leaving them vulnerable.
The cyberattack, which started in London, saw the U.K.’s National Health Service (NHS) affected by the ransomware. In England, 47 NHS trusts had issues while 13 NHS organizations in Scotland were also targeted.
However, 23-year-old Hutchins discovered a kill switch for the malware after he registered a domain name used by the malware, which prevented it from spreading. Labelled a hero, the cyber expert was reported to be working with the U.K.’s Government Communication Headquarters (GCHQ), a British intelligence and security organization, to prevent another cyberattack.
Now, though, in a new turn of events, Hutchins was arrested by the FBI at Las Vegas airport on his return to the U.K. after attending the Def Con and Black Hat events.
A statement from the U.S. Department of Justice (DoJ) said:
Marcus Hutchins … a citizen and resident of the United Kingdom, was arrested in the United States on 2 August, 2017, in Las Vegas, Nevada, after a grand jury in the Eastern District of Wisconsin returned a six-count indictment against Hutchins for his role in creating and distributing the Kronos banking Trojan.
The indictment focuses on his involvement in the creation of Kronos and the alleged advertising and selling of it on Internet forums such as the now-defunct dark web market AlphaBay, from July 2014 to July 2015.
The indictment, which was dated 12 July, also lists a second name; however, that has yet to be made public.
People on social media have come out claiming that Hutchins is being framed.
Yesterday, it was reported that the WannaCry bitcoin ransom had been moved after a Twitter bot @actual_ransom, which was set up to monitor WannaCry’s bitcoin addresses, detected movement.
However, if found guilty, Hutchins could face up to 40 years in prison, according to one U.S. lawyer.
Speaking to The Telegraph, Tor Ekeland, a U.S. lawyer who specializes in defending alleged cyber criminals, said:
The maximum statutory sentence he could face is decades, roughly 40 years. Would he get that? I doubt it, it would be a bizarre outcome. Is it possible? It sure is.
What is Kronos?
Kronos, which is a type of malware known as a Trojan, made its first appearance in July 2014 when it was advertised on a Russian underground forum for $7,000. Designed to disguise itself as legitimate software, Kronos was marketed as a way for hackers to steal bank login details.
According to the DoJ, Kronos has been ‘configured to exfiltrate user credentials associated with banking systems located in Canada, Germany, Poland, France, and the United Kingdom, among other countries.’