Remember the reluctant WannaCry hero?
WannaCry was ransomware that made big headlines in mid-2017 for two important reasons.
First, it was a true computer worm, or virus, that automatically propagated itself to the next guy, and the next guy…
…and so on, meaning that although it drew attention to itself very quickly, it was nevertheless able to spread far and fast.
SophosLabs estimated that it infected 200,000 computers in 150 countries within four days of showing up in the wild.
Second, WannaCry’s spreading mechanism used a exploit code known as ETERNALBLUE, allegedly developed by the US National Security Agency for secret intelligence-gathering purposes.
That exploit, along with many others, was subsequently stolen in a data breach at the NSA, offered for sale for a while at an outrageous price, and finally dumped for anyone to use for free around the start of 2017.
Microsoft pushed out a patch at the start of 2017 that effectively immunised everybody who applied it, but those who neglected or declined that update ended up at risk.
Enter our hero
Amongst the WannaCry panic, a youngster in the UK calmly analysed the virus and quickly spotted what turned out to be a “kill switch” in its programming.
He found a specific, weirdly named server in the code.
For reasons we shall probably never know, the crooks who wrote WannaCry hadn’t purchased the domain name for this server, so the youngster quietly registered the domain himself.
It turned out that if the ransomware could connect to this server, it would let you off and not scramble your files.
But if the call-home failed then the ransomware attack went ahead and you ended up facing a $300 extortion fee to get your files back.
In other words, when our soon-to-be-hero set up a webserver using the name he’d just registered, he turned on WannaCry’s safety valve.
Activating that “kill switch” almost certainly saved many innocent users from those pay-$300-in-Bitcoin-right-now demands and prevented plenty of global heartache.
At first, our hero kept a low profile, but he was soon identified by the UK media – to an understandably warm welcome – as Marcus Hutchins.
His disarming likeability made his initial reticence seem like little more than youthful shyness, but a more serious reason for him to have avoided the spotlight soon appeared.
Pitched suddenly into cybersecurity stardom, Hutchins was invited to attend the 2017 DEF CON hacker convention, so he jetted off to Las Vegas, Nevada, where the event is held.
Unfortunately for Hutchins, US law enforcement, in the form of the FBI, already had their eyes on him; indeed, it seems he’d been a “person of interest” to them for a while, despite his youth (he had just turned 23 at the time of his DEF CON trip).
The FBI had formed the opinion that Hutchins had not only written malware as a youngster but also sold it on, knowing that the purchasers wanted it for criminal purposes.
Writing viruses might not itself be a crime, in the US at least, but using malware to attack computers, steal data and make money is another matter.
Anyway, in the week or so that Hutchins was in Nevada, the Feds got their paperwork together, and at the last moment – apparently while he was waiting for his flight home at McCarran airport in Las Vegas – they showed up to arrest Hutchins and take him into custody.
Presumption of innocence
The initial reaction from many in the cybersecurity community was an efflux of scorn and hatred against American law enforcement.
Even amongst those who knew him only in passing or via his online presence, Hutchins was a hero who’d spent his own money on helping other people, so he was very widely assumed to be innocent, and the charges to be a pile of rot.
Investigative journalist Brian Krebs admits that he too wanted to believe in Hutchins’s innocence, but figured that he’d better dig into Hutchins’s background a bit before forming an opinion.
After three weeks of “joining the dots”, Krebs published a piece in which he said:
At first, I did not believe the charges against Hutchins would hold up under scrutiny. But as I began to dig deeper into the history tied to dozens of hacker forum pseudonyms, email addresses and domains he apparently used over the past decade, a very different picture began to emerge.
Admission of guilt
Hutchins pleaded not guilty at the outset of his case and managed to get bail, but had to hand over his passport and stay in the US.
And so things stood until last week, when Hutchins himself tweeted:
Statement About My Legal Case malwaretech.com/public-stateme…—
MalwareTech (@MalwareTechBlog) April 19, 2019
The article linked to by the tweet is short and simple:
As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security. I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.
This isn’t the typical sort of mea culpa we’ve seen in the past from cybercriminals.
Hutchins isn’t trying to blame his victims for not patching, for example; or to blame the operating system vendors for writing buggy code; or to blame the world in general for not paying attention to bug reports in the first place; or claiming that cyberattacks don’t really count because they don’t hurt anyone like violent crime does.
We’re aware, of course, that the words and structure of this terse and carefully formed statement were probably devised by Hutchins’s lawyers as a formal requirement of his plea arrangement…
…but in this case, we’re inclined to believe him.
He hasn’t been sentenced yet, so we can’t tell you what effect, if any, this statement will have.
Apparently the maximum jail time allowed for his offences is five years, but a lot of people in the cybersecurity community seem to be rooting for Hutchins to be treated leniently, even though he’s now officially a convicted cybercriminal.
We’re not expecting Hutchins to get away with a suspended jail term or a fine followed immediately by deportation to the UK, however effective such a sentence might sound.
After all, the US courts may want to establish a clear disincentive for other youngsters who are toying with the idea of a “career” that involves attacking the online lives of innocent victims with malware.
So we’re guessing that he’ll go to prison to serve some sort of custodial sentence, although we can’t see him getting a full five-year stretch, and given his guilty plea and his public admission of wrongdoing, we hope he doesn’t.
Hutchins does seem genuinely remorseful, and has even taken to Twitter with some wise advice for those following in his footsteps:
There's misconception that to be a security expert you must dabble in the dark side. It's not true. You can learn e… twitter.com/i/web/status/1…—
MalwareTech (@MalwareTechBlog) April 20, 2019
Have your say
What do you think he’ll get?
And what do you think he deserves, given that he’s now convicted of making and selling malware for criminal purposes?
Tell us in the comments below.