WannaCry Hero Arrested on Kronos Malware Charges

In a stunning twist, U.S. authorities this week arrested a British cyber-researcher credited with stopping the spread of the WannaCry ransomware virus on charges he helped develop and deploy the Kronos banking trojan that attacked financial institutions around the world in 2014.

Following a two-year investigation, a federal grand jury in Wisconsin last month handed down a six-count indictment against Marcus Hutchins, a resident and citizen of the UK who operated under the name “Malwaretech,” according to U.S. Attorney Gregory Haansted, who oversees the Eastern District of Wisconsin.

Hutchins was arrested Wednesday at the McCarran International Airport in Las Vegas, where he had been attending the Def Con hacking conference. The charges include one count of conspiracy to commit computer fraud and abuse, three counts of distributing and advertising an electronic communication interception device, one count of endeavoring to intercept electronic communications, and one count of attempting to access a computer without authorization.

Origin Story

Hutchins created the Kronos malware, prosecutors have alleged.

A video showing the functionality of the Kronos banking trojan was posted to a publicly available website in July 2014, according to a copy of a sealed indictment the U.S. District Court posted July 12.

A defendant, whose name is blacked out, used the video to show how Kronos worked, the indictment says. A defendant, again with the name blacked out, offered to sell the Kronos banking trojan for US$3,000.

Defendants whose names were blacked out updated the Kronos malware early 2015, according to the indictment. In April of that year, a defendant with a name blacked out allegedly advertised the malware on the AlphaBay market forum.

In June 2015, a version of the Kronos malware was sold on the forum for $2,000 in digital currency. In July 2015, a defendant with the name blacked out offered “cryptying” services for Kronos — that is, computer code used to shield the malware from antivirus software, the indictment states.

Kronos was an ongoing threat; in late 2016, the Kelihos botnet was observed trying to load Kronos using an email phishing campaign. A Russian national, Peter Yuryevich Levashov, 36, was arrested in Barcelona this April on U.S. federal charges related to his alleged operation of Kelihos.

The Justice Department last month announced that AlphaBay, which is considered the largest criminal marketplace on the dark Web, was shut down following an international investigation. Alpha Bay had been used to sell everything from fentanyl and heroin to weapons, chemicals, stolen identification documents and hacking tools.

Authorities last month arrested Alexandre Cazes, a Canadian national living in Thailand, on charges he helped create and administer the site, but he reportedly took his own life while in Thai custody.

Arrest Fallout

Hutchins this spring was hailed as an international hero after he located the kill switch to end the WannaCry ransomware attack that had locked up thousands of computers across the globe.

However, his arrest does not appear to be directly related to WannaCry, said Mark Nunnikhoven, vice president of cloud security at Trend Micro.

The current case is particularly interesting because the charges indicate the arrest is based on the creation of Kronos, not its use, he said.

“Basically, it’s saying that the only possible use of the software was malicious,” Nunnikhoven told the E-Commerce Times.

Additional activity has been detected related to the WannaCry ransomware attack, specifically that the bitcoin wallet used in the attack had been emptied, noted James Pleger, managing director of global threat intelligence at Kudelski Security.

“This came as a bit of a surprise, considering that many criminals try to cash out as quickly as possible,” he told the E-Commerce Times.

The delay may have been related to the scrutiny investigators placed on the attack early on, Pleger said — and on a more ominous note, added that it may indicate that the same hackers could be ready for a new attack using different methods.

A spokesperson for the U.S. attorney in Wisconsin was not immediately available for comment. The FBI referred all questions on the case to the DoJ.

David Jones is a freelance writer based in Essex County, New Jersey. He has written for Reuters, Bloomberg, Crain's New York Business and The New York Times.

1 Comment

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

E-Commerce Times Channels