U.K. Researcher Who Stopped WannaCry Indicted in U.S. The indictment, filed on July 11 in Wisconsin District Court, says that 'Defendant Marcus Hutchins created the Kronos malware,' alongside another person.
This story originally appeared on PCMag
A researcher who played a role in halting the spread of the WannaCry ransomware has been indicted by U.S. authorities for allegedly creating the Kronos malware with another individual.
As Motherboard reports, U.K.-based researcher Marcus Hutchins, known online as MalwareTech, was arrested in Las Vegas this week, where he was attending the Black Hat and Defcon security conferences.
The indictment, filed on July 11 in Wisconsin District Court, says that "Defendant Marcus Hutchins created the Kronos malware," alongside another person, whose name has been redacted from the filing. Between July 2014 and July 2015, the two "intentionally cause[d] damage without authorization to 10 or more protected computers," it says.
A spokeswoman for the FBI's Nevada office referred PCMag to the Department of Justice, which did not immediately respond to a request for comment.
Hutchins made headlines in May when he stopped the spread of the WannaCry by accident. He noticed the ransomware "queried an unregistered domain, which I promptly registered." But WannaCry looks to connect to that unregistered domain. If it can't connect, "it ransoms the system," MalwareTech explained. If it connects to the domain, though, "the malware exits" and the system is not compromised. After the registration, WannaCry connected to the domain and was stopped in its tracks.
According to the indictment, Hutchins's alleged co-conspirator posted a video that demonstrated how the Kronos malware worked on July 13, 2014. The person then offered to sell the Kronos banking trojan for $3,000 "on an internet forum."
Hutchins reportedly helped this person update the Kronos malware in February 2015, after which it was advertised for sale on the (now-defunct) AlphaBay dark web forum. In June 2015, it sold for about $20,000 in digital currency, the indictment says.
As some have pointed out online, Hutchins requested a Kronos sample on the day the video in question went up.
Anyone got a kronos sample?
— MalwareTech (@MalwareTechBlog) July 13, 2014
Fellow researcher Andrew Mabbitt, who traveled to Las Vegas with Hutchins and several other colleagues, says he refuses to believe the charges. "He spent his career stopping malware, not writing it," Mabbitt says of Hutchins.
Mabbitt says he will be "crowdfunding legal fees soon." The Electronic Frontier Foundation, which often steps in to assist with cases like this, tweeted that it is "deeply concerned about security researcher Marcus Hutchins' arrest. We are looking into the matter, and reaching out to Hutchins."
