Transcript: Marcus Hutchins: A Controversial Hero
It was May 12, 2017 and something strange was happening online. In the early morning hours, a new ransomware started spreading in Asia. Without anyone clicking on a phishing link or opening a malicious email, thousands of computers were suddenly hijacked.
“Oops, your files have been encrypted!” reads an ominous message on every compromised computer’s screen: Pay 300 dollars in seven days – or lose your files forever. From Asia, the malware quickly spread to 150 countries all across the globe. More than two hundred thousand computers were attacked within hours. WannaCry made its debut on the world stage.
A ransomware/worm hybrid, it somehow duplicated itself and spread from one computer to another within seconds. Among the organizations hit hard by the malware were FedEx, Telefonica, Renault, and the Russian government. In the United Kingdom, a particularly vulnerable target was hit hard: the National Health Service, or NHS. The U.K.’s national health provider’s servers were infected, which paralyzed several major hospitals in the London metropolitan area. Hundreds of primary care organizations and GP practices were affected. Whole computers were encrypted, appointments and surgeries had to be postponed – an unprecedented attack on the fragile NHS. As the Independent put it back then – “Large-scale hack plunges hospitals across England into chaos”.
One doctor said to Sky News that “the hackers had stopped access to everything, including patients’ medical records. […] It could be potentially life-threatening.”
Prime Minister Theresa May went on TV. “This is not targeted at the NHS, it’s an international attack and a number of countries and organizations have been affected”, she stated, trying to assure the British people that everything was under control. It did little to ease the panic.
The Rise of Marcus Hutchins
He called himself MalwareTech. Born and raised in England, living in various sleepy small towns, Marcus Hutchins had a natural knack for everything electronic. He once managed to break through his school’s computer restrictions by utilizing a weakness in Microsoft Word that allowed him to run Visual Basic code using the word processor.
Later, Hutchins attended a local technical school, but he quickly found out that the school had nothing to offer him in terms of computer-science studies. Hutchins’s knowledge and skills continued to grow exponentially. After all, he had the best tutor: the internet.
But Marcus’s petty adventures on the internet brought him to the social circles of black and grey hat hackers. Talking to strangers on MSN forums, he started creating his own malware – like a password stealer that broke into the Internet Explorer AutoFill tool. Speaking years later with WIRED magazine, Hutchins said his motivations were not harmful or even mindful: “I just thought, this is a cool thing I’ve made”.
Hutchins was later suspended from school for allegedly initiating a cyber-attack on the institution’s servers. The more he was being drawn into the ghostly world of online hackers – the less attention he was giving his family, social circles – and academic life. On HackForums, a community of small-time hackers and up-to-no-good teenagers, he started writing malware for money. Not anything really dangerous – until he met a person who called himself Vinny.
Vinny hired Marcus to write a rootkit for him – a type of malware designed to provide the attacker with continued access to a computer, while concealing its existence from the user and other system processes. As you can imagine, writing a rootkit takes a considerable amount of skill and intimate knowledge of the operating system it targets, so the fact that Marcus managed to create a working rootkit when he was just 15 years old speaks volumes about his abilities.
The rootkit – named UPAS Kit – took nine months of work. Hutchins built the tool – and Vinny, his new, secretive partner, sold it online to other hackers and malignant parties. Hutchins received a 50 percent commission on all profits, paid in Bitcoin.
One interesting incident – told by Hutchins in his interview with WIRED – took place during their partnership. When Hutchins complained about the quality of marijuana sold in his part of England – Vinny asked for his date of birth and address. Without giving it too much thought, Hutchins gave him his real name and address. Vinny then sent him a special present for his 17th birthday: a box filled with a collection of recreational drugs like weed, ecstasy and mushrooms. Marcus didn’t think much of it back then: he actually found the gift appealing. But this incident proved disastrous for the young hacker’s life.
Some time later, Vinny asked for a new, improved version of UPAS – one that included Web injection capacities: the ability to manipulate the content of websites shown to the rootkit victims. This was much more serious and dangerous than anything Hutchins worked on before – as the most common use of such a technique is banking fraud. It is used to deceive people into giving away their bank login details and authorizing money transfers without their consent.
“I never knew definitively what was happening with my code,” said Hutchins in his interview with WIRED. “But now it was obvious. This would be used to steal money from people. This would be used to wipe out people’s savings”. That was a moral boundary that Hutchins wasn’t willing to cross. He wrote to Vinny: “I’m not fucking working on a banking Trojan”.
But this is when his rookie mistake came back to haunt him. Marcus didn’t know Vinny’s true identity – they never met in the real world – but Vinny had his. Vinny blackmailed him, threatening to reveal his true identity and turn him in to the authorities.
Hutchins partially caved in and agreed to build this new version of UPAS – without the web injection capacities. This malware, which was eventually marketed as KRONOS, named after the murderous Greek Titan, went online in June 2014.
A Step Toward the Light Side
Hutchins decided he had enough with the Dark Side. His troubling incident with Vinny caused him to turn his life around. He tried to apply for a job at the GCHQ – the British equivalent of the NSA. While the vetting process and the background check went on without a definitive answer – Marcus started entertaining himself by tracking botnets, groups of hijacked computers used by hackers for DDoS attacks or other illegal activities.
He started using his unique skills to reverse engineer botnets: examining them and mapping their weaknesses in order to track and derail their advance. “I was never trying to make a career out of it,” he said. “I was just kind of bored.”
The GCHQ job fell through, but in 2015 Marcus managed to catch the attention of Salim Neino, the CEO of Kryptos Logic – a cyber-security company based in Los Angeles. Neino offered Marcus a job – to which the young hacker agreed without hesitation.
“He was extremely talented,” Neino said in a later interview. “You can teach certain things, but in computer security, raw talent is almost irreplaceable”.
Marcus quickly rose through the ranks of Kryptos Logic – and at a certain point even had two employees working under him. He was positively having the time of his life, as evident in his tweets from this period – such as: “My first question upon waking up and seeing the clock said 9:30 was ‘a.m. or p.m.?’ #DreamJob”.
While working at Kryptos Logic, Hutchins made some good friends but he also made some powerful enemies.
One of his most important projects at Kryptos was tracking Mirai – a highly effective botnet malware that can take over Linux-based devices and turn them into bots. For example, one botnet using the malware once shut down Liberia’s only fiber cable and took down the entire country’s internet access.
At some point, Mirai’s source code was published online, thus getting into the hands of many different black hat hackers. But Hutchins managed to track Mirai and put an end to several botnet schemes – probably making more than a few people more than a bit angry…
Yet at this point in our story, Hutchins was still anonymous. Writing online about his adventures in the cyber trade, Hutchins was only known publicly by his alias: MalwareTech. He operated – and still does to this day – a personal blog and a prolific Twitter account – but except for a few trusted friends, no one knew his true identity.
Shutting Down WannaCry
Then came May 12, 2017. WannaCry stormed the World Wide Web: Billions of dollars were destroyed, hundreds of organizations were crippled.
“I woke up at around 10 AM and checked onto the UK cyber threat sharing platform where I had been following the spread of the Emotet banking malware, something which seemed incredibly significant until today. […] There were a few of your usual posts about various organisations being hit with ransomware, but nothing significant…yet. I ended up going out to lunch with a friend, meanwhile the WannaCry ransomware campaign had entered full swing.
When I returned home at about 2:30, the threat sharing platform was flooded with posts about various NHS systems all across the country being hit, which was what tipped me off to the fact this was something big. […] I was quickly able to get a sample of the malware with the help of Kafeine, a good friend and fellow researcher.”
Hutchins was well experienced with reverse engineering botnets – so surgically examining this new malware was exactly his cup of tea. He allowed the ransomware to encrypt a virtual machine on his computer and realized something strange: before doing any harm to its target computer, WannaCry tried to connect to a very long gibberish-like domain name.
“Upon running the sample in my analysis environment I instantly noticed it queried an unregistered domain, which I promptly registered.”
Hutchins wasn’t trying to stop WannaCry: registering domains connected to active malware infections was a regular procedure at Kryptos Logic, in order to track the spread of a malware. In fact, wrote Hutchins in his blog post, it was something he did on an almost daily basis.
But then, something weird happened. A few seconds after the new domain went online, a colleague from a different security company reached out to him, asking if Hutchins could send him a sample of the malware, since his sample wasn’t working: it wasn’t trying to infect other computers anymore.
“As curious as this was, I was pressed for time and wasn’t able to investigate, because now the sinkhole servers were coming dangerously close to their maximum load.”
After Hutchins took care of the servers, he asked a fellow employee to look into the worm’s code and check for something or other.
“After about 5 minutes the employee came back with the news that the registration of the domain had triggered the ransomware – meaning we’d encrypted everyone’s files.”
Hutchins panicked. Did he just accidentally seal the fate of hundreds of thousands of computers all over the world?
But, no. A few minutes later it turned out that actually, the exact opposite had happened: WannaCry was stopped. The ransomware still infected new computers, but did not encrypt their data and did not demand ransom payments. Once this ransom domain name was online, the malware didn’t proceed with its malicious plan.
Marcus Hutchins saved the day: less than 8 hours after it took over the world and infected over 300 thousand computers – WannaCry was stopped. Hutchins wrote a blog post, summarizing what he knew about the malware and how he stopped it, and ended it with –
“Now, I should probably sleep.”
An Old Enemy, and A New One
His rest was short-lived.
As I mentioned earlier, Hutchins made some people very angry when he reverse-engineered and stopped several Mirai botnets, before he joined Kryptos Logic. This person or persons now found a way to get their revenge.
Suddenly, a Mirai botnet started a coordinated DDoS attack on the domain name Hutchins registered. The clear intention of this attack was to get the domain name offline – and bring WannaCry back to life. The implications could have been severe: since the malware kept infecting new computers, all it needed was a brief moment online to encrypt millions of already infected computers.
The first DDoS attack was a small one – Hutchins barely noticed it at first. Then came a second, bigger one – and then a third, and a fourth, each one bigger than its predecessor. At first, Hutchins countered with a simple solution: turning on the server’s caching option, which enabled it to handle a much higher load. But by the fifth attack, the servers were being hit by a digital flood: 20 gigabits of information per second. The pressure on Hutchins was tremendous: he was practically the only one standing between WannaCry’s masters and many thousands of potential victims. For almost a week, he didn’t sleep more than three consecutive hours.
Luckily, the U.K. National Cyber Security Center and Amazon agreed to host Hutchins’s domain, thereby providing it with a solid infrastructure that would allow it to withstand all DDoS attacks.
We still don’t know what was the purpose of the built-in weakness in WannaCry that allowed Hutchins to stop it. Some argue that this was an intended kill switch that allowed the perpetrators to stop the malware should it get out of hand. Others, like Hutchins himself, believe that the malware’s strange behavior derived from its anti-detection mechanisms. Perhaps WannaCry shut itself down in order to evade detection – in a fateful miscalculation by the ransomware/worm hybrid.
Kaspersky Lab later showed links between WannaCry and a North-Korean-affiliated hacker group, while linguistic analysis of the ransomware showed clear Chinese and Korean influences. Other researchers found metadata that linked the malware to Korean time zones. Microsoft, the United Kingdom and U.S. authorities finally reached the conclusion that North Korea and the Kim regime created the worm. Later, the U.S. Department of Justice indicted a North Korean national, Park Jin-Hyok, for involvement in the attack.
All around the world, people were eager to learn more about the young hacker who destroyed WannaCry. The media started looking into MalwareTech’s true identity.
Two days after the WannaCry attack, Hutchins woke up to discover his picture on the front page of an English newspaper. He tried avoiding the press, climbing over his house’s back wall to escape the reporters who camped outside his home.
“I knew 5 minutes of fame would be horrible but honestly I misjudged just how horrible…. British tabloids are super invasive,” Hutchins tweeted. He later added: “Tabloids don’t care about the story, they care about every detail of the person behind it and will go to extreme lengths to find out”. For example, a journalist offered one of his friends money for Marcus’ girlfriend’s name and phone number.
But still, for all the unpleasant sides of this newfound fame – it’s not bad being a hero. The Daily Mail called him “the Virus Hero”, The Sun used the phrase “22-year-old Brit computer genius”, NBC News used the headline “Marcus Hutchins Saved the United States” – while the Independent preferred the more heroic “Saved The World”.
And so, Marcus Hutchins was prepared to sail off into the sunset and live happily ever after. But something else happened. To use a quote from the wonderful film Magnolia: “We might be through with the past, but the past ain’t through with us”.
The FBI
After WannaCry was stopped, Marcus Hutchins became the guy who saved the day. The accidental hero who slayed the big bad WannaCry dragon and saved the world. It was quite an achievement for a person of humble background like him. Moreover, it was the ultimate redemption for the black hat hacker who wrote malware for a living just a couple of years prior.
So a couple of months later he travelled to the place where he’d be most adored, most appreciated and most popular: DEFCON, the famed cyber security conference in Las Vegas. It wasn’t Hutchins’ first visit to DEFCON: he was there the year before – but this time was different. Hutchins was now famous, and this accidental fame, it turns out, drew the attention of the FBI. When the Bureau’s investigators ran his name through their databases, they immediately discovered his past actions. Thus, Hutchins’ visit to Las Vegas became a golden opportunity for the FBI to seize Marcus – a British citizen – without having to ask the British government for his extradition to the US.
And so, while waiting to board the flight home at the Las Vegas Airport, he was approached by FBI agents – and arrested on counts of conspiracy to commit computer fraud and abuse – relating to his prior online partnership with Vinny and the creation of the KRONOS malware.
A Moral Dilemma
Naturally, Hutchins’s arrest made the headlines, and almost immediately a heated debate rose within the security community. Should the criminal-turned-hero be punished for his past crimes?
Opinions were very divided. Tarah Wheeler, one of Hutchins’ closest supporters, said in an interview with Wired magazine –
“We are all morally complex people. For most of us, anything good we ever do comes either because we did bad before or because other people did good to get us out of it, or both”.
There are plenty of examples of young people who managed to turn their life around. Frank Abagnale is a well known one: his was the story upon which the Spielberg film “Catch Me If You Can” was based. According to his own account, Abagnale impersonated a doctor, a lawyer and a jet pilot. He also conned vast amounts of money from big corporations. Abagnale later became a consultant to several banks and helped them lead their counter-fraud efforts. But he was only rehabilitated after serving two years in prison. Danny Trejo served time in almost every penitentiary in the state of California for robbing stores – before becoming an actor, famous for his portrayal of ‘tough guys’ on the big screen.
This dilemma is especially prevalent in cyber security, where many white hat hackers and security professionals started their careers as trouble-making script kiddies or even black hat hackers. Among the more famous examples are Kevin Mitnick, who served five years in prison before becoming a security consultant, and Robert Morris Jr., who crashed the Internet in 1988 with his Morris Worm – and went on to become a successful and well-respected professor, and even co-founded Y Combinator, an influential venture capital funding firm.
There’s little doubt that black-hat hackers who turn to the Light Side bring with them some very valuable and important knowledge and experience. In some cases, the good these reformed criminals do outweighs the bad they did in their past lives – and their new line of work certainly benefits society more than spending time behind bars.
But what about the victims of the KRONOS rootkit? Don’t they deserve some justice for all the damage and hardship they suffered at the hands of Hutchins’ malware?
When Brian Krebs, the well known journalist, wrote on his blog that he is “rooting for him to beat the charges”, several readers were very cross. For example, one commented that –
“Some people are outraged he has been arrested or would like a token slap on the wrist… what would these same people want if it was their bank accounts drained? Or are these supporters using the bank of mum and dad, so have no concept of working hard for a living to pay bills, which you can’t if someone steals it using purchased software from this guy?”
Another reader added –
“No kidding, people work 40+ years saving money to retire to afford food, housing and some medical, only to get robbed and have to live in poverty due to punks like this. It’s not a crime against computers – it’s theft from lots of people. To which the punishment should fit the crime. If some old couple offs some kid that cleaned them out, my pity won’t be for the thief.”
It’s not an easy question to answer. I’m not sure we have an answer to this question, nor that a clear answer even exists. In a story where the gallant hero was complicit in a banking fraud, it is clear that it’s not black and white. For his part, Hutchins wrote on his Twitter account –
“I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”
After a night in a Vegas jail, people in the hacker community rushed to his defense. Some tweeted in protest of the Department of Justice decision; others even raised money to have him released on bail.
The question of Marcus Hutchins’s fate stretched over more than a year of legal fighting. Finally, Hutchins agreed to a plea deal: he pleaded guilty to two charges and left his sentencing to the judge’s discretion – without a prosecution recommendation. On his blog, Hutchins wrote that he regrets his past actions and accepts full responsibility.
But in the courthouse, the judge said something outstanding. Addressing Hutchins, the judge said:
“It’s going to take the people like you with your skills to come up with solutions because that’s the only way we’re going to eliminate this entire subject of the woefully inadequate security protocols”.
Taking into account Marcus’s contribution to the world and the fact that he had already turned the corner, the judge sentenced him to time served – without any further prison sentence or fine. The judge explained that Hutchins’ later deeds in the public’s service outweighed his past felonies.
What did Marcus himself have to say after his sentence? Well, the flamboyant hacker took to Twitter – his natural habitat – and commented ironically about the media headlines, claiming: “The ‘Hacker who killed WannaCry spared jail’ headlines are super unfortunate. For readers who don’t know what WannaCry is, it reads like I murdered some rapper”.