Back in May, the ransomware WannaCry began infecting critical infrastructure across Europe and in the United States, reaching roughly 230,000 infected machines in 150 countries within a day of its release. The infection was stopped in its tracks when a cybersecurity researcher with Kryptos Logic, Marcus Hutchins (aka MalwareTech), registered a domain that the malware queried before running its payload. Once that domain resolved, the check functioned as a kill switch: new infections exited before encrypting user data and locking down the system.
Hutchins apparently traveled to the United States to attend the Defcon 2017 conference, which ran from July 27 to 30 at Caesar’s Palace in Nevada. He was arrested on Thursday by the FBI. (Initially it was reported he was held by the US Marshals, but this appears to have been inaccurate.) The FBI has filed a formal indictment against Hutchins, alleging that he and an unnamed co-conspirator (whose name has been redacted from the filing) “knowingly conspired and agreed with each other to commit an offense against the United States.”
Hutchins is accused of creating a banking trojan known as Kronos in 2014. His unnamed co-conspirator appears to have been responsible for documenting and marketing the product by posting YouTube videos and offering to sell it via online forums. The malware was designed and marketed as being capable of stealing banking credentials by redirecting infected users to fake versions of their banks' websites.
Later, in 2015, the redacted co-conspirator offered “cryptying” [sic, likely “crypting”] services for Kronos. A crypting service takes malware, checks whether current antivirus tools detect it, and then obfuscates or re-packs the code until it no longer triggers those detections. If you’ve ever used a service like VirusTotal to see whether an application was malicious, this is the opposite: a crypting service takes a malicious file and works to ensure it isn’t detected, rather than checking whether a file is actually clean. (Because VirusTotal shares uploaded samples with antivirus vendors, crypting services typically test against private “no-distribute” scanners instead, so that the freshly obfuscated build isn’t handed straight to the vendors it is meant to evade.)
The indictment states the Kronos malware was offered on the recently closed AlphaBay marketplace and notes one sale of the software, for $2,000. According to a 2014 story at Threatpost (via Vice), Kronos was offered for $7,000 when the software was apparently still in pre-order. The same post notes that the malware went “a step beyond” and came packaged with a Ring 3 rootkit.
Protection rings are the hardware privilege levels the CPU enforces, and both Linux and Windows rely on them to protect data and limit what an application can touch. Ring 0 is the most privileged level: the kernel runs there with unrestricted access to memory, hardware, and every other process. Ring 3 is the least privileged level, where ordinary applications run; anything they want from the system (opening a file, listing a directory, reading another process’s memory) has to be requested from the kernel through a system call. A “Ring 3 rootkit” is therefore one that never touches the kernel. It runs entirely in user mode and hides itself by hooking the library calls that other user-mode programs make, so those programs see a filtered view of files, registry keys and processes while the kernel itself still reports everything. At the time, IBM researchers told Threatpost the following:
By running as a Ring3 rootkit, other processes, including other Trojans, can’t see the elements this Trojan is using: its directories and files, registry entries, and processes. Some financial Trojans look to remove other Trojans that are already running on the infected machine, to allow the new Trojan to steal the information. After all, cyber criminals compete with each other to gain as much information as possible.
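Because a ring-3 rootkit filters the view inside each process rather than inside the kernel, it can be caught by asking the kernel directly and comparing the answers. The following is an added example (not code from the article, from Kronos, or from IBM) for Linux: it lists a directory once through libc’s readdir(), the path a user-mode hook would intercept, and once through the raw getdents64 system call, then reports any entry the kernel returns that libc did not. The directory layout struct, the 4096-entry cap and the function names are this example’s own choices, not anything described on the page.

```c
// Added example: detect user-mode (ring 3) file hiding on Linux by comparing
// the libc readdir() view of a directory with the kernel's getdents64 view.
// A ring-3 rootkit hooks library calls inside other processes and never
// touches the kernel, so the raw syscall still returns every entry; a ring-0
// rootkit filtering inside the kernel would fool both paths equally.
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAX_ENTRIES 4096      /* example cap on entries per listing (assumption) */
#define NAME_MAX_LEN 256

typedef struct {
    char names[MAX_ENTRIES][NAME_MAX_LEN];
    int count;
} listing_t;

static void add_name(listing_t *l, const char *name) {
    if (l->count >= MAX_ENTRIES) return;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return;
    snprintf(l->names[l->count++], NAME_MAX_LEN, "%s", name);
}

/* Path 1: through libc's opendir/readdir, which is what ls, find and most
   tools use, and therefore exactly what a ring-3 rootkit hooks. */
int list_via_readdir(const char *path, listing_t *out) {
    out->count = 0;
    DIR *d = opendir(path);
    if (!d) return -1;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) add_name(out, e->d_name);
    closedir(d);
    return out->count;
}

/* Kernel record layout returned by getdents64 (decoded by hand so that no
   library wrapper sits between this code and the kernel). */
struct kernel_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

/* Path 2: straight to ring 0 via the getdents64 system call. */
int list_via_getdents(const char *path, listing_t *out) {
    out->count = 0;
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    char buf[32768];
    for (;;) {
        long n = syscall(SYS_getdents64, fd, buf, sizeof buf);
        if (n < 0) { close(fd); return -1; }
        if (n == 0) break;
        for (long off = 0; off < n;) {
            struct kernel_dirent64 *e = (struct kernel_dirent64 *)(buf + off);
            add_name(out, e->d_name);
            off += e->d_reclen;
        }
    }
    close(fd);
    return out->count;
}

static int contains(const listing_t *l, const char *name) {
    for (int i = 0; i < l->count; i++)
        if (strcmp(l->names[i], name) == 0) return 1;
    return 0;
}

/* Returns how many entries the kernel reports that libc did not (or -1 on
   error). Anything above zero means something between the syscall and the
   caller is filtering the view, which is the signature of a user-mode hook. */
int hidden_entry_count(const char *path) {
    static listing_t libc_view, kernel_view;   /* ~1 MiB each, kept off the stack */
    if (list_via_readdir(path, &libc_view) < 0) return -1;
    if (list_via_getdents(path, &kernel_view) < 0) return -1;
    int hidden = 0;
    for (int i = 0; i < kernel_view.count; i++)
        if (!contains(&libc_view, kernel_view.names[i])) {
            printf("hidden from readdir(): %s\n", kernel_view.names[i]);
            hidden++;
        }
    return hidden;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : ".";
    int hidden = hidden_entry_count(path);
    if (hidden < 0) { perror(path); return 2; }
    printf("%s: %d entries hidden from libc readdir()\n", path, hidden);
    return hidden ? 1 : 0;
}
```

Run it against a directory you suspect is being filtered (`./ring3check /some/dir`); a clean system reports zero hidden entries, and any name printed is one that libc’s readdir() path dropped. Use the same idea for process listings by comparing `/proc` read through the two paths. The check is deliberately cheap rather than complete: a rootkit that hooks the syscall wrapper, patches the binary, or lives in ring 0 will not show up, which is precisely why the ring distinction in the quote above matters.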
There’s a common trope in TV and films regarding various sorts of expert black hats who later swap a black hat for a white one, or at least an intermediate shade of gray. Based on Hutchins’ job and work on stopping WannaCry, that seems to have been what he attempted to do. The FBI, however, has other ideas — and the statute of limitations on Kronos hasn’t exactly expired.