WannaCry Hero Arrested, One of Two Charged with Distribution of Kronos Malware

Marcus Hutchins, aka MalwareTech the WannaCry hero, was arrested and charged with another unnamed individual with creating and distributing the Kronos banking malware.

Marcus Hutchins, the researcher hailed for his work in blunting the WannaCry ransomware outbreak in May, was arrested Wednesday in Las Vegas and charged with creating and distributing the Kronos banking malware.

Hutchins, known online as Malwaretech, is a U.K. citizen and arrived in Las Vegas last week before the Black Hat and DEF CON hacker conferences began.

In the indictment, Hutchins and another individual whose identity has been redacted, are facing charges that they violated the Computer Fraud and Abuse Act. The two are charged with six counts associated with the distribution of the Kronos malware.

The indictment alleges Hutchins created the Trojan in July 2014, and the second individual demonstrated it in a video posted to a public website. The video below was still available on Youtube as of 3 p.m. Eastern time and was posted on July 13, 2014, the same date mentioned in the indictment.


The two are also alleged to have advertised the malware for sale on a number of internet forums, including the recently dismantled AlphaBay market. The Department of Justice alleges the second defendant offered to sell the malware for $3,000 USD in August 2014. The indictment goes on to allege that the pair updated the malware in February 2015, and in April of that year, the second defendant posted it to AlphaBay. The unnamed defendant allegedly sold the malware in June 2015 for $2,000 in cryptocurrency. In July 2015, the second defendant began offering encryption services that would conceal the malware, the indictment said.

In July 2014, IBM reported the advertisement of Kronos on Russia malware forums, and it was billed as having the means of evading detection and analysis.

Kronos is typical banking malware in that it concentrates on stealing users’ credentials by using webinjects mimicking leading banking and financial websites supported across the major browsers. The victims are presented with a phony login page asking for personal information, passwords, ATM PIN numbers and security question details. Kronos, according to IBM, also operated as a Ring3 rootkit and had the ability to disguise itself from other banking Trojans that may compromise the same victim. Some versions of banking malware will attempt to remove competing Trojans.

Hutchins, who works for a U.S. security company called KryptosLogic, was hailed as a hero during the global WannaCry outbreak. His analysis of the ransomware uncovered the now famous hardcoded killswitch domain that the malware beaconed out to. Hutchins’ quick thinking in scooping up the domain for around $10 USD likely spared the U.S. from suffering significant impact at the hands of WannaCry.

WannaCry still, however, spread to more than 200,000 computers in 150 countries, hitting hospitals in the United Kingdom particularly hard, along with large telecommunications companies across Europe and other major manufacturers and enterprises. The malware, however, was not considered particularly sophisticated or interesting, and the inclusion of the killswitch domain remains a mystery to this day.

This story is developing.

Image from Duy Pham Nhat Flickr feed.

Suggested articles