In August 2017, tired and in a haze from a week of parties at the annual Def Con hacker conference, Marcus Hutchins was arrested at a Las Vegas airport. Only a few months earlier, the British cyber security researcher had been named as the hero who foiled a major ransomware attack. WannaCry infected 200,000 computer systems in more than 150 countries. Its most high-profile victim was the NHS. But in Vegas, the heroic story of the man who stopped WannaCry took an extraordinary turn.
“I was waiting for my flight home, someone in CBP [Customs and Border Protection] uniform approached me and asked my name,” Hutchins recounted in a documentary about his story released last year. “They led me to an interrogation room built into the airport – and it turned out that the guy was actually an FBI agent.”
Then 22, Hutchins was charged with developing and selling malicious code that was incorporated into malware between 2012 and 2015. According to a Sunday Times report in 2017, GCHQ knew that Hutchins would be arrested in the US. Although Hutchins had previously worked with the National Cyber Security Centre, part of GCHQ, it did not warn him.
During the ensuing two-year legal battle, Hutchins was unable to work or to leave the US, staying in Milwaukee and then Los Angeles. Eventually he agreed a plea deal that could have resulted in a ten-year prison sentence, but was released for time served with one year under supervision. At the sentencing the judge placed great emphasis on the work Hutchins had done since creating the malware for which he was arrested, particularly his role in combating WannaCry. In the past, Hutchins has spoken about being a “different person” when he was writing malware as a teenager.
Hutchins, 25, emerged from this cinematic series of events less than a year ago. He is used, he told me via Skype, “to this kind of life”. He is reluctant to relive what happened; the attention that WannaCry brought still feels strange. “I really don’t think about it much. It seems like a Black Swan event… I think: that is a thing that happened and something like that may never happen again.”
The 2017 attack affected computer systems in one in three NHS trusts and just under one in ten GP clinics. The disruption led to around 19,000 appointments being cancelled in one week, and a total cost of £92m. WannaCry tore through systems running Microsoft Windows, encrypting the contents and demanding payments in bitcoin to unlock them.
At the time, Hutchins was working out of a bedroom at his parents’ house in Devon for Kryptos Logic, a Los Angeles-based cyber security company. In the first few hours of the attack, he noticed that the malware’s code sent a signal to an unregistered website every time it infected a new system. He registered the site and the attacks slowed. Then they stopped.
Hutchins had discovered a “killswitch”: possibly a mechanism built in so that the hackers could bring the attacks to an end if necessary, or simply a flaw that was accidentally left in the code. The attackers were not looking to stop, however. They launched a “distributed denial-of-service” attack to try to crash the servers behind the newly registered website, which would have started the WannaCry attacks again. But they ultimately failed. Hutchins had protected the site by serving a cached copy of it to absorb the extra traffic, rather than a live server, which would have been overwhelmed.
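A defender's view of the sinkhole traffic described above, as an added example that is not from the article or from Kryptos Logic: it parses constructed web-server log lines from a hypothetical sinkhole and separates one-off beacons (each roughly one infected host) from the flood traffic of a denial-of-service attempt, so the infection count is not inflated by the flood.

```python
"""Triage sinkhole web logs: count beaconing hosts, set aside flood traffic.
Added example, not code from the article or Kryptos Logic. It assumes a sinkhole
HTTP server writing one Apache-style line per request; the lines are constructed.
"""
import re
from collections import Counter

# Constructed sample log. 192.0.2.x hosts beacon once or twice (a genuine
# kill-switch check); 203.0.113.9 hammers the endpoint as part of a flood.
SAMPLE_LOG = """\
192.0.2.10 - - [12/May/2017:15:01:02 +0000] "GET / HTTP/1.1" 200 12 "-" "-"
192.0.2.11 - - [12/May/2017:15:01:03 +0000] "GET / HTTP/1.1" 200 12 "-" "-"
192.0.2.11 - - [12/May/2017:15:01:04 +0000] "GET / HTTP/1.1" 200 12 "-" "-"
192.0.2.12 - - [12/May/2017:15:01:05 +0000] "GET / HTTP/1.1" 200 12 "-" "-"
203.0.113.9 - - [12/May/2017:15:02:00 +0000] "GET / HTTP/1.1" 200 12 "-" "-"
203.0.113.9 - - [12/May/2017:15:02:00 +0000] "GET / HTTP/1.1" 200 12 "-" "-"
203.0.113.9 - - [12/May/2017:15:02:01 +0000] "GET / HTTP/1.1" 200 12 "-" "-"
203.0.113.9 - - [12/May/2017:15:02:01 +0000] "GET / HTTP/1.1" 200 12 "-" "-"
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

def parse_log(text):
    """Yield (ip, timestamp) per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("ts")

def triage(text, flood_threshold=3):
    """Return (beaconing hosts, flood hosts).
    A kill-switch check from one infected machine yields about one request, so
    sources above flood_threshold requests are treated as flood, not infections."""
    per_ip = Counter(ip for ip, _ in parse_log(text))
    flood = {ip for ip, n in per_ip.items() if n > flood_threshold}
    beacons = set(per_ip) - flood
    return beacons, flood

if __name__ == "__main__":
    hosts, flood = triage(SAMPLE_LOG)
    print(f"{len(hosts)} beaconing hosts, {len(flood)} flood sources: {sorted(flood)}")
```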
Hutchins is due to return to the UK this year, but, ultimately, he plans on finding a way to go back to the US. “I wish I could stay,” he says. “It was definitely a change for the better, despite the mess that brought me here.”
The cyber security researcher comes across as understated and methodical. He is impressively self-taught. He completed a computer course at school, but never went to university. On a gap year – brought about by “bad luck and bad decisions”, as he has written on his blog, Malware Tech – he further developed his skills. It was his blog, which is still active, that first brought him to the attention of firms looking for people with his particular skillset.
WannaCry, Hutchins said, did not really target the NHS: “It went after everything and it just kind of happened.” The way it attacked was unusual. “That was pretty much the first and last time we ever saw a ransomware worm,” he said. A worm is a form of malware that spreads copies of itself from computer to computer on its own, without needing to attach itself to another program or rely on a user to run it. “If you had the capacity to make a worm, going for ransomware would probably not be your first call. It’s a very crude way to make money.”
The WannaCry attack crossed a line, he said, and is unlikely to inspire copycats. “No one looked at WannaCry and thought, ‘Hey, that’s a good idea, let’s simultaneously piss off every intelligence agency in the world.’ It was a state actor that did it [the UK and US governments have said that North Korea was responsible for the attack] and they still got found out, so I can’t imagine there are criminals out there thinking, ‘This is something we should do’… I think it was someone [who] found a nuclear weapon and decided they were going to rob the convenience store with it.”
The attacks have been attributed to hackers, backed by the North Korean state, who used cyber weapons stolen from the NSA by hackers believed to have connections to Russia. State-backed attacks are a core element of geopolitical power struggles and of manoeuvring by non-state actors. Hutchins describes such attacks as “essentially state-sponsored terrorism, but with cyber crime”.
Coronavirus has ushered in new threats. Virtual private networks (VPNs) have been hit in the past few months by more “opportunistic attackers going for whatever is available”, Hutchins said. “[This is] a big risk now because a lot of companies are using VPNs to get people on to their networks from home.” The other kind of attackers are more targeted, using “very typical spam” such as “your payment has been denied”.
With “semi-targeted ransomware attacks”, hackers mass-infect systems, go through them and pick out businesses to hit – “high-profile targets who would pay more than your average ransomware victim,” Hutchins explained. “A lot of the big financial crime actors have pivoted to that instead of their normal bank fraud.” The targets of such attacks include “pretty much everything you wouldn’t want them to hit: police departments, hospitals, state governments. They’ve even hit a couple of utility providers,” he said. “They’re going after stuff that actually matters.”
How prepared is the average organisation or individual for emerging cyber threats? “Things have definitely got better recently with high-profile attacks making people realise they need to take security seriously, but I still think that everyone is hugely underprepared.”
This article is from Spotlight’s May supplement on cyber security.