MalwareTech, WannaCry and Kronos – Understanding the Connections

5 years ago Ary Widdes

In August 2017, as Marcus Hutchins was about to fly home to the UK after attending Black Hat and DEF CON in Las Vegas, NV, the FBI arrested him. The arrest sparked an immediate outcry, especially in the cybersecurity community: Hutchins was better known as MalwareTech, and only a few months earlier he had become famous for stopping the spread of the WannaCry ransomware. So why did the FBI arrest a newly famous security researcher?

The indictment unsealed at the time of the arrest provides the first clues. In it, the government brought six charges against Hutchins and a partner whose name was redacted, including the creation of the Kronos banking trojan. The investigation into Kronos itself had begun two or three years before the arrest. Most of the charges relate to computer-crime statutes, naturally enough; the first charge in the indictment, however, is conspiracy.

The indictment alleges that Hutchins and his partner conspired to create, advertise and sell the malware known as Kronos, in violation of the Computer Fraud and Abuse Act (CFAA). This first charge also alleged that Hutchins alone wrote the Kronos malware and that his partner was brought in specifically to act as a middleman for advertising and selling it. A video posted in July 2014 by Hutchins's partner demonstrated Kronos as a proof of concept and advertised it for $3,000 USD.

The second charge against Hutchins and his partner was for violating a section of the Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2512, which covers advertising a device or software whose primary use is the surreptitious interception of electronic, wire or oral communications.

The third charge was brought under the same section, except that it specified distributing such a device, and the fourth charge likewise specified selling one. It is worth noting that the statute is broad enough to apply equally to keyloggers, malware or even analog interception equipment.

The fifth and sixth charges in this early indictment were for unauthorized interception of communications (also under the ECPA) and for transmitting a program or code that intentionally causes damage to a protected computer, which the CFAA prohibits in 18 U.S.C. § 1030(a)(5)(A). The fifth charge appears to allege that by creating Kronos, Hutchins and his partner were also able to collect the banking data that Kronos was designed to intercept. The sixth charge boils down to alleging that by uploading Kronos and sending it to buyers, Hutchins and his partner violated the CFAA.

These six charges were enough to obtain a warrant for Hutchins's arrest and to hold him while the pre-trial proceedings got under way. Between the arrest and the guilty plea Hutchins filed in April 2019, a superseding indictment added four more charges, which many commentators on cyber law regarded as an attempt to strengthen the government's hand and keep Hutchins in the United States.

Kronos’s Relevance

Kronos, in brief, is a banking trojan: malware designed to steal online-banking credentials, typically by hooking the victim's browser to capture or alter submitted forms, so that the credentials can be sold or used directly for fraud and theft. Reports of Kronos infections in the United States began in 2015, and according to the prosecution's later sentencing memorandum, the trojan was an upgraded form of an earlier piece of malware called the "UPAS kit", originally developed in 2012. A Cybersecurity and Infrastructure Security Agency (CISA) report included in the sentencing memorandum noted that hundreds of Kronos alerts were being generated every month on U.S. state and local government systems.

The judge in the case noted that the government's attempt to quantify the loss and damage caused by Kronos failed. Because Kronos spread worldwide, its actual financial impact is very difficult to track across borders, especially in countries that lack the reporting and tracking capabilities of the United States or the United Kingdom.

WannaCry: Discovery and Defanging

To understand the sentencing, it is important to take into account Hutchins's work on WannaCry. WannaCry is ransomware: malware that encrypts files on the target system and then demands a ransom (usually in Bitcoin) in exchange for the decryption key. In May 2017, WannaCry made the news for encrypting the systems of at least 16 NHS hospitals and trusts in the UK and locking staff out. The attackers demanded $300 in Bitcoin to restore access. Left unable to reach medical records, many of the hospitals cancelled appointments. Other affected organizations included, but were not limited to, the German rail operator, Russian government ministries, and the companies FedEx, Telefónica and Renault.

WannaCry spread by means of EternalBlue, an exploit for a vulnerability in Microsoft Windows's SMBv1 file-sharing protocol. EternalBlue is widely believed to have been developed by the NSA; it became public when the Shadow Brokers leaked it in April 2017. Microsoft had already patched the underlying vulnerability in March 2017 (security bulletin MS17-010), two months before the outbreak; depending on an organization's patch cycle, however, it was entirely possible that the patch had not yet been applied, and systems that could not be patched (or that still exposed SMBv1 to the network) remained vulnerable.

Within a few hours of the outbreak hitting the news, Hutchins was analyzing a sample he had received from another researcher. One of the basic steps in analyzing malware is to look at the human-readable strings embedded in the binary, such as commands, URLs or filenames. Hutchins quickly found a URL during this analysis, and when he checked whether its domain was registered, it was not. He promptly registered it and set that detail aside for later. As MalwareTech explained in a blog post about the incident, registering such domains is part of his usual work: the aim is to sinkhole botnets and other malware so that their traffic can be collected for research.

Analysis of WannaCry continued, but by early afternoon Eastern time other researchers had noticed that registering the domain had effectively defanged the malware. With the domain live, WannaCry's propagation stopped, and further analysis showed that it also stopped newly infected systems from being encrypted. Hutchins confirmed this with his own sample and noted in his blog post that the domain check was likely an attempt to evade sandboxes, which often answer every network request with a fake response: the malware made an HTTP request to the domain, and if that request succeeded it exited without running its payload. Once the domain was registered and answering, the request succeeded everywhere, not just in sandboxes.
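The two steps described above, pulling candidate domains out of a binary's printable strings and then modelling the kill-switch decision, as an added example in Python. This is illustrative code written for this page, not Hutchins's tooling and not WannaCry's own code. The byte blob and the domain `example-killswitch-domain.invalid` are constructed stand-ins (the `.invalid` TLD is reserved and never resolves), and `http_get` is a caller-supplied function so that the example runs offline instead of making real requests.

```python
import re
import string
from typing import Callable

# Constructed sample: a stand-in for a malware binary, with printable strings
# scattered between non-printable bytes. The domain is a hypothetical
# placeholder, not any real malware's kill-switch domain.
SAMPLE_BLOB = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00"                # fake PE-style header bytes
    + b"\x00\x12InternetOpenUrlA\x00\x00"              # an imported API name
    + b"http://example-killswitch-domain.invalid\x00"  # the URL an analyst would spot
    + b"\x00\x7f\x01\x02sample-mutex-name\x00"         # another printable string
    + b"\xff\xfe\x00"
)

MIN_LEN = 6
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(?::\d+)?(?:/\S*)?")


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Return runs of printable ASCII at least min_len long, like the `strings` tool."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    found, run = [], bytearray()
    for b in blob:
        if b in printable:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def find_candidate_domains(blob: bytes) -> list[str]:
    """Hostnames from URL-looking strings: what an analyst would check for registration."""
    hosts = []
    for s in extract_strings(blob):
        for m in URL_RE.finditer(s):
            hosts.append(m.group(1).lower())
    return hosts


def killswitch_says_run(domain: str, http_get: Callable[[str], bool]) -> bool:
    """Model of the kill-switch check described in the text.

    http_get(domain) returns True if an HTTP request to the domain succeeded.
    A successful request means "exit without running the payload" (False);
    a failed request (NXDOMAIN, timeout, blocked) means "run" (True).
    """
    try:
        reachable = http_get(domain)
    except Exception:          # any network error counts as an unsuccessful request
        reachable = False
    return not reachable


def simulate(blob: bytes, registered: set[str]) -> dict[str, bool]:
    """For each candidate domain in blob, report whether the payload would run
    on a host where exactly the domains in `registered` answer HTTP requests."""
    fake_http_get = lambda host: host in registered   # offline stand-in for a real GET
    return {d: killswitch_says_run(d, fake_http_get) for d in find_candidate_domains(blob)}


if __name__ == "__main__":
    domains = find_candidate_domains(SAMPLE_BLOB)
    print("candidate domains:", domains)
    print("before registration:", simulate(SAMPLE_BLOB, set()))        # payload runs
    print("after registration: ", simulate(SAMPLE_BLOB, set(domains)))  # payload suppressed
```

Two points the simulation makes visible. First, the check is asymmetric: it is the *success* of the request that stops the malware, so a sandbox that fakes a response to every request triggers the exit, which is why the domain looked like sandbox evasion. Second, the same asymmetry is the kill switch's weak spot: on a host whose outbound HTTP is blocked or forced through a proxy the malware does not use, `http_get` fails even though the domain is registered, and `killswitch_says_run` returns True, so those machines were still encrypted after the domain went live.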

Completely unintentionally, Hutchins had stopped the WannaCry outbreak. The domain has since been handed off to Cloudflare, according to TechCrunch, and has stayed up ever since.

It wasn't all roses, though. As the weekend went on, researchers detected two new variants, only one of which could be stopped the same way. Patching affected systems against MS17-010 (and keeping SMBv1 off the open network) remained the only real defence against WannaCry.

Sentencing and Release

In April 2019, Hutchins's defense filed his guilty plea with the court. In it, he pleaded guilty to two of the ten charges: conspiracy to violate 18 U.S.C. § 1030, better known as the CFAA, and a violation of 18 U.S.C. § 2512 for advertising the Kronos malware. The other eight charges, mostly further alleged violations of the CFAA and the ECPA, were to be dropped as part of the plea agreement.

The prosecution's sentencing memorandum pushed hard for a prison term and cited the impact of Kronos to justify it. It also argued that harsh punishment would deter future malware authors and sellers. On the other side, friends, colleagues and peers of Hutchins sent letters in his support, arguing against a harsh sentence on the basis of the good he was capable of doing.

Sentencing hearing notes indicate that the guideline range in USA v. Marcus Hutchins was up to 14 months' imprisonment, up to three years of supervised release and a maximum fine of $40,000. The government objected and again tried to justify a higher fine on the basis of Kronos sales. In the end, however, the judge declined.

In the reasoning he gave the court for that decision, the judge directly compared the impact of Kronos with that of WannaCry. In short, the net positive impact of stopping WannaCry was judged to vastly outweigh the harm caused by sales of Kronos. The judge stayed within the guideline range and noted that the case had already dragged on for nearly two years since the arrest, during which Hutchins had been confined to the United States on bail. He sentenced Marcus Hutchins to time served plus one year of supervised release.

On the day his supervision ended, Hutchins posted a celebratory tweet:

My probation officially ends today. So thankful for everyone who supported me during my case, and to the judge for seeing things the way he did. I was convinced I'd be spending the next few years in prison, but instead I was allowed to continue my security work.

— MalwareTech (@MalwareTechBlog) July 25, 2020

Without his work on WannaCry, it is quite possible that Hutchins's case would have ended very differently.

Documents submitted to the court and available to the public can be found here.

The post "MalwareTech, WannaCry and Kronos – Understanding the Connections" appeared first on Tripwire. Source: Tripwire, Ary Widdes.
