Already a global hero at the tender age of 23
THE 23-YEAR-OLD who saved the world from a devastating cyberattack in May was asleep in his bed in the English seaside town of Ilfracombe last week after a night of partying when another online extortion campaign spread across the globe.
Around 6pm on June 27, Marcus Hutchins, a self-taught computer-security researcher and avid surfer, was awakened by a phone call from a colleague telling him another attack was under way.
Dreading a return of the virulent WannaCry malware that he stopped in its tracks the previous month, Hutchins logged on to his computer in the house he shares with his parents and younger brother to scan the latest reports.
By then, more than 80 Ukrainian banks, government agencies and multinational firms including shipping giant AP Moller-Maersk and Russia’s biggest oil company Rosneft had been hit by a ransomware attack spreading like an electronic plague across their networks.
Within 20 minutes, Hutchins later recounted, he got hold of a sample of the malware and was relieved to see it wasn’t another WannaCry, which infected hundreds of thousands of computers in more than 150 countries, but something more targeted and less virulent.
Though both attacks took advantage of flaws in Microsoft Corporation’s Windows operating system to spread their payloads, WannaCry used the internet to propagate itself – each compromised computer would scan and infect another, creating a snowball effect – while the so-called Petya attack was confined to local networks.
Petya appeared bigger at first, because hackers hit Ukrainian software company M.E.Doc and used an automatic update feature to download its malware on to the computers of all users of the software, Hutchins said.
Researchers like Hutchins and his colleagues at Los Angeles-based threat-intelligence firm Kryptos Logic are akin to seismologists, scanning the internet for electronic tremors that could signal the next attack. This time he was only an observer, but on May 12 Hutchins stopped the WannaCry attack that crippled organisations from Britain’s National Health Service to Deutsche Bahn in Germany and Renault factories across Europe.
With a mop of curly hair, baggy jeans, T-shirt and sneakers, Hutchins is an unlikely hero. He rarely leaves rural north Devon, where he has lived since he was 8, and hadn’t travelled abroad until last year. He learned to program computers at 12 and was tracking and disrupting botnet attacks for his own enjoyment before anyone paid him to do so.
Within 20 minutes Hutchins got hold of a sample of the malware.
Hutchins started a blog under the pseudonym MalwareTech while still a teenager and was hired by Kryptos in 2015. He said his parents and friends didn’t even know he had a job until the WannaCry attack.
Hutchins was supposed to be enjoying a week’s holiday, but returning home after a lunch of burgers and cheesy chips with a friend and seeing the carnage WannaCry was inflicting, he couldn’t resist jumping in.
“The fact that so many NHS trusts were being hit at the same time was pretty much unprecedented,” Hutchins said in an interview a few weeks after the attack. “That for me was a massive red flag, which showed that this thing was spreading on its own.”
Most ransomware, which encrypts files on a target machine to force its owner to make a payment in exchange for decryption, is spread via e-mail attachments from rogue senders that infect host computers when they’re opened.
Hutchins said he’d expect a handful of people to click on a mass e-mail over a few days, not thousands of employees at scores of medical facilities at the same time.
After analysing a sample of the malware and seeing it spread by exploiting vulnerabilities in Microsoft’s network file-sharing protocols, he realised it was using a cyber weapon allegedly stolen from the US National Security Agency (NSA).
Known as “EternalBlue,” it was part of a cache of sophisticated NSA hacking tools targeting Microsoft software that were obtained by the Shadow Brokers criminal gang last year and leaked on to the internet in April.
Hutchins also noticed a quirk buried deep in the malware code. It tested for the existence of an unregistered nonsensical domain name.
He promptly registered the domain for £8.5 (R146) and redirected all traffic to a server designed to capture malicious data, known as a sinkhole, which would allow him to monitor the progress of the attack.
Although he didn’t realise it at the time, Hutchins had inadvertently triggered the malware’s kill switch. Before infecting and encrypting a computer’s hard drive, WannaCry would query the domain, and as long as it remained unregistered would proceed with the attack.
Now, when the malware checked the domain and found it active, it immediately shut down. About 100 million attempts to infect computers, including more than 7 million in the US, have been mitigated since then, according to Kryptos data.
“At the time, we were just like ‘Yay, we can track it now,’ we didn’t know that we’d stopped it,” Hutchins said. “The minute we registered the domain we were looking at like 5 000 or 6 000 unique systems all connecting, and it went up to 200 000 within an hour. I remember thinking: Holy shit, this is really big.” – Bloomberg
Marcus Hutchins, digital security researcher for Kryptos Logic, on a computer in Ilfracombe, UK. PHOTO: BLOOMBERG