Surfer who thwarted web attack warns culprits will try it again
The 23-year-old who saved the world from a devastating cyberattack in May was asleep in his bed in the English seaside town of Ilfracombe after a night of partying when another online extortion campaign spread across the globe.
Around 6 p.m. on June 27, Marcus Hutchins, a self-taught computer-security researcher and avid surfer, was awakened by a phone call from a colleague telling him another attack was underway. Dreading a return of the virulent WannaCry malware that he stopped in its tracks the previous month, Hutchins logged on to his computer in the house he shares with his parents and younger brother to scan the latest reports.
By then, more than 80 Ukrainian banks, government agencies and multinational firms, including shipping giant A.P. Moller-Maersk, and Russia's biggest oil company, Rosneft, had been hit by a ransomware attack spreading like an electronic plague across their networks.
Within 20 minutes, Hutchins later recounted, he got hold of a sample of the malware and was relieved to see it wasn't another WannaCry, which infected hundreds of thousands of computers in more than 150 countries, but something more targeted and less virulent.
Though both attacks took advantage of flaws in Microsoft's Windows operating system to spread their payloads, WannaCry used the internet to propagate itself — each compromised computer would scan and infect another, creating a snowball effect — while the so-called Petya attack was confined to local networks. Petya appeared bigger at first because hackers hit Ukrainian software company M.E.Doc and used an automatic update feature to download its malware onto the computers of all users of the software, Hutchins said.
Researchers like Hutchins and his colleagues at Los Angeles-based threat-intelligence firm Kryptos Logic are akin to seismologists, scanning the internet for electronic tremors that could signal the next attack. This time he was only an observer, but on May 12 Hutchins stopped the WannaCry attack that crippled organizations from Britain's National Health Service to Deutsche Bahn in Germany and Renault factories across Europe.
With a mop of curly hair, baggy jeans, Tshirt and sneakers, Hutchins is an unlikely hero. He rarely leaves rural north Devon, where he has lived since he was 8, and hadn't traveled abroad until last year. He learned to program computers at 12 and was tracking and disrupting botnet attacks for his own enjoyment before anyone paid him to do so.
Hutchins started a blog under the pseudonym MalwareTech while still a teenager and was hired by Kryptos in 2015. He said his parents and friends didn't even know he had a job until the WannaCry attack.
Hutchins was supposed to be enjoying a week's vacation, but returning home after a lunch of burgers and cheesy chips with a friend and seeing the carnage WannaCry was inflicting, he couldn't resist jumping in.
"The fact that so many NHS trusts were being hit at the same time was pretty much unprecedented," Hutchins said in an interview a few weeks after the attack, drinking Coca-Cola in a hotel bar in Ilfracombe, a picturesque but faded tourist town. "That for me was a massive red flag, which showed that this thing was spreading on its own."
Most ransomware, which encrypts files on a target machine to force its owner to make a payment in exchange for decryption, is spread via email attachments from rogue senders that infect host computers when they're opened. Hutchins said he'd expect a handful of people to click on a mass email over a few days, not thousands of employees at scores of medical facilities at the same time.
After analyzing a sample of the malware and seeing it spread by exploiting vulnerabilities in Microsoft's network file-sharing protocols, he realized it was using a cyberweapon allegedly stolen from the U.S. National Security Agency. Known as "EternalBlue," it was part of a cache of sophisticated NSA hacking tools targeting Microsoft software that were obtained by the Shadow Brokers criminal gang last year and leaked onto the internet in April.