Marcus Hutchins reflects on lessons learned and what the future holds.
Almost seven years since he took the initiative to register a domain and stop the spread of the WannaCry ransomware, Marcus Hutchins now finds himself living in Los Angeles, building a new career as a software engineer with a keen eye on tracing malware outbreaks.
It was in May 2017 that Hutchins became the accidental hero the world needed. After WannaCry began to spread on 12 May, he discovered the kill switch domain hardcoded in the malware and registered it as a DNS sinkhole, which halted the spread because the ransomware only encrypted a machine's files if it was unable to connect to that domain.
However, his arrest later in 2017, on charges of helping to create, spread and maintain the banking trojan Kronos between 2014 and 2015, cast a shadow over his work earlier in the year, and while he has kept a low profile since, he remains in the US on his own terms.
This week Hutchins appeared, via video link, at the UK Cyber Week conference in London, where he was in conversation with Rik Ferguson, VP of security intelligence at Forescout. Here are some of the parts of their conversation.
On Registering the Domain that Stopped WannaCry
Hutchins said that in his research he sees a lot of unregistered domains in malware, and they are often likely to be a command and control server, or something that would allow researchers to take control of the malware. “So whenever I see another registered domain, I just grab it because it could be useful later. It might not give us control, it might just be statistics, but either way there may be value.”
So in the case of the WannaCry domain, it was not until later that he realised registering it had stopped the spread.
He asked a colleague at his employer at the time to go through the code and find out what the domain did, and it was someone else’s research that showed WannaCry was reliant on the domain, so the researchers did not have to reverse engineer the malware’s code or infrastructure themselves.
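The triage Hutchins describes (pull the hostnames out of a sample, note which ones nobody has registered, grab those) and the kill-switch behaviour described above can be shown in a few lines. The following is an added example written for this page, not code from Hutchins, his employer or the WannaCry analysis; the domains in it are hypothetical, the resolver is injected so it runs offline, and the `direct_egress` flag models the practitioner's caveat that a host which cannot open the outbound connection at all (for example one behind a mandatory proxy the malware does not use) never reaches the sinkhole and is encrypted regardless of who owns the domain.

```python
import re
import socket
from typing import Callable, Dict, List

# Tokens that look like "host.tld" in a strings dump but are really file names.
FILE_EXT_TLDS = frozenset({"exe", "dll", "sys", "dat", "bin", "tmp"})

# Hostname-shaped tokens: one or more labels, then an alphabetic TLD, not glued to other name chars.
DOMAIN_RE = re.compile(
    rb"(?<![a-z0-9.-])(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}(?![a-z0-9.-])",
    re.IGNORECASE,
)


def extract_domains(blob: bytes) -> List[str]:
    """Distinct hostname-looking tokens from a strings dump, in first-seen order,
    dropping tokens whose "TLD" is really a file extension."""
    found: List[str] = []
    for m in DOMAIN_RE.finditer(blob):
        name = m.group(0).decode("ascii").lower()
        if name.rsplit(".", 1)[1] in FILE_EXT_TLDS or name in found:
            continue
        found.append(name)
    return found


def triage_domains(blob: bytes, resolves: Callable[[str], bool]) -> Dict[str, str]:
    """Classify each embedded domain. The unregistered ones are the interesting ones:
    if the malware phones home to a name nobody owns, registering it hands the
    researcher the beacons (at minimum statistics, sometimes control).
    `resolves` is injected so this runs offline; live_resolves() is the real check."""
    return {
        d: ("registered" if resolves(d) else "unregistered: sinkhole candidate")
        for d in extract_domains(blob)
    }


def live_resolves(domain: str) -> bool:
    """Real DNS lookup for use in the field (not used by the offline demo below)."""
    try:
        socket.gethostbyname(domain)
        return True
    except socket.gaierror:
        return False


def kill_switch_outcome(domain: str, registered: set, direct_egress: bool) -> str:
    """Model of the check described in the article: the sample only encrypts when it
    cannot reach the hardcoded domain. A host with no direct egress cannot reach the
    sinkhole even once the domain is registered, so it is still encrypted."""
    reachable = domain in registered and direct_egress
    return "exits, no encryption" if reachable else "encrypts and spreads"


def simulate_outbreak(kill_switch: str, registered: set, hosts: List[dict]) -> Dict[str, int]:
    """Count outcomes across a fleet; each host is {'name': ..., 'direct_egress': bool}."""
    counts = {"exits, no encryption": 0, "encrypts and spreads": 0}
    for h in hosts:
        counts[kill_switch_outcome(kill_switch, registered, h["direct_egress"])] += 1
    return counts


# --- constructed demo data: hypothetical names, not real malware infrastructure ---
SAMPLE_STRINGS = b"""
Software\\Microsoft\\Windows\\CurrentVersion\\Run
tasksche.exe
http://killswitch-lookalike-a1b2c3.example.test/
update.cdn-mirror.example.org
mssecsvc.exe
"""
KNOWN_REGISTERED = {"update.cdn-mirror.example.org"}  # stand-in for a DNS answer

if __name__ == "__main__":
    print(triage_domains(SAMPLE_STRINGS, lambda d: d in KNOWN_REGISTERED))
    # Eight hosts; every fourth one sits behind a proxy and has no direct egress.
    fleet = [{"name": f"pc{i}", "direct_egress": i % 4 != 0} for i in range(8)]
    ks = "killswitch-lookalike-a1b2c3.example.test"
    print("before registration:", simulate_outbreak(ks, set(), fleet))
    print("after sinkhole registered:", simulate_outbreak(ks, {ks}, fleet))
```

Run as a script it first reports the `.example.test` name as a sinkhole candidate and the CDN name as already registered, then shows the same fleet going from eight encrypted hosts to two once the domain is registered; those two are the hosts that could never reach it, which is why a sinkhole slows an outbreak rather than ending it.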
On Having Hacking and Coding Skills
Hutchins admits that he was a malware developer and learned to reverse engineer by working on his own code. He also had a personal interest in watching malware spread across the globe, and built an online map that showed every time there was an infection. “I just built that for fun and a bunch of people saw it and thought the map itself was useless, but the technology that drives it was good.”
Among the botnets being tracked was Mirai, which Hutchins describes as “kids walking around with the DDoS equivalent of nuclear weapons.”
During WannaCry, Hutchins was working on the detections “until we fell asleep, and then the other person would take over, and we would be working all hours to keep the sinkhole alive.” This led to more and more servers being added to a semi-scalable infrastructure.
“At one point one of our servers got seized by a foreign government as they thought it was the control server for WannaCry,” he said, with investigators removing the physical rack. Eventually Cloudflare offered to host the domain on its systems, which were able to absorb the traffic, and WannaCry is still running to this day.
“WannaCry is going to be around for 20 years, so we need that sinkhole to be online.”
On Being Found by the Press
The ‘search for the accidental hero’ led the media to find Hutchins via a string of former addresses, camping out on his front lawn until he spoke to them. He eventually talked to the Associated Press, reasoning that “if I give this one interview, hopefully no one else will want another story.”
Hutchins admitted he is not a public person; that was the first time he had been interviewed, and he had so little preparation for the experience that, when asked, he forgot his own name due to nerves.
On the 2017 US Trip
After the WannaCry furore had died down, Hutchins and his friends travelled to Las Vegas to attend the DEFCON conference, and as Ferguson said, “you didn’t leave.”
Hutchins called the period both “interesting and traumatic,” as public opinion was divided on his actions, “as thousands of people were debating my morality online.” Being a private person, he was in the spotlight as people picked over actions he had taken in the past.
Ferguson deliberately skipped over the whole experience of the trial and remaining in the US, but once the sentence was passed “with time served,” Hutchins said he “just continued my life, and over time people changed their opinion of me.”
Hutchins also had to reclaim access to his MalwareTech blog, as he did not have the keys to the whole website, but he was able to update it whilst he was in the US.
The main thing Hutchins said he took from the experience was learning what leads young people into cybercrime, as “I went down that path and I almost didn’t come back.” He has since joined a virtual organisation whose goal is getting kids out of cybercrime and into serious careers.
Also, he said that even if you don’t get sentenced to jail in the US, it is a hard experience. “If I could go back and do a few years in jail, don’t do the court case or the trial, I would have taken that in a heartbeat,” he said.
Instead, he was offered a deal where he would have to “hand in all of my friends to basically walk” and he didn’t want to take that.
On Stepping Away from Social Media
Whilst Hutchins is a private person, the fame of the WannaCry actions brought him a massive online following. However, he admits that quitting X/Twitter in recent years improved his mental health.
“Twitter is very insular until you get to 50,000 or 100,000 followers, people just target you for no apparent reason,” he said, realising he didn’t enjoy the imbalance of positive and negative messages. “This wasn’t sustainable so I quit, and I thought I would regret it and honestly three years later, I feel so much better.”
Hutchins is, however, a user of TikTok, which he acknowledges is a platform for influence, but he called the debate over it being spyware “silly,” as TikTok requests the same permissions as many other apps and platforms.
“It’s expanding China into the western sector, something they've been struggling to do, and I don't worry that they would burn down a very influential platform just to steal something like credit card details and photos.”
On the use of AI in Cybersecurity
Ferguson paraphrased Hutchins in saying AI is going to be big “but not in the way that you think it is” and it is “not going to be used for the things that you say.” Hutchins says the temperature on AI has “cooled somewhat as there is a lot less of ‘hackers are going to ruin our economy’, and [the discussions are] a lot more measured now.” He called this the “correct take,” noting that while some systems have advanced, “a lot of the major ones have actually been going backwards.”
He believes the likes of ChatGPT are not going to be used to write the next WannaCry or NotPetya, and that cybercrime is still a human-oriented field. He said he does use ChatGPT to generate code: “I’m a professional programmer and I know what works, but what we see is a lot of hype with comments like this is going to help hackers who can’t code to now write amazing code.”
However, he believes the quality of AI-generated code is poor, and that people who lack the skills to review it release it into the wild “and it doesn't work or doesn’t do what they think it does.”
On the Future
Hutchins now lives in west Los Angeles, where the “golden sand, beaches, beautiful weather in the middle of a major city” are home. Admitting he couldn’t live in a hotel during the case, he took the apartment after having seen a lot of the US, but said the main thing he misses about the UK is the reasonable cost of living in his native Devon.
He now works in software engineering, “working on a security-based product” and tracking criminal actors on the side, “as that is my bread and butter and I cannot leave it behind.”
Finally asked by SC Media UK what his plan for the future is, Hutchins said his long term goal is to get enough money so he does not have to work for a living, and just do cybersecurity as a hobby “because that's how it started for me, and it would be kind of this poetic fight back” as he could go back to just being known as MalwareTech.
Written by
Dan Raywood
Senior Editor
SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.
Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.