MalwareTech: Behind the Mask

Posted by · July 14, 2017 7:11 am

Get to Know the Man Who Created the WannaCry Kill Switch

In the weeks following the WannaCrypt ransomware attack and mitigation, the question on every tech user’s mind was, “Who is MalwareTech and how did he find a way to stop this attack?” Known by his Twitter handle and his live-action tweets as he uncovered the ransomware strain and tracked its device preference, this 22-year-old from England has been inundated with requests for interviews and speaking engagements. Everyone wants to hear more about the person who created the kill switch that stopped the progression of WannaCry.

News channels have dubbed him an accidental hero, but here at Experts Exchange, we believe there’s no accident; he’s simply a hero. That label brings to mind images of comic book guardians and defenders of the everyday person, and it’s an apt description of this situation. Marcus Hutchins’ work in the WannaCry attack, after all, protected people from threats they could not see, and brings us to a new era of heroes: those who wield their expertise and passion for technology to help people around the world as they face total informational losses unless they pay a hefty sum.

Picture this: Hutchins likes to surf, enjoys pizza, blogs about technology security, and spends his days working for a private threat intel firm based in Los Angeles. But then, in his free time, he dons his proverbial cape and sends newly discovered threat information to the National Cyber Security Centre in the U.K. to prevent new strains of malware, simply because he believes it’s the right thing to do. For those who may wonder if that association was all talk following WannaCry, Hutchins recently dove back into his ransomware protection work, teaming up with the international online tech community to locate a vaccine for the Petya attack.

Like most heroes, Hutchins is not a fan of the limelight. Though he recently sat down with us for an interview, he feels his privacy during the WannaCry press frenzy has been compromised in every possible way. In truly gracious form, however, he is embracing the onslaught of requests for his insight and advice, informing the masses on ways to stay safe online.

In fact, he spent a day in June participating in a Reddit conversation to provide tips on programming languages to learn, how to explore a tech career without a degree, and what techniques to practice to keep skills fresh. He has a plethora of experience in recognizing and combating malware and he’s generous enough to share that information with other tech users.

As a primarily self-taught individual, Hutchins was fascinated by the technical aspects of malware, and dove into understanding rootkits and how they manipulate systems. This led him to reverse engineering and a focus on threat intelligence. Reverse engineering comes in handy in this line of work, as it involves breaking down pieces of software — and code — bit by bit to understand how it works and how it can be replicated, but for good. This knowledge came in handy in creating the kill switch for WannaCry.

In his efforts to explore ransomware technology and components, he opens the malware on a virtual machine to keep the data on his actual computer out of the virus’ reach. Through his reverse engineering techniques, he was able to see the WannaCrypt ransomware error message and the file encryption screen, as well as how the virus was spreading to external IP addresses. As outlined in his blog post on the mitigation of the attack, he proceeded to look for unregistered domains, gathered data on geographical distribution, and searched for vulnerabilities in the ransomware’s code. With that knowledge, he was able to register the domain and prevent the further spread of this virus.
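The workflow above, turned into a small defender-side model: pull the domains a sample queried from a sandbox DNS log, keep the ones that got no answer (candidates for registration as a sinkhole), and show why registering one stops a domain-gated spreader. This is an added example, not code from the article or from MalwareTech; the log lines and the domain are constructed placeholders, and the `resolve` callback stands in for a real DNS lookup.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed sandbox DNS log (not real telemetry); the domain is a
# placeholder, not the actual WannaCry kill-switch domain.
SANDBOX_DNS_LOG = """\
2017-05-12T14:02:11Z sample.exe DNS_QUERY killswitch-placeholder.test NXDOMAIN
2017-05-12T14:02:12Z sample.exe DNS_QUERY killswitch-placeholder.test NXDOMAIN
2017-05-12T14:02:20Z sample.exe DNS_QUERY update.example.net 93.184.216.34
2017-05-12T14:02:25Z svchost.exe DNS_QUERY time.example.org 192.0.2.10
"""

LINE_RE = re.compile(r"^\S+ (\S+) DNS_QUERY (\S+) (\S+)$")


def unresolved_domains(log: str, process: str = "sample.exe") -> List[str]:
    """Unique domains the sample queried that received NXDOMAIN, in log order."""
    found: List[str] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) != process:
            continue  # skip malformed lines and other processes' lookups
        domain, answer = m.group(2), m.group(3)
        if answer == "NXDOMAIN" and domain not in found:
            found.append(domain)
    return found


def spreader_would_proceed(domain: str, resolve: Callable[[str], Optional[str]]) -> bool:
    """Model of a domain-gated check: the sample only keeps going when the
    domain does NOT resolve, so a registered (sinkholed) domain halts it."""
    return resolve(domain) is None


def make_resolver(registry: Dict[str, str]) -> Callable[[str], Optional[str]]:
    """Stand-in for DNS: a domain resolves only if it is in the registry."""
    return lambda name: registry.get(name)


def spread_halted_by_sinkhole(domain: str, sinkhole_ip: str) -> bool:
    """True if the sample would have run before registration but not after."""
    before = spreader_would_proceed(domain, make_resolver({}))
    after = spreader_would_proceed(domain, make_resolver({domain: sinkhole_ip}))
    return before and not after
```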

While ransomware continues to be a hot topic in the news, especially with the recent outbreak of Petya, Hutchins said he sees a future shift occurring in ransomware targets, predicting IoT devices as the next wave of security failures in our society.

“As IoT devices become more popular, hackers will find new ways to use them to make money, rather than just for DDoS,” he said.

If this prediction should come to pass, it will be even more important for everyday users to be vigilant in their device security, not just technology personnel. For those in the profession, however, Hutchins encourages investing in top-notch hardware and software, such as VMware Workstation Pro, vSphere, or IDA Pro. He also suggests exploring well-written malware to understand how it works — how it undermines the security of operating systems — and to try and uncover ways to shut it down without losing access to files.

“Once you understand how a piece of malware is working internally, you can look at more proactive ways of blocking it,” Hutchins explained.

And no two ransomware viruses are the same. As this industry and its threats continue to change, so will the expertise of those working to combat the spread of ransomware. Remaining agile in skills and applications, continuous learning, and vigilant practice with existing strains will be even more vital to a tech professional’s ability to protect against future attacks.

Skill, however, is not everything. In Hutchins’ case, a large part of his expertise and success stemmed from his original interest in — and passion for — the topic. He has even explained in other interviews that he was researching ransomware long before he stumbled into his current career path.

In his Reddit interview, he encouraged users looking to explore this line of work to jump right in, saying, “It’s still quite a new industry, so you can’t expect to find books on everything. A lot of learning will just be trying things until something works. I think our sinkhole cluster went through about 30 iterations before I found a setup I was happy with.”

During those 30 iterations (before settling on the appropriate WannaCry kill switch), he relied on friends and colleagues to discuss ideas, test solutions, and discover the domain weakness. The ability to turn to the technology community in these emergent situations is of vital importance to Hutchins — and, in his opinion, it’s important to the security industry as a whole. Working together allows for collaboration and innovation in uncovering better practices and developing new software and tools.

“Even the multibillion-dollar companies use lots of tools and information that originated from the community,” he said.

For those who may remain skeptical, Hutchins’ skills, his passion for stopping these attacks, his insight into how “the other side” operates, and his reliance on expert teammates prove that he comes to the ransomware mitigation table with the perfect makings of a hero.

For more information on Marcus Hutchins and how he combatted WannaCry, stay tuned for our two-part Q&A series.