TrickBot malware learns how to spam, ensnares 250M email addresses

Old bot, new tricks.

TrickBot, a financially motivated malware in wide circulation, has been observed infecting victims’ computers to steal email passwords and address books to spread malicious emails from their compromised email accounts.

The TrickBot malware was first spotted in 2016 but has since developed new capabilities and techniques to spread and invade computers in an effort to grab passwords and credentials — eventually with an eye on stealing money. It’s highly adaptable and modular, allowing its creators to add in new components. In the past few months it’s adapted for tax season to try to steal tax documents for making fraudulent returns. More recently the malware gained cookie stealing capabilities, allowing attackers to log in as their victims without needing their passwords.

With these new spamming capabilities, the malware — which researchers are calling “TrickBooster” — sends malicious emails from a victim’s account, then removes the sent messages from both the outbox and the sent items folder to avoid detection.

Researchers at cybersecurity firm Deep Instinct, who found the servers running the malware’s spamming campaign, say they have evidence that the malware has collected more than 250 million email addresses to date. Aside from vast numbers of Gmail, Yahoo, and Hotmail accounts, the researchers say several U.S. government departments and other foreign governments — like the U.K. and Canada — had emails and credentials collected by the malware.

“Based on the organizations affected it makes a lot of sense to get as widely spread as possible and harvest as many emails as possible,” Guy Caspi, chief executive of Deep Instinct, told TechCrunch. “If I were to land on an end point in the U.S. State department, I would try to spread as much as I can and collect any address or credential possible.”

If a victim’s computer is already infected with TrickBot, it can download the certificate-signed TrickBooster component, which sends lists of the victim’s email addresses and address books back to the main server, then begins its spamming operation from the victim’s computer.

The malware uses forged certificates to sign the component to help evade detection, said Caspi. Many of the certificates were issued in the name of legitimate businesses with no need to sign code, like heating or plumbing firms, he said.

The researchers first spotted TrickBooster on June 25 and reported it to the issuing certificate authorities a week later, which revoked the certificates, making it more difficult for the malware to operate.

After identifying the command and control servers, the researchers obtained and downloaded the cache of 250 million email addresses. Caspi said the server was unprotected but “hard to access and communicate with” due to connectivity issues.

The researchers described TrickBooster as a “powerful addition to TrickBot’s vast arsenal of tools,” given its ability to move stealthily and evade detection by most antimalware vendors.

T-Mobile quietly reported a sharp rise in police demands for cell tower data

T-Mobile has reported a small decline in the number of government data requests it receives, according to its latest transparency report, quietly published this week.

The third-largest cell giant in the U.S. reported 459,989 requests during 2018, down by a little over 1 percent on the year earlier. That includes an overall drop in subpoenas, court orders, and pen registers and trap and trace devices used to record incoming and outgoing callers; however, the number of search warrants issued went up by 27 percent and wiretaps increased by almost 3 percent.

The company rejected 85,201 requests, an increase of 7 percent on the year prior.

But the number of requests for historical call detail records and cell site information, which can be used to infer a subscriber’s location, has risen significantly.

For 2018, the company received 70,224 demands for historical call data, up by more than 9 percent on the year earlier.

Historical cell site location data allows law enforcement to understand which cell towers carried a call, text message or data, and therefore where a subscriber was at any given time. Last year the U.S. Supreme Court ruled that this data was protected and required a warrant before a company is forced to turn it over. The so-called “Carpenter” decision was expected to result in a fall in the number of requests made because the bar to obtaining the records is far higher.

T-Mobile did not immediately respond to a request asking what caused the increase.


Call records requests by police. (2017 above, 2018 below). Source: T-Mobile.

The cell giant also reported that the number of tower dumps went up from 4,855 requests in 2017 to 6,184 requests in 2018, an increase of 27 percent.

Tower dumps are particularly controversial because these include information for all subscribers whose calls, messages and data went through a cell tower at any given time. That can include the data of hundreds or thousands of innocent subscribers at any time.

Although T-Mobile says it requires a court order or a search warrant, the Carpenter decision does not affect police accessing data obtained from tower dumps.

T-Mobile currently has 81.3 million customers as of its last earnings call. The company is currently in the middle of a merger with Sprint for $26.5 billion. The Justice Department is reviewing the bid, but several states are looking to block the deal entirely.

FEC says political campaigns can now get discounted cybersecurity help

In a long-awaited decision, the Federal Elections Commission will now allow political campaigns to appoint cybersecurity helpers to protect them from cyberthreats and malicious attackers.

The FEC, which regulates political campaigns and contributions, was initially poised to block the effort under existing rules that bar campaigns for federal candidates from receiving discounted services, because such a discount is treated as an “in-kind donation.”

For now the ruling allows just one firm, Area 1 Security, which brought the case to the FEC, to assist federal campaigns to fight disinformation campaigns and hacking efforts, both of which were prevalent during the 2016 presidential election.

Campaigns had fought in favor of the proposal, fearing a re-run of 2016 in the upcoming presidential and lawmaker elections in 2020.

FBI director Christopher Wray said in April that the recent disinformation efforts were “a dress rehearsal for the big show in 2020.”

In an opinion published Thursday, the FEC said the rules would be relaxed because Area 1 “would offer these services in the ordinary course of business and on the same terms and conditions as offered to similarly situated non-political clients.” In other words, political campaigns are not given a special deal but are offered the same price as others on its lowest tier of service.

Several other companies, like Facebook and Google-owned Jigsaw, have already offered free services to campaigns to fight disinformation and foreign hacking efforts.

However, many political campaigns are still not taking basic security precautions, researchers found.

A spokesperson for Area 1 did not return a request for comment.

It’s not just you, Twitter is down

Twitter is currently down across the web.

At about 2:45 pm ET, the desktop and mobile site were down, displaying a “Something is technically wrong” error. The app was also not working.

At the time of writing, Twitter’s status page confirmed there was an “active incident,” adding: “We are currently investigating dependencies for Twitter data. Scope of affected APIs is undetermined at this time.”

A spokesperson for Twitter did not immediately comment.

We’ll have more when we get it.


Apple has pushed a silent Mac update to remove hidden Zoom web server

Apple has released a silent update for Mac users removing a vulnerable component in Zoom, the popular video conferencing app, which allowed websites to automatically add a user to a video call without their permission.

The Cupertino, Calif.-based tech giant told TechCrunch that the update — now released — removes the hidden web server, which Zoom quietly installed on users’ Macs when they installed the app.

Apple said the update does not require any user interaction and is deployed automatically.

The video conferencing giant took flack from users following a public vulnerability disclosure on Monday by Jonathan Leitschuh, in which he described how “any website [could] forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.” The undocumented web server remained installed even if a user uninstalled Zoom. Leitschuh said this allowed Zoom to reinstall the app without requiring any user interaction.

He also released a proof-of-concept page demonstrating the vulnerability.

Although Zoom released a fixed app version on Tuesday, Apple said its actions will protect users both past and present from the undocumented web server vulnerability without affecting or hindering the functionality of the Zoom app itself.

The update will now prompt users if they want to open the app, whereas before it would open automatically.

Apple often pushes silent signature updates to Macs to thwart known malware — similar to an anti-malware service — but it’s rare for Apple to take action publicly against a known or popular app. The company said it pushed the update to protect users from the risks posed by the exposed web server.

Zoom spokesperson Priscilla McCarthy told TechCrunch: “We’re happy to have worked with Apple on testing this update. We expect the web server issue to be resolved today. We appreciate our users’ patience as we continue to work through addressing their concerns.”

More than four million users across 750,000 companies around the world use Zoom for video conferencing.

What CISOs need to learn from WannaCry

In 2017 — for the first time in over a decade — a computer worm ran rampant across the internet, threatening to disrupt businesses, industries, governments and national infrastructure across several continents.

The WannaCry ransomware attack became the biggest threat to the internet since the Mydoom worm in 2004. On May 12, 2017, the worm infected millions of computers, encrypting their files and holding them hostage for a bitcoin payment.

Train stations, government departments, and Fortune 500 companies were hit by the surprise attack. The U.K.’s National Health Service (NHS) was one of the biggest organizations hit, forcing doctors to turn patients away and emergency rooms to close.

Earlier this week we reported a deep-dive story into the 2017 cyberattack that’s never been told before.

British security researchers — Marcus Hutchins and Jamie Hankins — registered a domain name found in WannaCry’s code in order to track the infection. It took them three hours to realize they had inadvertently stopped the attack dead in its tracks. That domain became the now-infamous “kill switch” that instantly stopped the spread of the ransomware.

As long as the kill switch remains online, no computer infected with WannaCry would have its files encrypted.

But the attack was far from over.

In the days following, the researchers were attacked by an angry botnet operator pummeling the domain with junk traffic to try to knock it offline, and two of their servers were seized by police in France, who thought the servers were contributing to the spread of the ransomware.

Worse, their exhaustion and lack of sleep threatened to derail the operation. The kill switch was later moved to Cloudflare, which has the technical and infrastructure support to keep it alive.

Hankins described it as the “most stressful thing” he’s ever experienced. “The last thing you need is the idea of the entire NHS on fire,” he told TechCrunch.

Although the kill switch is in good hands, the internet is just one domain failure away from another massive WannaCry outbreak. Just last month two Cloudflare failures threatened to bring the kill switch domain offline. Thankfully, it stayed up without a hitch.

CISOs and CSOs take note: here’s what you need to know.

Flaws in hospital anesthesia and respiratory devices allow remote tampering

Security researchers have found a vulnerability in a networking protocol used in popular hospital anesthesia and respiratory machines, which they say if exploited could be used to maliciously tamper with the devices.

Researchers at healthcare security firm CyberMDX said that the protocol used in the GE Aestiva and GE Aespire devices can be used to send commands if they are connected to a terminal server on the hospital network. Those commands can silence alarms, alter records — and can be abused to change the composition of aspirated gases used in both the respirator and the anesthesia devices, the researchers say.

Homeland Security released an advisory on Tuesday, saying the flaws required “low skill level” to exploit.

“The devices use a proprietary protocol,” said Elad Luz, CyberMDX’s head of research. “It’s pretty straightforward to figure out the commands.”

One of those commands forces the device to use an older version of the protocol — which is still present in the devices to ensure backwards compatibility, said Luz. Worse, none of the commands requires any authentication, he said.

“On every version, you can first send a command to request to change the protocol version to the earliest one, and then send a request to change gas composition,” he said.

“As long as the device is ported to the network through a terminal server, anyone familiar with the communication protocol can force a revert and send a variety of illegitimate commands to the machine,” he said.

In other words, the devices are far safer if they’re not connected to the network.

CyberMDX disclosed the vulnerabilities to GE in late October 2018. GE said versions 7100 and 7900 of the Aestiva and Aespire models are affected. Both models are deployed in hospitals and medical facilities across the U.S.

GE spokesperson Amy Sarosiek told TechCrunch: “After a formal risk investigation, we have determined that this potential implementation scenario does not introduce clinical hazard or direct patient risk, and there is no vulnerability with the anesthesia device itself.”

GE said it based its assessment of no risk to patient care on international healthcare safety standards and testing maximum variation in parameter modification from the disclosed concern. “Our assessment does not lead us to believe there are patient safety issues,” the spokesperson said.

The company declined to say how many devices are affected, but said that the ability to modify gas composition is no longer available on systems sold after 2009.

It’s the second set of vulnerabilities in as many months released by CyberMDX. In June the research firm found vulnerabilities in a widely used medical infusion pump.

Mozilla blocks spy firm DarkMatter from Firefox citing ‘significant risk’ to users

Firefox maker Mozilla said it will not trust certificates from surveillance maker DarkMatter, ending a months-long effort to be whitelisted by the popular browser.

Months earlier, the United Arab Emirates-based DarkMatter had asked Mozilla to formally trust its root certificates in the Firefox certificate store, a place in the browser reserved for certificate authorities that are trusted and approved to issue HTTPS certificates. Mozilla and other browser makers use this store to know which HTTPS certificates to trust, effectively allowing these certificate authorities to confirm a website’s identity and certify that data going to and from it is secure.

But a rogue or malicious certificate authority could allow the interception of encrypted internet traffic by faking or impersonating websites.

DarkMatter has a history of controversial and shady operations, including developing malware and spyware to be used in surveillance operations, as well as the alleged targeting of journalists critical of the company. Just weeks ago, Reuters reported that the Emirati company — which employs former U.S. National Security Agency hackers — targeted several media personalities and dissidents at the behest of the Arab monarchy.

But the company has a clean record as a certificate authority, putting Mozilla in a tough spot.

Either Mozilla could accept DarkMatter’s record as a certificate authority or reject it based on a perceived risk.

As it turns out, the latter won.

“Our foremost responsibility is to protect individuals who rely on Mozilla products,” said Wayne Thayer, certification authority program manager at Mozilla, in a discussion group post on Tuesday. He added that DarkMatter poses “a significant risk to our users.”

“I believe this framing strongly supports a decision to revoke trust in DarkMatter’s intermediate certificates,” he wrote.

Thayer added that although both sides of DarkMatter’s business were taken into account, the browser maker cited a core Mozilla principle — “individuals’ security and privacy on the internet are fundamental and must not be treated as optional” — as a reason to reject the proposal.

Mozilla said it would also distrust six intermediate certificates in the meantime.

DarkMatter did not respond to a request for comment Tuesday.

Marriott to face $123 million fine by UK authorities over data breach

The U.K. data protection authority said it will serve hotel giant Marriott with a £99 million ($123M) fine for a data breach that exposed up to 383 million guests.

Marriott revealed last year that its acquired Starwood properties had its central reservation database hacked, including five million unencrypted passport numbers and eight million credit card records. The breach dated back to 2014 but was not discovered until November 2018. Marriott later pulled the hacked reservation system from its operations.

The U.K.’s Information Commissioner’s Office (ICO) said its investigation found that Marriott “failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”

The breach affected about 30 million residents of the European Union, according to the ICO, which confirmed the proposed fine in a statement Tuesday.

But Marriott said it “has the right to respond” before a fine is imposed and “intends to respond and vigorously defend” its position.

“We are disappointed with this notice of intent from the ICO, which we will contest,” said Marriott’s chief executive Arne Sorenson, in a statement. “Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database.”

Under the new GDPR regime, the ICO has the right to fine up to four percent of a company’s annual turnover. Given Marriott made about $3.6 billion in revenue during 2018, the ICO’s fine represents about 3 percent of the company’s global revenue.

The ICO said Marriott will be given an opportunity to discuss the proposed findings and sanctions.

“The ICO will consider carefully the representations made by the company and the other concerned data protection authorities before it takes its final decision,” said the U.K. data protection authority.

The proposed Marriott fine comes hot on the heels of a record $230 million fine imposed by the ICO on Monday following the British Airways data breach. The airline confirmed about 500,000 customers had their credit cards skimmed over a three-week period between August and September 2018.

Researchers said a credit card stealing group known as Magecart was to blame.

The sinkhole that saved the internet

It was late afternoon on May 12, 2017. Two exhausted security researchers could barely unpack the events of what had just happened.

Marcus Hutchins and Jamie Hankins, who were working from their homes in the U.K. for Los Angeles-based cybersecurity company Kryptos Logic, had just stopped a global cyberattack dead in its tracks. Hours earlier, WannaCry ransomware began to spread like wildfire, encrypting systems and crippling businesses and transport hubs across Europe. It was the first time in a decade a computer worm began attacking computers on a massive scale. The U.K.’s National Health Service (NHS) was one of the biggest organizations hit, forcing doctors to turn patients away and emergency rooms to close.

Hours after the disruption began to break on broadcast news networks, Hutchins — who at the time was only known by his online handle @MalwareTech — became an “accidental hero” for inadvertently stopping the cyberattack.

The internet, still reeling from the damage, had gotten off lightly. The two researchers, at the time both in their early 20s, had saved the internet from a powerful nation-state attack launched by an enemy using hacking tools developed by the West.

But the attack was far from over.

Hutchins and Hankins knew if the kill switch went down, the malware would pick up where it left off, infecting thousands of computers every minute. Puffy-eyed and sleep deprived, they knew the domain had to stay up at all costs. The researchers fended off several attacks from an angry operator of a botnet trying to knock the domain offline with junk internet traffic. And, at one point, law enforcement seized two of their servers from a datacenter in France amid confusion that the domain was helping to spread WannaCry and not preventing it.

With the pressure on but running on empty, Hankins — who was also only pseudonymously known as @2sec4u — fought to stay awake, and would fall asleep on his couch where he worked for hours at a time, laptop still open, only to be jolted awake by messages on Slack or Skype, which the researchers used to talk.

Every time he heard an alert, he feared the kill switch had gone offline.

“Being responsible for this thing that’s propping up the NHS? Fucking terrifying,” Hankins told TechCrunch. “The last thing you need is the idea of the entire NHS on fire.”

“It was probably the most stressful thing to happen to me,” he said.


‘I think we can stop it’

U.K. news networks began rolling coverage of the cyberattack hours after it began on May 12. Hankins had the television on in the background.

The chyrons reported disruption at several major London hospitals. Staff were locked out of their computer stations, files were encrypted, and their screens were demanding a ransom with a timer ticking down. The NHS had declared a major incident. Telecoms giant Telefonica was also hit, as well as shipping giant FedEx, car maker Renault, Germany’s rail system and several Russian government departments.

British prime minister Theresa May called it an “international cyberattack,” one the government seemed powerless to stop.

WannaCry was spreading from computer to computer, a feature not seen in ransomware before. Blame quickly fell on hacking tools developed by the National Security Agency that had been stolen and published on the web for anyone to use weeks earlier. One such exploit, DoublePulsar, backdoored vulnerable computers, while another, EternalBlue, was used to deliver and spread the ransomware inside a network.

Microsoft had released patches for the flaws exploited by the hacking tools months earlier. The many who had not patched saw their systems go down, one after the other.

“It was just indiscriminately wiping things out,” Hutchins said.


(The countdown and ransom window when WannaCry infects a computer. Image: file photo)

By registering the domain, Hutchins had “sinkholed” the ransomware, allowing him to capture and dispose of malicious internet traffic. It was not unusual for Hutchins to find and register a domain found in a malware sample. As part of his botnet and malware tracking efforts he would often take control of unregistered domains — assuming they were a malware control server — to see how far and fast the malware was spreading. The end goal was to direct the malicious traffic into a void to identify victims and prevent further infections.

With one domain down, Hutchins suspected the malware could jump to another and asked Hankins to look. It’s not uncommon for malware to generate new domains to try to evade detection.

“Holy shit, I think we can stop it,” Hankins responded.

By 6:30 p.m., there was a frenetic discussion in the researchers’ Slack room, trying to understand what the domain Hutchins had registered actually did. But it took the researchers close to an hour to understand the complex but short fragment of the malware’s code that contained the domain Hutchins sinkholed.

“We were very much looking at an if-else statement,” Hankins told me, speaking of the stress in the moment. “It was incredibly hard to think because if we fucked this up it would have been worse.”

For a few minutes the researchers panicked, thinking the domain registration was causing the infections. They went back and forth analyzing the code, unsure if they should keep the domain up or not, fearing they were making matters worse. Then the eureka moment hit. The ransomware would only detonate its payload if the domain did not exist.

“If the domain is reachable it won’t infect — I think,” Hankins wrote.

“You are causing me to have the longest anxiety attack ever,” Hutchins replied. “I think I’m gonna be sick.”

Hankins said the stress of the situation made analyzing the code much more difficult. The news played in the background, adding to the constant pressure.

“It took us 45 minutes to look at this code,” he said. “From a reverse-engineering point of view this is not complicated.”

His Fitbit data showed at one point his heart rate was averaging about 140 beats per minute — the equivalent of intense exercise — while he was sitting at his desk.

Data collected from the kill switch showed it prevented the ransomware from triggering on about a million infections in just two days. The real figure was likely far higher, since that count does not include the vast, unknown number of affected computers sitting behind a single internet-connected central server. The world had not seen a computer worm spread with such tenacity since the likes of Blaster and Mydoom in the early 2000s.
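The sinkhole described above works because every infected machine checks the domain before it acts, so the sinkhole’s web server log is, in effect, a census of infections. The following script is an added example, not code from the original story or from Kryptos Logic, showing how a defender turns such a log into victim counts. It assumes the sinkhole is an ordinary HTTP server writing Apache combined-format log lines, treats requests for the root path as the malware’s check (an assumed beacon signature, not WannaCry’s actual request), and discards anything else as crawler or probe noise. It also flags sources that beacon unusually often, which is the cue that many hosts may be sitting behind one gateway, the reason a unique-address count is only a lower bound. The log lines are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log in Apache combined format (documentation IP ranges,
# not real sinkhole traffic). One line is deliberately malformed.
SAMPLE_LOG = """\
198.51.100.7 - - [12/May/2017:16:05:01 +0000] "GET / HTTP/1.1" 200 0 "-" "Microsoft-WinHTTP/6.1"
198.51.100.7 - - [12/May/2017:16:05:03 +0000] "GET / HTTP/1.1" 200 0 "-" "Microsoft-WinHTTP/6.1"
203.0.113.42 - - [12/May/2017:16:06:10 +0000] "GET / HTTP/1.1" 200 0 "-" "Microsoft-WinHTTP/6.1"
203.0.113.42 - - [12/May/2017:16:06:11 +0000] "GET / HTTP/1.1" 200 0 "-" "Microsoft-WinHTTP/6.1"
203.0.113.42 - - [12/May/2017:16:06:12 +0000] "GET / HTTP/1.1" 200 0 "-" "Microsoft-WinHTTP/6.1"
203.0.113.42 - - [12/May/2017:16:06:13 +0000] "GET / HTTP/1.1" 200 0 "-" "Microsoft-WinHTTP/6.1"
192.0.2.9 - - [12/May/2017:16:07:30 +0000] "GET / HTTP/1.1" 200 0 "-" "Microsoft-WinHTTP/6.1"
192.0.2.9 - - [12/May/2017:16:08:00 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0 (compatible; crawler)"
this line is garbage and should be skipped
"""

# Assumption for this example: the malware's check is a plain GET of the root path.
ASSUMED_BEACON_PATH = "/"

# source, timestamp, method, path, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, path, status = m.groups()
    return {
        "src": src,
        "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
        "method": method,
        "path": path,
        "status": int(status),
    }


def summarize(log_text, nat_threshold=4):
    """Count beacons per source and flag sources that look like shared gateways.

    unique_sources is a lower bound on infections: a NAT gateway or proxy hides
    every host behind it under one address, which is why heavy beaconers are
    reported separately rather than counted as a single victim.
    """
    per_source = Counter()
    parsed = noise = 0
    first_seen = None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        if rec["method"] != "GET" or rec["path"] != ASSUMED_BEACON_PATH:
            noise += 1
            continue
        per_source[rec["src"]] += 1
        if first_seen is None or rec["time"] < first_seen:
            first_seen = rec["time"]
    return {
        "parsed": parsed,
        "noise_hits": noise,
        "beacon_hits": sum(per_source.values()),
        "unique_sources": len(per_source),
        "per_source": dict(per_source),
        "likely_nat": sorted(s for s, n in per_source.items() if n >= nat_threshold),
        "first_seen": first_seen.isoformat() if first_seen else None,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['unique_sources']} distinct sources beaconed "
          f"{report['beacon_hits']} times (first seen {report['first_seen']})")
    for src in report["likely_nat"]:
        print(f"{src}: {report['per_source'][src]} beacons, probably several hosts behind one gateway")
```

The NAT threshold is a tunable guess; in practice an analyst would correlate the heavy beaconers with WHOIS or ASN data to identify the organisation behind each gateway and notify it, which is how the kill switch data ended up identifying affected organisations.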

“I didn’t think it was a big deal until I started seeing the requests and how many organizations were infected,” said Hutchins. He described how “cognitive distance” helped to keep him focused on the issue and not the damage or human cost that was caused by WannaCry.

Hutchins only wanted an insight into the malware campaign. He did not know that registering the domain hours earlier would stop the ransomware from spreading and encrypting.

Hutchins quickly became known as an “accidental hero.”

Under attack

By 7 a.m. the two researchers were back talking on Slack. An hour later, the kill switch was under attack.

Mirai, a powerful botnet made up of hundreds of thousands of hijacked Internet of Things devices and responsible for the “largest ever” distributed denial-of-service attack, began pummeling the kill switch domain with a deluge of junk internet traffic. Months earlier the botnet targeted Dyn, a critical networking company, knocking it offline — and major tech brands reliant on its service — by overloading it with too much internet traffic. In a separate incident the botnet also knocked Liberia offline, a small coastal African nation, by flooding its single undersea fiber cable with internet traffic.

Before WannaCry, Mirai was one of the many botnets under the watch of the researchers. Each time the botnet struck, a dedicated Twitter account would tweet out the target.

It was their turn to be targeted by the botnet.

“We were quite public in tracking Mirai,” said Hankins. “They weren’t fans of us.”

The kill switch held its ground by automatically scaling up the number of Amazon-hosted servers to absorb as much of the traffic as possible. Mirai was hitting the sinkhole hard but the server stayed up.

“We were being hammered,” said Hankins.

Kryptos Logic’s chief executive Salim Neino was in regular contact with the researchers but largely left them to manage the situation themselves. In the late evening, Hankins briefed his boss on the events.

“You’re saying [if] our sinkhole dies those devices get infected?” asked Neino.

“Yes,” Hankins responded.

“Who is watching this?” asked Neino.

“The entire world,” Hankins replied.

“Marcus and I had never dealt with a real-time incident for that long,” Hankins said as he looked back at the Slack messages from the end of the second day after WannaCry hit. “We didn’t have anyone guiding us. You see all these very senior network defenders and companies with all this experience. Meanwhile Marcus landed this very important domain and now we’re at the heart of this global disaster.”

As the internet breathed a sigh of relief thinking the danger was over, most had no idea that any downtime would result in devastating consequences. Even though the ransomware was no longer encrypting files, the now-dormant malware still posed a risk if the kill switch went offline — or if an infected computer or network could no longer communicate with the kill switch. Other attackers were fast to reengineer WannaCry to change the kill switch domain, but other security researchers quickly sinkholed new variants, reducing the spread of the ransomware.

Many thought the researchers were “going to fuck this up,” said Hankins.

Doxxed

After having been awake for more than 30 hours since the attack, Hutchins eventually got some sleep. The next morning, he woke up to find his face plastered on the front of the Sunday editions of the British tabloid newspapers. The media had found him.

Some reporters called Hutchins a “hero,” while others worked unscrupulously to uncover his identity. Given his work uncovering and researching malware and criminal botnets, Hutchins only ever went by his online handle, MalwareTech. Only a trusted few knew both his handle and his name.

Hutchins said he was not expecting a media swarm.

He had not left his room in days, his head down trying to understand more about the scope and impact of the malware. He said reporters came to his house; his parents told him they were camped out on his front lawn.

He did not fear for his safety but was frustrated by the attention. “I’m just unhappy with trying to help clear up Friday’s mess with the doorbell going constantly,” he tweeted.

Unwavering, Hutchins stayed at his desk and continued to work. “I’ve been replying to [direct messages] for three hours,” Hutchins told Hankins in a Slack message about the deluge of press inquiries and support from fellow security researchers. “Still can’t see the bottom.”


(Several U.K. National Health Service hospitals were knocked offline by the WannaCry attack. Image: Getty Images)

The media’s obsession with Hutchins did not go away. Notwithstanding his role in registering the kill switch, he was also an active tweeter, quickly becoming the public face of WannaCry and its ongoing developments.

Determined to know more about the secretive then-22-year-old, reporters contacted his friends, turned up at their houses, and offered them money for information.

The security community was furious. His allies took to Twitter to denounce efforts to dox Hutchins. It’s not uncommon for security researchers to go by pseudonyms or online handles. So much so, even the U.K. National Cyber Security Centre recognized him as “MalwareTech” in his byline on a post on the organization’s blog.

Now with his identity out, Hutchins knew it would be easier for criminal groups to target him for his previous unrelenting work to uncover their malicious online operations. But in the midst of fighting off a multitude of threats targeting the kill switch, he feared the unwanted attention would distract him from his current work.

“It was a huge problem,” he told me. While the media swarmed his friends and family, the researchers were still battling attacks and efforts to knock the kill switch offline.

“I don’t work well with that kind of attention,” said Hutchins. “I can deal with stress, but attention is not something I’m very good with.”

“Having like a million journalists all over you for weeks on end? It’s not fun,” he said.

Later that day Hankins went out and bought all of the Sunday newspapers for Hutchins as a keepsake.

Hutchins absorbed most of the media attention. But Hankins, whose real name was also not public at the time of the WannaCry attack and who only in recent months began to use his real-world name on his Twitter account, feared his identity would also be uncovered.

“I was worried [reporters] were going to turn up at my place next,” Hankins told me. He said he had devised a plan in the event that reporters also found his home address.

“My plan was instead of going out the front door where the journalists would have been to go through my side door and then out the back — which had like a back street — and a friend would pick me up in their car and I’d go and stay with them,” he explained.

But even with the attention Hutchins said he did not regret his role in stopping WannaCry. “I probably would have tried to hide a bit better,” he joked. “But yeah, I did not really enjoy any of this.”

The cavalry arrives

The following day on Monday, Britain went back to work for the first time since the cyberattack.

Many businesses had fallen victim to WannaCry, and their systems were offline. Others whose systems had not yet been ransomed had no idea their systems were also infected. The kill switch was the only thing preventing another outbreak. The U.K.’s National Health Service was on high alert in anticipation of a “second spike,” amid ongoing disruption across the organization. U.K. authorities had joined the global manhunt for the attackers behind the attack days earlier.

But when the researchers weren’t being hit by a barrage of attacks, they knew that the cumulative pressure, exhaustion, and lack of sleep were untenable.

“I wasn’t desperate to hand it off,” Hutchins admitted. “I wanted to keep control of it.” He feared handing it off would make it far more difficult to identify and notify businesses and government organizations infected but not yet ransomed by WannaCry.

“But I came to the realization that there is a huge personal risk of me doing this,” he said. “It was a week of just pure dread every time a server went down. It was more logical just to hand it off and then get some sleep.”

Hankins told TechCrunch that several companies offered to host the kill switch but the researchers were cautious of trusting anyone. “For us it was vital to keep it alive, but for others it was an opportunity to get on this huge press cycle,” he said.

The duo knew people at Cloudflare, a security and networking giant, and reached out for help. The internet company provides many services like domain registration and protection against distributed denial-of-service attacks.

Hutchins and Hankins approached Cloudflare two days after WannaCry hit, said Justin Paine, Cloudflare’s director of trust and safety. Chief executive Matthew Prince had already given Paine the go-ahead to give the researchers whatever they needed, offering the company’s suite of services for free.

Mirai continued to attack the kill switch with everything it had, Paine said. The rush was on to get the kill switch onboarded and protected as soon as possible.

It had just gone past midnight in the U.K. on May 16th when the handover was completed.

For its part, Cloudflare kept quiet about the arrangement. The company did not put out a press release or blog post acknowledging its part in supporting the kill switch. For most it was an invisible partnership; the only giveaway was that the domain name resolves to a Cloudflare name server, something ordinary internet users would not notice.

“We couldn’t have done it without them,” said Hankins.

92-hour week

Two years later, the kill switch has not gone down once.

The ransomware continues to lurk in thousands of networks around the world, ready to encrypt the files on millions of computers, despite patches having been available for the past two years. Hankins said that in June 2019 alone the kill switch prevented about 60 million ransomware detonations.

Hackers working for North Korea were later blamed for the cyberattack.

“After it was confirmed it had been stopped, there was a ‘holy shit’ moment that this was one of the biggest things in recent cyber history,” Hutchins said. “This is the first case of any kind of ransomware worm.”

Hankins worked about 92 hours in five days and slept only a few hours a night, according to his Fitbit data. At one point, U.K. government officials privately reached out to the researchers to offer help but also to check on their well-being, knowing the stress they were under.

“I think we struggled but we did a reasonable job,” he told me.

(One of the mugshots of the North Korean hackers accused of launching the WannaCry attack. Image: Getty Images)

All seemed well until last month when a Cloudflare outage knocked a portion of the internet offline for several hours. The cause was blamed on Verizon (which owns TechCrunch) for mishandling the internet traffic. Cloudflare’s Prince tweeted angrily at the telecom giant.

But the kill switch did not buckle. Hankins tweeted that the outage had not affected the WannaCry kill switch. There were 220,000 attempted WannaCry executions during the outage, he told TechCrunch.

“This wasn’t Cloudflare’s fault nor was there really anything we could do about it,” Hankins tweeted. “Outages and issues happen all the time and sometimes they can be incredibly localized and hard to detect.”

As long as computers are infected with WannaCry and are not patched, data remains at risk — and at the mercy of the kill switch.

“Just remove this shit from your networks please,” he tweeted.

Paine said Cloudflare still receives a handful of requests to take down the domain each year, thinking the domain is spreading WannaCry — not preventing it.

“We have to educate people that it’s the exact opposite of what you really want here,” said Paine. “If we took down that domain it would be a much worse day for you.”

Round two: BlueKeep

In August 2017, three months after the WannaCry attack, Hutchins was arrested by U.S. authorities at McCarran International Airport in Las Vegas as he boarded a plane back to the U.K., on charges of creating malware in his teenage years — unrelated to WannaCry. He pleaded guilty and will be sentenced in late July. His supporters have called for clemency given Hutchins’ more recent and concerted efforts to protect users from security threats.

Hankins, now the head of security and threat intelligence at Kryptos Logic, retains control over the kill switch and provides businesses and governments with access to localized infection data.

Almost exactly two years after WannaCry first hit, a new vulnerability appeared. Nicknamed “BlueKeep” by security researcher Kevin Beaumont, the flaw had a worm-like property similar to WannaCry’s, allowing it to spread from computer to computer.

“I was panicking,” Hankins said. The emergence of BlueKeep brought back a lot of emotions from the week that WannaCry hit, he said.

Microsoft released patches but about a million computers were still vulnerable by the time the National Security Agency issued its own rare advisory just weeks later. BlueKeep is seen as one of the most significant threats to vulnerable computers since WannaCry. Although no exploit code has yet been made public, Homeland Security has warned that it is only a matter of time before hackers figure out how to abuse the flaw and launch an attack.

“We saw this once before,” he said. “We need to stop this — but obviously there was fuck all we could do.”

“We’re not getting a kill switch this time.”
