Marcus Hutchins, the WannaCry Hero, Will Not Serve Jail Time

Remember the WannaCry ransomware attack back in 2017? Well, the malware researcher who stopped the ransomware, and became the accidental hero in the entire story, Marcus Hutchins, will not serve jail time.

Marcus Hutchins, who was hailed as a hero for his role in stopping the "WannaCry" virus, was sentenced to time served by US District Judge J.P. Stadtmueller. J. P. Stadtmueller, the presiding judge in the case against Hutchins said that he took into consideration Hutchins’ age at the time of the crime, and the fact that he turned his life around before charges were brought in his decision to not sentence him to any jail time.

Hutchins, 25, served just a few days in jail after being arrested in Las Vegas in 2017, but had been required to stay in the US while his case was pending.

Hutchins spoke briefly Friday, apologising to his victims.

"I deeply regret my conduct and the crimes in which I was involved." Later in his statement he said: "My plan is to continue my work in security but if possible I would like to dedicate more time to teaching the next generation of security experts."

Brian Klein, one of the attorneys representing Marcus Hutchins said, in light of his sentencing, “We are thrilled that the judge recognized Marcus’ very important contributions to keeping the world safe and let him go home a free man today.”

That said, Judge Stadtmueller did mention that Hutchins’ sentencing may bar him from re-entering the United States. Hutchins’ attorney, Klein said, “Without precedent but more than appropriately, the judge encouraged Marcus to seek a pardon.” He also added “We plan to explore those opportunities.”
In a tweet after the hearing, Hutchins said he hopes he's able to return to the US someday.

FBI agents had been investigating Hutchins for years before his arrest. Less than two months after his claim to fame, they arrested him and accused him of creating malware to steal banking passwords.
But Stadtmueller said the crimes Hutchins committed paled to the damage the WannaCry virus did by infecting billions of computers worldwide. He praised Hutchins' "foresight and ability to put in place in a matter of hours a kill switch" to stop the virus.

"It makes the facts of the case that's before the court today virtually pale in comparison," the judge said.

Hutchins was indicted on 10 charges for developing two pieces of malware and lying to the FBI. Prosecutors said Hutchins conspired to distribute the malware — UPAS Kit and Kronos — from 2012 to 2015 and that he sold Kronos to someone in Wisconsin. He also "personally delivered" the software to someone in California, prosecutors said.

Prosecutors in Milwaukee had made no specific sentence recommendation. They also credited Hutchins for his role in stopping the WannaCry virus and for accepting responsibility for his actions during a plea deal in April , but said he still deserved to be punished.

The fact that Hutchins now works to stop malware attacks should not diminish the seriousness of what he did, prosecutors insisted.

"Like a man who spent years robbing banks, and then one day came to realize that was wrong, and even worked to design better security systems, he deserves credit for his epiphany. But he still bears responsibility for what he did," prosecutors said.

While his case was pending, prosecutors barred Hutchins from returning home, so he worked as a cybersecurity consultant in California.

He had faced up to 10 years in prison, but presentencing documents from the U.S. Probation Office recommended he serve 14 months at most.

Hutchins initially pleaded not guilty to all charges and was scheduled to go on trial this month. As part of the deal, Hutchins pleaded guilty to two charges for creating Kronos — and an updated version of UPAS — and conspiring to distribute it. In exchange, prosecutors dismissed the other eight charges.

Kronos was "used to infect numerous computers around the world and steal banking information," prosecutors said. But they couldn't provide an exact number of victims, they said, partly because the malware was designed to be undetectable on computers.

However, prosecutors said in their presentencing memo that the impact of the malware Hutchins created are still being felt, noting that "international cyber security firms have reported hundreds of Kronos alerts over the years."

One firm detected Kronos more than 600 times between 2014 and 2019 around the world, prosecutors said.

It's unclear how much Hutchins profited from creating the malware, but in online chats the FBI intercepted on November 2014, Hutchins lamented he had only made $8,000 from five sales. Hutchins said he thought he would be making around $100,000 annually by selling Kronos with one of his conspirators, who was named in the indictment only by his aliases, "Vinny," ''VinnyK" and "Aurora123."