WEBVTT

00:00:00.000 --> 00:00:05.290
[Music]

00:00:10.960 --> 00:00:13.679
A small note before we start.

00:00:13.679 --> 00:00:26.000
As much as this video is meant to be a storytelling experience, I have also intended it to be educational, and so I have coupled the story along with how some of these attacks and technologies work.

00:00:26.000 --> 00:00:33.120
This is my first documentary-style video, and so I appreciate any and all feedback in the comments below.

00:00:33.120 --> 00:00:38.640
I really hope you enjoy and hopefully learn a few new things.

00:00:40.800 --> 00:00:48.719
Right now a crippling cyber attack has businesses around the world on high alert: the ransomware known as WannaCry.

00:00:48.719 --> 00:01:11.990
Want to move on to the other developing story this morning, the global cyber attack. The National Security Agency developed this software, and it's now being used by criminals around the world to demand ransom. Security experts say this is one of the worst and most widespread pieces of malware they've ever seen.

00:01:11.990 --> 00:01:16.550
[Music]

00:01:20.080 --> 00:01:38.159
In May of 2017, a worldwide cyber attack by the name of WannaCry, short for WanaCrypt0r, impacted over 150 countries and hit around 230,000 computers globally. Needless to say, it became known as one of the biggest ransomware attacks in history.

00:01:38.159 --> 00:01:43.119
Let's start at the very beginning, on the morning of the 12th of May 2017.

00:01:43.119 --> 00:02:20.640
According to Akamai, a content delivery network, this was the timeline. Reportedly, the first case identified originated from a Southeast Asian ISP and was detected at 7:44 AM UTC. Over the next hour there were cases seen from Latin America, then continental Europe and the UK, then Brazilian and Argentinian ISPs, until at 12:39 PM UTC 74% of all ISPs in Asia were affected, and by 3:28 PM UTC the ransomware had taken hold of 65 percent of Latin American ISPs.

00:02:20.640 --> 00:02:34.640
WannaCry was spreading, and at an incredible rate. Prior to this, such a quick and widespread ransomware was unheard of. A lot of organizations, unable to recover their losses, were forced to permanently shut down.

00:02:34.640 --> 00:02:42.480
Some had to put a pause on their networks and services and reported huge losses, some in the millions of dollars.

00:02:42.480 --> 00:03:12.159
The attack did not discriminate: small to medium-sized businesses, large enterprises, the private sector, the public sector, railways, healthcare, banks, malls, ministries, police, energy companies, ISPs, and there just seemed to be no end to the victims. Within a few hours it had spread to over 11 countries, and by the end of the first day of the attack the ransomware had been encountered in 74 countries, within thousands and thousands of organizations.

00:03:12.159 --> 00:03:23.040
And so it begged the question: how much damage will this really cause over the next few days, or weeks, or months, if no solution presents itself?

00:03:23.440 --> 00:03:33.280
Your surface has been temporarily disconnected.

00:03:33.280 --> 00:03:52.239
Ransomware works in a very simple manner. It is the type of malware most commonly spread through phishing attacks, which are essentially emails used to trick a user into clicking a link that leads them to a website where they enter sensitive data, or to download attachments which, if executed, will infect the computer.

00:03:52.239 --> 00:04:15.840
Although initially suspected, WannaCry did not originate from a phishing attack, but we'll get to that later. Once a computer is infected, the ransomware runs an encryption process, and usually in less than a minute some or all of the files in the user's computer, depending on what the ransomware is meant to affect, are converted from plaintext to ciphertext.

00:04:15.840 --> 00:04:34.560
Plaintext is readable or comprehensible data, and ciphertext is unintelligible gibberish. In order to turn this back into plaintext, the user will need what is known as a decryption key, which the attacker promises to provide if the user were to pay the ransom.

00:04:34.639 --> 00:04:57.280
What makes ransomware so dreadful is that once your files have been encrypted, you can't exactly decrypt them and retrieve your data. Well, you can, but with the current technology we have, to break common encryption algorithms used in ransomware attacks, such as RSA, it would take millions to billions to trillions of years.

00:04:57.280 --> 00:05:00.410
[Music]

00:05:03.520 --> 00:05:26.240
This is what you'd see if you were to become infected with the WannaCry ransomware. In addition to this intimidating wallpaper, your documents, spreadsheets, images, videos, music, and most everyday productivity and multimedia files become encrypted, essentially being held hostage till the ransom payment has been made.

00:05:27.120 --> 00:05:35.199
The Wana Decrypt0r 2.0 comes with a set of instructions, in 28 different languages, for victims to follow in order to recover their files.

00:05:35.199 --> 00:05:47.680
The attackers demanded $300 worth of bitcoin, and after three days it would be updated to six hundred dollars. If the payment were to be made seven days after the infection, the files would be recoverable.

00:05:47.680 --> 00:06:02.400
However, despite this, they also go on to state that they will return the files for free to, quote, "users who are so poor that they couldn't pay", end quote, after six months. The method of payment: bitcoin.

00:06:04.160 --> 00:06:24.319
The reason that the attackers chose bitcoin was because it is what we know as a private cryptocurrency. This allows the holder of the currency to remain anonymous. Though the money could be traced to a cryptocurrency wallet, which is where the currency itself is stored, it would be exponentially difficult to find the owner of the wallet without extensive forensic analysis.

00:06:24.319 --> 00:06:48.000
This is the reason that bitcoin is used widely on the dark web to purchase guns, drugs, and other illegal goods and services that, for obvious reasons, you would not be able to find on the surface web.

00:06:48.000 --> 00:07:22.800
The problem with WannaCry, and what made it exponentially more dangerous than your average ransomware, was its propagating capabilities. But to understand this fully we need to go back in time a little bit, to 2016. In August of 2016 the Equation Group, suspected to have ties with the National Security Agency's Tailored Operations unit, and described by Kaspersky as one of the most sophisticated cyber attack groups in the world, was said to be hacked by a group called the Shadow Brokers. In this hack, disks full of NSA secrets were stolen.

00:07:22.800 --> 00:07:47.759
This was bad because the NSA houses what we know as nation-state attacks, which are exploits or hacking tools that are used to carry out a hack for their home country against another country. The NSA would essentially recruit a skilled hacker and give them a license to hack, which means if they did carry it out it wouldn't be illegal, at least in that country, and the hacker would not be charged.

00:07:48.639 --> 00:07:59.840
The danger here is that nation-state tools in themselves are usually pretty effective, especially considering they are to be used as weapons against entire states and countries.

00:08:03.599 --> 00:08:24.560
The NSA is said to have discovered a multitude of other vulnerabilities in the Windows OS as early as 2013, but was speculated to have developed exploits secretly and stockpiled them, rather than reporting them to Microsoft or the infosec community, so that they could weaponize them and utilize them in their nation-state and other attacks.

00:08:25.440 --> 00:08:40.719
The Shadow Brokers would go on to auction off some of these tools that were developed, but due to skepticism online on whether the hackers really did have files as dangerous as they had claimed, this would essentially go on to become a catastrophic failure.

00:08:40.719 --> 00:08:58.640
We can talk quite a bit about the Shadow Brokers; the story is itself worth examining individually, and maybe even in a separate video. But let's narrow our focus down to the leak that made WannaCry possible, which at that point was the fifth leak by the group and was said to be the most damaging one yet.

00:08:59.360 --> 00:09:39.519
On April 14, 2017, the Shadow Brokers would post a tweet that linked to their Steem blockchain, on a post titled "Lost in Translation". This leak contained files from the initial failed auction, which they now decided to release to the public for free. The description accompanying the leaked files doesn't really contain much worth noting. As always, the Shadow Brokers would use broken but still somewhat comprehensible English; however, this is widely speculated not to speak to their proficiency in the language, but rather to be an attempt to mislead analysts and prevent them from yielding any results regarding their identity characterized by how they type.

00:09:39.519 --> 00:10:05.839
The link, which has now been taken down, takes you to an archive filled with a number of Windows exploits developed by the NSA. It did contain many other valuable tools worth examining, but the ones relevant to our story, and what made a regular ransomware so destructive, were the payload DoublePulsar and the now infamous exploit used in the WannaCry attack: EternalBlue.

00:10:13.120 --> 00:10:15.440
[Music]

00:10:15.440 --> 00:10:32.399
Server Message Block version 1, or SMBv1, is a network communication protocol which was developed in 1983. The function of this protocol would be to allow one Windows computer to communicate with another and share files and printers on a local network.

00:10:32.399 --> 00:10:55.839
However, SMB version 1 had a critical vulnerability which allowed for what is known as remote arbitrary code execution, in which an attacker would be able to execute whatever code they'd like on their target or victim's computer over the internet, usually with malicious intent. The function of EternalBlue was to take advantage of this vulnerability.

00:10:55.839 --> 00:11:20.880
Essentially, I'm going to try and strip it down to simplify it as much as possible. When the Shadow Brokers first leaked the NSA tools, hackers took this opportunity to install DoublePulsar, which is a tool which opens what we commonly know in security as a backdoor. Backdoors allow hackers to create an entry point into the system, or a network of systems, and gain easy access later on.

00:11:20.880 --> 00:11:32.800
The initial infection of WannaCry is not known, but it is speculated that the attackers took advantage of the backdoor to deliver the payload. The payload in this case is the ransomware WannaCry.

00:11:32.800 --> 00:12:01.900
When a computer is infected with WannaCry, oddly, it then tries to connect to the following unregistered domain, which is basically a random string of numbers and letters. If it cannot establish a connection to this domain, then the real damage begins. It scans for port 445 on the network, which is the port that is used to host SMB version 1, and if the port is deemed to be open it would then proceed to spread to that computer. This is how it propagated so quickly.

00:12:01.900 --> 00:12:03.120
[Music]

00:12:03.120 --> 00:12:13.140
Whether or not the other users in the network actually downloaded or clicked on anything malicious, regardless, they would be infected, and in seconds all their data would be encrypted.

00:12:13.140 --> 00:12:14.399
[Music]

00:12:14.399 --> 00:12:37.519
So the damage came in two parts: the ransomware that encrypts the data, and the worm-like component that is used to spread the ransomware to any connected vulnerable devices in the network as a result of EternalBlue and DoublePulsar. The attack only affected Windows systems, mainly targeting Windows XP, Vista, Windows 7, Windows 8 and Windows 10.

00:12:37.519 --> 00:12:53.700
However, a month prior to the leak by the Shadow Brokers, on March 14, 2017, Microsoft was made aware of this vulnerability after it was publicly reported, almost five years after its discovery. Microsoft then released a critical patch to fix this vulnerability:

00:12:53.700 --> 00:12:54.920
[Music]

00:12:54.920 --> 00:12:57.040
MS17-010.

00:12:57.040 --> 00:13:20.800
However, despite the release of the patch, a significant number of organizations never updated their systems, and unfortunately there were still major organizations running Windows XP or Server 2003. These devices were at end of support, which means that even if updates were out they would not receive them, and would be completely vulnerable to the exploit.

00:13:20.800 --> 00:13:33.950
If you want to know more about the vulnerability that EternalBlue exploited, it is now logged in the National Vulnerability Database as CVE-2017-0144.

00:13:33.950 --> 00:13:38.200
[Music]

00:13:47.920 --> 00:14:13.519
Marcus Hutchins, also known online by his alias MalwareTech, was a 23-year-old British security researcher at Kryptos Logic in LA. After returning from lunch with a friend on the afternoon of the attack, he found himself scouring messaging boards, where he came across news of a ransomware rapidly taking down systems in the National Health Service, or NHS, all over the UK.

00:14:13.519 --> 00:14:33.279
Hutchins, who found it odd that the ransomware was consistently affecting so many devices, concluded that the attack was probably a computer worm and not just a simple ransomware. He quickly requested one of his friends to pass him a sample of the malware so that he could examine it and reverse engineer it to analyze exactly how it worked.

00:14:33.279 --> 00:14:48.079
Once he had gotten his hands on the malware sample, he ran it in a virtual environment with fake files and found out that it was trying to connect to an unregistered domain, which we discussed earlier in chapter 4.

00:14:48.079 --> 00:15:13.839
Hutchins would go on to register this domain for only $10.69, which, unbeknownst to him, would actually halt the WannaCry infection. He would later admit in a tweet that same day that the domain registration leading to a pause in the rapid infection was indeed an accident, dubbing Marcus Hutchins the accidental hero.

00:15:23.440 --> 00:15:37.440
To Hutchins, taking control of unregistered domains was just a part of his workflow when it came to stopping botnets and tracking malware. This was so that he could get further insight into how the malware or botnets were spreading.

00:15:37.440 --> 00:15:57.680
For those of you unaware of what a botnet is, it is essentially a group of computers that have been hijacked by malicious actors, or hackers, in order to be used in their attacks to drive excess network traffic or steal data. One computer that has been hijacked is called a bot, and a network of them is called a botnet.

00:15:57.680 --> 00:16:25.839
However, since, as we discussed earlier, the attack only executes if it's unable to reach the domains that it checks for, think of it as a simple if-then statement: if the infection cannot connect to X domain, then proceed with the infection; if it can reach X domain, stop the attack. And so the malware being able to connect to the domain was known as the kill switch, the big red button that stops the attack from spreading any further.

00:16:25.839 --> 00:16:30.399
But why would the attackers implement a kill switch at all?

00:16:30.399 --> 00:16:38.560
The first theory is that the creators of WannaCry wanted a way to stop the attack if it ever got out of hand or had any unintentional effects.

00:16:38.560 --> 00:17:10.109
The second, and the most likely, theory, proposed by Hutchins and other security researchers, was that the kill switch was present in order to prevent researchers from looking into the behavior of WannaCry if it was being executed within what is known in security as a sandbox. A sandbox is usually a virtual computer that is used to run malware. It is a contained environment with measures that have been taken to not infect any important files or spread to other networks, much like what I used in chapter 2 to demonstrate the WannaCry ransomware.

00:17:10.109 --> 00:17:12.160
[Music]

00:17:12.160 --> 00:17:34.000
Researchers use these sandboxes to run malware and then use tools to determine the behavior of the attack. This is what Hutchins did, with fake files as well. So the intent behind this kill switch was to destroy the ransomware if it existed within a sandbox environment, again since they didn't want researchers to be able to analyze exactly how it worked.

00:17:34.000 --> 00:18:03.039
However, since the attackers used a static domain, a domain name that did not change for each infection, instead of using dynamically generated domain names like other renditions of this concept would usually do, the WannaCry infections around the world believed that they were being analyzed in a sandbox environment and essentially killed themselves, since every single infection was trying to reach one single hard-coded domain, and now they could, after Hutchins had purchased it and put it online.

00:18:03.039 --> 00:18:17.200
If it had been a randomly generated domain name, then the infection would only have removed itself from Hutchins's sandbox environment, because the domain he registered would be unique to him and would not affect anyone else.

00:18:17.200 --> 00:18:43.840
This seems to be an amateur mistake, so amateur in fact that researchers have speculated that maybe the intent of the attackers was not monetary gain but rather a more political intention, such as to bring shame to the NSA. However, to this date there is nothing that confirms nor denies the motive of the WannaCry attack.

00:18:50.720 --> 00:19:18.000
The rapid infection had seemed to stop, but for Hutchins, or MalwareTech, and his team, the nightmare had only just begun. Less than an hour from when he had activated the domain, it was under attack. The motive of the attackers was to use the Mirai botnet to host a distributed denial of service attack, also known as DDoS, to shut down the domain so that it would be unreachable once again and all the halted infections would resume.

00:19:18.000 --> 00:19:35.760
A DDoS attack is usually performed to flood a domain with junk traffic till it can't handle any more and is driven offline. The Mirai botnet that the attackers were employing was previously used in one of the largest ever DDoS attacks, and was comprised of hundreds and thousands of devices.

00:19:35.760 --> 00:19:55.200
The haunting realization that they were the wall between a flood of infections that was currently being blocked slowly dawned on Hutchins and the other researchers working on the case. They eventually dealt with the issue by taking the site to a cached version, which was capable of handling a much higher traffic load than a live site.

00:19:55.200 --> 00:20:07.840
Two days after the domain went live, the data showed that two million infections had been halted, showing us what the extent of the damage could have been if it was not for the discovery of the kill switch.

00:20:25.360 --> 00:20:57.039
Marcus Hutchins's story does not stop here. He would go on to be named as a cyber crime hero, a title which he didn't enjoy, as it would bring him unwanted attention: people trying to piece together his address, media camping outside of his house, and in addition to all of this he was still under the pressure of the domain going offline any minute and wreaking havoc. However, he was able to get through these weary days and sleepless nights, only to be thrown back into chaos.

00:20:57.200 --> 00:21:30.880
Three months after the WannaCry attack, in August of 2017, Marcus Hutchins, after partying in Vegas for a week and a half during DEF CON, a hacker convention, was arrested in the airport by the FBI on his way back home. It seemed that Hutchins in his teenage years had developed a malware named Kronos that would steal banking credentials. He would go on to sell this malware to multiple individuals with the help of someone he met online named Vinny K. Kronos is still an ongoing threat to banks around the world.

00:21:30.880 --> 00:21:50.799
Hutchins initially battled the charges with a not guilty plea, but after a long and exhausting ordeal that lasted for years, in April 2019 he took a plea deal that would essentially dismiss all but two counts set against him: conspiracy to defraud the United States, and actively marketing the Kronos malware.

00:21:50.799 --> 00:22:13.840
He faced the possibility of a maximum prison sentence of ten years, but because of his contribution towards WannaCry and, as the community had constantly pointed out, his active involvement in defending the world against cyber attacks, the judge ruled in his favor. He was then released with zero jail time and is now a free man.

00:22:26.559 --> 00:22:46.400
As stated before, the WannaCry attack impacted over 150 countries and approximately 230,000 computers globally. Russia was the most severely infected, with over half the affected computers. India, Ukraine and Taiwan also suffered significant disruption.

00:22:48.559 --> 00:23:09.840
The most popular victim to emerge out of the attacks was the UK's National Health Service, or the NHS. In the NHS, over 70,000 devices such as computers, MRI scanners, devices used to test blood, theater equipment, and over 1,200 pieces of diagnostic equipment were affected.

00:23:10.159 --> 00:23:19.840
Approximately, the attack cost the NHS over 92 million euros, and globally the cost amounted to somewhere between four and eight billion dollars.

00:23:19.840 --> 00:23:21.200
You'd think that the attackers who
--> 00:23:22.720 launched wannacry would have made a 00:23:22.720 --> 00:23:24.400 decent amount considering how many 00:23:24.400 --> 00:23:25.200 countries 00:23:25.200 --> 00:23:28.480 and devices were affected however as of 00:23:28.480 --> 00:23:30.400 june 14 2017 00:23:30.400 --> 00:23:32.640 when the attacks had begun to subside 00:23:32.640 --> 00:23:34.559 they had only made a hundred and thirty 00:23:34.559 --> 00:23:35.120 thousand 00:23:35.120 --> 00:23:36.960 six hundred and thirty four dollars and 00:23:36.960 --> 00:23:38.880 seventy seven cents 00:23:38.880 --> 00:23:41.120 victims were urged not to pay the ransom 00:23:41.120 --> 00:23:42.720 since not only did it encourage the 00:23:42.720 --> 00:23:43.520 hackers 00:23:43.520 --> 00:23:45.279 but it also did not guarantee the return 00:23:45.279 --> 00:23:47.520 of their data due to skepticism of 00:23:47.520 --> 00:23:48.880 whether the attackers could actually 00:23:48.880 --> 00:23:50.320 place the paid ransom 00:23:50.320 --> 00:23:52.880 to the correct victim this was clearly 00:23:52.880 --> 00:23:54.400 evident from the fact that a large 00:23:54.400 --> 00:23:55.360 proportion 00:23:55.360 --> 00:23:57.279 almost all of the affected victims who 00:23:57.279 --> 00:23:58.400 had paid the ransom 00:23:58.400 --> 00:24:04.110 had still not been returned their data 00:24:04.110 --> 00:24:08.910 [Music] 00:24:13.679 --> 00:24:15.360 although initially the prime victims of 00:24:15.360 --> 00:24:17.360 wannacry were said to be windows xp 00:24:17.360 --> 00:24:20.080 clients over 98 of the victims were 00:24:20.080 --> 00:24:21.919 actually running unpatched versions of 00:24:21.919 --> 00:24:23.120 windows 7 00:24:23.120 --> 00:24:25.760 and less than 0.1 percent of the victims 00:24:25.760 --> 00:24:28.240 were using windows xp 00:24:28.240 --> 00:24:29.919 in the case of russia they believed 00:24:29.919 --> 00:24:31.760 updates did more to break their devices 00:24:31.760 --> 00:24:34.240 
rather than fix them 00:24:34.240 --> 00:24:35.919 partly due to the fact that a majority 00:24:35.919 --> 00:24:37.679 of people use cracked or pirated 00:24:37.679 --> 00:24:38.960 versions of windows 00:24:38.960 --> 00:24:40.400 which means they wouldn't have received 00:24:40.400 --> 00:24:41.760 the updates which were released by 00:24:41.760 --> 00:24:45.120 microsoft months prior to the attack 00:24:45.120 --> 00:24:46.559 microsoft eventually released the 00:24:46.559 --> 00:24:48.320 updates for systems that were at end of 00:24:48.320 --> 00:24:49.200 support 00:24:49.200 --> 00:24:51.120 including windows xp and other older 00:24:51.120 --> 00:24:53.679 versions of windows 00:24:53.679 --> 00:24:55.520 to this day if the domain that marcus 00:24:55.520 --> 00:24:57.440 hutchins acquired were to go down 00:24:57.440 --> 00:24:59.279 the millions of infections that it has 00:24:59.279 --> 00:25:01.120 at bay would be released 00:25:01.120 --> 00:25:02.960 but possibly ineffective if the 00:25:02.960 --> 00:25:04.640 computers had already applied the patch 00:25:04.640 --> 00:25:07.600 that microsoft released 00:25:07.600 --> 00:25:09.840 eternal blue is still in the wild and 00:25:09.840 --> 00:25:11.440 variants of wannacry have since then 00:25:11.440 --> 00:25:13.279 surfaced like ui wix 00:25:13.279 --> 00:25:15.200 which did not come with a kill switch 00:25:15.200 --> 00:25:16.880 and addressed the bitcoin payment issue 00:25:16.880 --> 00:25:18.480 by assigning a new address for each 00:25:18.480 --> 00:25:20.320 victim to collect payment 00:25:20.320 --> 00:25:21.919 therefore easily allowing to track the 00:25:21.919 --> 00:25:23.919 payment back to the victim 00:25:23.919 --> 00:25:25.840 however since it did not have an 00:25:25.840 --> 00:25:27.760 automatic worm-like functionality that 00:25:27.760 --> 00:25:29.279 wannacry exhibited 00:25:29.279 --> 00:25:32.159 it did not pose much of a threat the 00:25:32.159 --> 00:25:34.880 impact of 
wannacry is still seen today 00:25:34.880 --> 00:25:36.720 trend micros data clearly indicates that 00:25:36.720 --> 00:25:38.559 wannacry was the most detected malware 00:25:38.559 --> 00:25:40.159 family in 2020 00:25:40.159 --> 00:25:42.240 thanks to its vulnerable nature and 00:25:42.240 --> 00:25:44.159 f-secure reports that the most seen type 00:25:44.159 --> 00:25:46.400 of exploit is against the smb version 1 00:25:46.400 --> 00:25:47.360 vulnerability 00:25:47.360 --> 00:25:49.600 using eternal blue the fact that 00:25:49.600 --> 00:25:51.039 attackers still continue to try and 00:25:51.039 --> 00:25:52.080 exploit this 00:25:52.080 --> 00:25:54.080 must mean that there are organizations 00:25:54.080 --> 00:25:55.919 out there who have not patched against 00:25:55.919 --> 00:26:11.840 this vulnerability 00:26:15.520 --> 00:26:17.840 four years after the attack there is 00:26:17.840 --> 00:26:19.600 still no confirmed identity of the 00:26:19.600 --> 00:26:21.760 creators of the wannacry 00:26:21.760 --> 00:26:23.760 there have been accusations towards the 00:26:23.760 --> 00:26:24.880 lazarus group 00:26:24.880 --> 00:26:27.440 who has strong links to north korea 00:26:27.440 --> 00:26:28.159 however 00:26:28.159 --> 00:26:31.679 this is nothing more than hearsay so 00:26:31.679 --> 00:26:33.520 who is to blame for the catastrophic 00:26:33.520 --> 00:26:35.520 damage of wannacry 00:26:35.520 --> 00:26:37.360 is it the nsa who should not have 00:26:37.360 --> 00:26:39.279 stockpiled exploits without alerting the 00:26:39.279 --> 00:26:40.640 necessary entities about the 00:26:40.640 --> 00:26:42.400 vulnerabilities 00:26:42.400 --> 00:26:43.919 is it the shadow brokers who took 00:26:43.919 --> 00:26:46.320 advantage of this stole and released it 00:26:46.320 --> 00:26:48.000 into the wild 00:26:48.000 --> 00:26:50.400 is it the developers of wannacry or is 00:26:50.400 --> 00:26:52.320 it the fault of microsoft who did not 00:26:52.320 --> 00:26:53.760 
identify this vulnerability 00:26:53.760 --> 00:26:56.640 sooner while all of this might be true 00:26:56.640 --> 00:26:58.080 to some extent 00:26:58.080 --> 00:26:59.919 at the end of the day the actions these 00:26:59.919 --> 00:27:01.919 organizations take are largely out of 00:27:01.919 --> 00:27:03.600 the control of the public 00:27:03.600 --> 00:27:05.760 and business owners who are usually the 00:27:05.760 --> 00:27:07.840 victims of the attack 00:27:07.840 --> 00:27:10.240 regardless of what we claim the solution 00:27:10.240 --> 00:27:11.760 is very simple 00:27:11.760 --> 00:27:13.360 make sure we follow the guidelines to 00:27:13.360 --> 00:27:15.440 have our data secured 00:27:15.440 --> 00:27:17.120 the most crucial of it is to have a 00:27:17.120 --> 00:27:18.960 consistent schedule for updating our 00:27:18.960 --> 00:27:20.240 devices 00:27:20.240 --> 00:27:23.279 and to obviously not use outdated 00:27:23.279 --> 00:27:24.720 operating systems that put 00:27:24.720 --> 00:27:26.960 employee and customer data and their 00:27:26.960 --> 00:27:29.360 privacy at huge risks 00:27:29.360 --> 00:27:31.039 when it comes to ransomware the most 00:27:31.039 --> 00:27:32.880 crucial form of defense is frequent 00:27:32.880 --> 00:27:35.200 backup the more frequent it is 00:27:35.200 --> 00:27:37.760 the better less than 50 of ransomware 00:27:37.760 --> 00:27:39.520 payments actually result in the data 00:27:39.520 --> 00:27:41.120 being returned to the victims 00:27:41.120 --> 00:27:42.960 and so needless to say payment should 00:27:42.960 --> 00:27:44.399 not be an option 00:27:44.399 --> 00:27:46.159 lest your goal is to lose money and your 00:27:46.159 --> 00:27:47.760 data as well 00:27:47.760 --> 00:27:49.520 the biggest mistake that organizations 00:27:49.520 --> 00:27:51.760 tend to make is refusing to believe that 00:27:51.760 --> 00:27:53.520 they would be a target 00:27:53.520 --> 00:27:55.360 according to a study by cloudwords in 00:27:55.360 
--> 00:27:56.640 2021 00:27:56.640 --> 00:27:58.559 every 11 seconds a company is hit by 00:27:58.559 --> 00:28:00.640 ransomware and a large proportion of 00:28:00.640 --> 00:28:02.240 organizations are small 00:28:02.240 --> 00:28:03.919 to medium-sized businesses that never 00:28:03.919 --> 00:28:06.080 see it coming as they're often found to 00:28:06.080 --> 00:28:07.600 have less than effective security 00:28:07.600 --> 00:28:08.960 strategies in place 00:28:08.960 --> 00:28:10.480 making them ideal targets for such 00:28:10.480 --> 00:28:12.080 attacks 00:28:12.080 --> 00:28:13.440 digital transformation during the 00:28:13.440 --> 00:28:15.360 coronavirus pandemic has started to move 00:28:15.360 --> 00:28:16.960 businesses to the cloud 00:28:16.960 --> 00:28:18.799 and so cyber criminals have now shifted 00:28:18.799 --> 00:28:20.720 their focus to the cloud as well 00:28:20.720 --> 00:28:22.320 giving them an entirely new attack 00:28:22.320 --> 00:28:24.000 surface to work with 00:28:24.000 --> 00:28:26.480 the cost of ransomware is said to top 20 00:28:26.480 --> 00:28:29.039 billion dollars by the end of 2021 00:28:29.039 --> 00:28:32.159 and that is ransomware alone by 2025 00:28:32.159 --> 00:28:33.919 cyber security ventures estimates that 00:28:33.919 --> 00:28:35.840 cyber crime will cost businesses 00:28:35.840 --> 00:28:39.279 10.5 trillion dollars annually 00:28:39.279 --> 00:28:41.279 which would amount to just 2 trillion 00:28:41.279 --> 00:28:43.039 short of china's economy 00:28:43.039 --> 00:28:46.000 the second biggest economy in the world 00:28:46.000 --> 00:28:46.320 we 00:28:46.320 --> 00:28:48.320 are headed towards bigger and more 00:28:48.320 --> 00:28:50.640 destructive attacks than wannacry 00:28:50.640 --> 00:28:53.440 and our most reliable defense is our 00:28:53.440 --> 00:28:54.240 awareness 00:28:54.240 --> 00:28:56.840 and our action to better protect 00:28:56.840 --> 00:29:13.840 ourselves thank you for watching 00:29:16.120 