A small note before we start: as much as this video is meant to be a storytelling experience, I have also intended it to be educational, and so I have coupled the story with how some of these attacks and technologies work. This is my first documentary-style video, and so I appreciate any and all feedback in the comments below. I really hope you enjoy it and hopefully learn a few new things.
"Right now a crippling cyber attack has businesses around the world on high alert: the ransomware known as WannaCry."

"...want to move on to the other developing story this morning, the global cyber attack. The National Security Agency developed this software, and it's now being used by criminals around the world to demand ransom."

"Security experts say this is one of the worst and most widespread pieces of malware they've ever seen."

In May of 2017, a worldwide cyber attack by the name of WannaCry, short for WanaCrypt0r, impacted over 150 countries and hit around 230,000 computers globally. Needless to say, it became known as one of the biggest ransomware attacks in history.
Let's start at the very beginning, on the morning of the 12th of May 2017. According to Akamai, a content delivery network, this was the timeline. Reportedly, the first case identified originated from a Southeast Asian ISP and was detected at 7:44 AM UTC. Over the next hour there were cases seen from Latin America, then continental Europe and the UK, then Brazilian and Argentinian ISPs, until at 12:39 PM UTC 74% of all ISPs in Asia were affected, and by 3:28 PM UTC the ransomware had taken hold of 65 percent of Latin American ISPs. WannaCry was spreading, and at an incredible rate.
Prior to this, such a quick and widespread ransomware was unheard of. A lot of organizations, unable to recover their losses, were forced to permanently shut down. Some had to put a pause on their networks and services and reported huge losses, some in millions of dollars. The attack did not discriminate: small to medium-sized businesses, large enterprises, the private sector, the public sector, railways, healthcare, banks, malls, ministries, police, energy companies, ISPs. There just seemed to be no end to the victims. Within a few hours it had spread to over 11 countries, and by the end of the first day of the attack the ransomware had been encountered in 74 countries, within thousands and thousands of organizations. And so it begged the question: how much damage will this really cause over the next few days, or weeks, or months, if no solution presents itself?
"Your surface has been temporarily disconnected."

Ransomware works in a very simple manner. It is the type of malware most commonly spread through phishing attacks, which are essentially emails used to trick a user into clicking a link that leads them to a website where they enter sensitive data, or to download attachments which, if executed, will infect the computer. Although initially suspected, WannaCry did not originate from a phishing attack, but we'll get to that later.

Once a computer is infected, the ransomware runs an encryption process, and usually in less than a minute some or all of the files in the user's computer, depending on what the ransomware is meant to affect, are converted from plaintext to ciphertext. Plaintext is readable or comprehensible data, and ciphertext is unintelligible gibberish. In order to turn this back into plaintext, the user will need what is known as a decryption key, which the attacker promises to provide if the user were to pay the ransom. What makes ransomware so dreadful is that once your files have been encrypted, you can't exactly decrypt them and retrieve your data. Well, you can, but with the current technology we have, to break common encryption algorithms used in ransomware attacks, such as RSA, it would take millions to billions to trillions of years.

This is what you'd see if you were to become infected with the WannaCry ransomware. In addition to this intimidating wallpaper, your documents, spreadsheets, images, videos, music, and most everyday productivity and multimedia files become encrypted, essentially being held hostage till the ransom payment has been made. Wana Decrypt0r 2.0 comes with a set of instructions, in 28 different languages, for victims to follow in order to recover their files. The attackers demanded $300 worth of Bitcoin, and after three days this would be updated to $600. If the payment were not made within seven days of the infection, the files would be unrecoverable. However, despite this, they also go on to state that they will return the files for free to, quote, "users who are so poor that they couldn't pay," end quote, after six months. The method of payment: Bitcoin.
The reason that the attackers chose Bitcoin was because it is what we know as a private cryptocurrency. This allows the holder of the currency to remain anonymous. Though the money could be traced to a cryptocurrency wallet, which is where the currency itself is stored, it would be exponentially difficult to find the owner of the wallet without extensive forensic analysis. This is the reason that Bitcoin is used widely on the dark web to purchase guns, drugs, and other illegal goods and services that, for obvious reasons, you would not be able to find on the surface web.
The problem with WannaCry, and what made it exponentially more dangerous than your average ransomware, was its propagating capabilities. But to understand this fully we need to go back in time a little bit, to 2016. In August of 2016, the Equation Group, suspected to have ties with the National Security Agency's Tailored Operations unit and described by Kaspersky as one of the most sophisticated cyber attack groups in the world, was said to be hacked by a group called the Shadow Brokers. In this hack, disks full of NSA secrets were stolen. This was bad, because the NSA houses what we know as nation-state attacks, which are exploits or hacking tools that are used to carry out a hack for their home country against another country. The NSA would essentially recruit a skilled hacker and give them a license to hack, which means if they did carry it out it wouldn't be illegal, at least in that country, and the hacker would not be charged. The danger here is that the nation-state tools in themselves are usually pretty effective, especially considering they are to be used as weapons against entire states and countries.

The NSA is said to have discovered a multitude of other vulnerabilities in the Windows OS as early as 2013, but was speculated to have developed exploits secretly and stockpiled them, rather than reporting them to Microsoft or the infosec community, so that they could weaponize them and utilize them in their nation-state and other attacks. The Shadow Brokers would go on to auction off some of these tools that were developed, but due to skepticism online on whether the hackers really did have files as dangerous as they had claimed, this would essentially go on to become a catastrophic failure. We can talk quite a bit about the Shadow Brokers; the story is itself worth examining individually, and maybe even in a separate video. But let's narrow our focus down to the leak that made WannaCry possible, which at that point was the fifth leak by the group and was said to be the most damaging one yet.
On April 14, 2017, the Shadow Brokers would post a tweet that linked to their Steem blockchain, to a post titled "Lost in Translation". This leak contained files from the initial failed auction, which they now decided to release to the public for free. The description accompanying the leaked files doesn't really contain much worth noting. As always, the Shadow Brokers would use broken but still somewhat comprehensible English; however, this is widely speculated not to speak to their proficiency in the language, but rather to be an attempt to mislead analysts and prevent them from yielding any results regarding their identity, characterized by how they type. The link, which has now been taken down, takes you to an archive filled with a number of Windows exploits developed by the NSA. It did contain many other valuable tools worth examining, but the ones relevant to our story, and what made a regular ransomware so destructive, were the payload DoublePulsar and the now infamous exploit used in the WannaCry attack: EternalBlue.

Server Message Block version 1, or SMBv1, is a network communication protocol which was developed in 1983. The function of this protocol would be to allow one Windows computer to communicate with another and share files and printers on a local network. However, SMB version 1 had a critical vulnerability which allowed for what is known as remote arbitrary code execution, in which an attacker would be able to execute whatever code they'd like on their target or victim's computer over the internet, usually with malicious intent. The function of EternalBlue was to take advantage of this vulnerability. Essentially, I'm going to try and strip it down to simplify it as much as possible.
When the Shadow Brokers first leaked the NSA tools, hackers took this opportunity to install DoublePulsar, which is a tool which opens what we commonly know in security as a backdoor. Backdoors allow hackers to create an entry point into the system, or a network of systems, and gain easy access later on. The initial infection of WannaCry is not known, but it is speculated that the attackers took advantage of the backdoor to deliver the payload. The payload in this case is the ransomware WannaCry. When a computer is infected with WannaCry, oddly, it then tries to connect to the following unregistered domain, which is basically a random string of numbers and letters. If it cannot establish a connection to this domain, then the real damage begins. It scans for port 445 on the network, which is the port that is used to host SMB version 1, and if the port is deemed to be open it would then proceed to spread to that computer. This is how it propagated so quickly.

Regardless of whether the other users in the network actually downloaded or clicked on anything malicious, they would be infected, and in seconds all their data would be encrypted.

So the damage came in two parts: the ransomware that encrypts the data, and the worm-like component that is used to spread the ransomware to any connected vulnerable devices in the network. As a result of EternalBlue and DoublePulsar, the attack only affected Windows systems, mainly targeting Windows XP, Vista, Windows 7, Windows 8, and Windows 10.
However, a month prior to the leak by the Shadow Brokers, on March 14, 2017, Microsoft was made aware of this vulnerability after it was publicly reported, almost five years after its discovery, and Microsoft then released a critical patch to fix this vulnerability: MS17-010. However, despite the release of the patch, a significant number of organizations never updated their systems, and unfortunately there were still major organizations running Windows XP or Server 2003. These devices were at end of support, which means that even if updates were out they would not receive them, and they would be completely vulnerable to the exploit. If you want to know more about the vulnerability that EternalBlue exploited, it is now logged in the National Vulnerability Database as CVE-2017-0144.
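The two conditions this passage describes, SMBv1 still enabled and the MS17-010 update never applied, are what a practitioner would check for on each Windows host. The PowerShell below is an added example and is not code from the video. It assumes an elevated session; the SmbShare, DISM and NetTCPIP cmdlets it prefers exist on Windows 8 / Server 2012 and later, so it falls back to the LanmanServer registry value and netstat on Windows 7 / Server 2008 R2. The KB numbers listed are the March 2017 MS17-010 packages for the Windows 7 / 2008 R2 and 8.1 / 2012 R2 lines; because later rollups supersede them, their absence is a prompt to investigate, not proof of exposure, which is why the verdict is driven by the SMBv1 state rather than the hotfix list.

```powershell
# Added example, not from the video: audit one Windows host for what made it a
# WannaCry target (SMBv1 enabled and reachable on 445, MS17-010 possibly missing)
# and optionally turn SMBv1 off. Run in an elevated PowerShell session.

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Exposure {
    param(
        # March 2017 MS17-010 packages (security-only / monthly rollup). Later
        # rollups supersede these, so "not found" does not prove "unpatched".
        [string[]] $Ms17010Kbs = @(
            'KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2
            'KB4012213', 'KB4012216'    # Windows 8.1 / Server 2012 R2
        )
    )

    # SMBv1 server state: SmbShare module on Win8+/2012+, registry on Win7/2008 R2
    # (a missing 'SMB1' value means SMBv1 is enabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1On = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $v = Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue
        $smb1On = (-not $v) -or ($v.SMB1 -ne 0)
    }

    # Is anything listening on 445, the port the worm scanned for?
    $listening445 = if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    } else {
        [bool](netstat -an | Select-String -Pattern ':445\s+\S+\s+LISTENING')
    }

    # Which of the original MS17-010 packages are visible to Get-HotFix?
    $found = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
             Select-Object -ExpandProperty HotFixID

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        OSVersion       = (Get-CimInstance Win32_OperatingSystem).Version
        SMB1ServerOn    = $smb1On
        Listening445    = $listening445
        Ms17010KbsFound = @($found)
        # Actionable verdict: SMBv1 reachable over the network is the exposure,
        # whatever the hotfix list says.
        Exposed         = ($smb1On -and $listening445)
    }
}

function Disable-Smb1 {
    # Microsoft's documented remediation. A reboot is required to take effect.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable the SMBv1 server')) { return }
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    } else {
        Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWord -Value 0 -Force
    }
}

Test-Ms17010Exposure | Format-List
# Disable-Smb1 -WhatIf    # preview the change; drop -WhatIf to apply it
```

Run the audit across a fleet with Invoke-Command and collect the Exposed column; any host with SMB1ServerOn true should be remediated regardless of its hotfix list, since cumulative updates make Get-HotFix an unreliable witness for a specific 2017 KB.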
Marcus Hutchins, also known online by his alias MalwareTech, was a 23-year-old British security researcher at Kryptos Logic in LA. After returning from lunch with a friend on the afternoon of the attack, he found himself scouring message boards, where he came across news of a ransomware rapidly taking down systems in the National Health Service, or NHS, all over the UK. Hutchins, who found it odd that the ransomware was consistently affecting so many devices, concluded that the attack was probably a computer worm and not just a simple ransomware. He quickly requested one of his friends to pass him a sample of the malware so that he could examine it and reverse engineer it to analyze exactly how it worked. Once he had gotten his hands on the malware sample, he ran it in a virtual environment with fake files and found out that it was trying to connect to an unregistered domain, which we discussed earlier in chapter 4. Hutchins would go on to register this domain for only $10.69, which, unbeknownst to him, would actually halt the WannaCry infection. He would later admit in a tweet that same day that the domain registration leading to a pause in the rapid infection was indeed an accident, dubbing Marcus Hutchins the accidental hero. To Hutchins, taking control of unregistered domains was just a part of his workflow when it came to stopping botnets and tracking malware. This was so that he could get further insight into how the malware or botnets were spreading.
For those of you unaware of what a botnet is, it is essentially a group of computers that have been hijacked by malicious actors, or hackers, in order to be used in their attacks to drive excess network traffic or steal data. One computer that has been hijacked is called a bot, and a network of them is called a botnet. However, since, as we discussed earlier, the attack only executes if it's unable to reach the domain that it checks for, think of it as a simple if-then statement: if the infection cannot connect to domain X, then proceed with the infection; if it can reach domain X, stop the attack. And so the malware being able to connect to the domain was known as the kill switch, the big red button that stops the attack from spreading any further. But why would the attackers implement a kill switch at all? The first theory is that the creators of WannaCry wanted a way to stop the attack if it ever got out of hand or had any unintentional effects. The second, and the most likely, theory, proposed by Hutchins and other security researchers, was that the kill switch was present in order to prevent researchers from looking into the behavior of WannaCry if it was being executed within what is known in security as a sandbox. A sandbox is usually a virtual computer that is used to run malware. It is a contained environment with measures that have been taken to not infect any important files or spread to other networks, much like what I used in chapter 2 to demonstrate the WannaCry ransomware.

Researchers use these sandboxes to run malware and then use tools to determine the behavior of the attack. This is what Hutchins did with fake files as well. So the intent behind this kill switch was to destroy the ransomware if it existed within a sandbox environment, again since they didn't want researchers to be able to analyze exactly how it worked. However, since the attackers used a static domain, a domain name that did not change for each infection, instead of using dynamically generated domain names like other renditions of this concept would usually do, the WannaCry infections around the world believed that they were being analyzed in a sandbox environment and essentially killed themselves, since every single infection was trying to reach one single hard-coded domain, and now they could, after Hutchins had purchased it and put it online. If it had been a randomly generated domain name, then the infection would only have removed itself from Hutchins's sandbox environment, because the domain he registered would be unique to him and would not affect anyone else. This seems to be an amateur mistake, so amateur in fact that researchers have speculated that maybe the intent of the attackers was not monetary gain but rather a more political intention, such as to bring shame to the NSA. However, to this date there is nothing that confirms nor denies the motive of the WannaCry attack.
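The if-then logic described above, and the static-versus-generated-domain point that follows it, can be made concrete in a short simulation. This is an added example, not code from the video. The decision function models only the check the video describes (domain reachable: halt; otherwise: carry on to spreading); reachability is simulated with a list of registered domains and no DNS lookup is made. The static domain is the actual hard-coded WannaCry kill-switch domain that Hutchins registered. The per-sample domain generator is a hypothetical stand-in for the dynamically generated names other malware uses, not anything WannaCry contained, and exists only to show why one registration stopped every infection in the real case but would have stopped a single one in the other.

```powershell
# Added example, not from the video. Simulates the kill-switch decision to show
# why one hard-coded domain let a single registration halt every infection.
# No network access: "reachable" is modelled as "present in the registered list".

# The real hard-coded WannaCry kill-switch domain (registered by Hutchins on 12 May 2017).
$StaticKillSwitch = 'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'

function Get-KillSwitchDecision {
    # The if/then from the video: domain reachable -> 'halt'; unreachable -> 'spread'
    # (in the real worm, 'spread' is where the port-445 scan would begin).
    param(
        [Parameter(Mandatory)][string]   $Domain,
        [Parameter(Mandatory)][string[]] $RegisteredDomains
    )
    if ($RegisteredDomains -contains $Domain) { return 'halt' }
    return 'spread'
}

function New-PerSampleDomain {
    # Hypothetical per-infection domain (NOT WannaCry's; it had none): derive a
    # 12-letter label from a SHA-256 of the sample id so every infection differs.
    param([Parameter(Mandatory)][string] $SampleId)
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($SampleId))
    $label = -join ($bytes[0..11] | ForEach-Object { [char](97 + ($_ % 26)) })
    return "$label.com"
}

function Invoke-OutbreakSimulation {
    # A researcher sandboxes ONE sample, sees the domain it calls out to, and
    # registers it. Then $Infections machines each run the kill-switch check.
    param(
        [int]    $Infections     = 1000,
        [string] $ObservedSample = 'sample-0',
        [switch] $PerSampleDomains
    )
    $observed   = if ($PerSampleDomains) { New-PerSampleDomain $ObservedSample } else { $StaticKillSwitch }
    $registered = @($observed)                    # the single sinkhole registration

    $halted = 0
    for ($i = 0; $i -lt $Infections; $i++) {
        $domain = if ($PerSampleDomains) { New-PerSampleDomain "sample-$i" } else { $StaticKillSwitch }
        if ((Get-KillSwitchDecision -Domain $domain -RegisteredDomains $registered) -eq 'halt') {
            $halted++
        }
    }

    [pscustomobject]@{
        Mode       = $(if ($PerSampleDomains) { 'per-sample domain' } else { 'static domain' })
        Infections = $Infections
        Halted     = $halted
        Spreading  = $Infections - $halted
    }
}

Invoke-OutbreakSimulation                     # the real design: one static domain
Invoke-OutbreakSimulation -PerSampleDomains   # what a per-sample design would have done
```

In the static run every infection asks for the same name, so the one registration flips all of them to 'halt'; in the per-sample run only the sandboxed sample's domain is registered, so the other infections still see an unreachable name and keep spreading. That difference is the whole reason the $10.69 registration mattered.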
The rapid infection had seemed to stop, but for Hutchins, or MalwareTech, and his team, the nightmare had only just begun. Less than an hour from when he had activated the domain, it was under attack. The motive of the attackers was to use the Mirai botnet to host a distributed denial of service attack, also known as DDoS, to shut down the domain so that it would be unreachable once again and all the halted infections would resume. A DDoS attack is usually performed to flood a domain with junk traffic till it can't handle any more and is driven offline. The Mirai botnet that the attackers were employing was previously used in one of the largest ever DDoS attacks and was comprised of hundreds and thousands of devices. The haunting realization that they were the wall between a flood of infections that was currently being blocked slowly dawned on Hutchins and the other researchers working on the case. They eventually dealt with the issue by taking the site to a cached version, which was capable of handling a much higher traffic load than a live site. Two days after the domain went live, the data showed that two million infections had been halted, showing us what the extent of the damage could have been if it was not for the discovery of the kill switch.
Marcus Hutchins' story does not stop here. He would go on to be named as a cyber crime hero, a title which he didn't enjoy, as it would bring him unwanted attention: people trying to piece together his address, media camping outside of his house, and, in addition to all of this, he was still under the pressure of the domain going offline any minute and wreaking havoc. However, he was able to get through these weary days and sleepless nights, only to be thrown back into chaos. Three months after the WannaCry attack, in August of 2017, Marcus Hutchins, after partying in Vegas for a week and a half during DEF CON, a hacker convention, was arrested in the airport by the FBI on his way back home. It seemed that Hutchins in his teenage years had developed a malware named Kronos that would steal banking credentials. He would go on to sell this malware to multiple individuals with the help of someone he met online named Vinny K. Kronos is still an ongoing threat to banks around the world. Hutchins initially battled the charges with a not-guilty plea, but after a long and exhausting ordeal that lasted for years, in April 2019 he took a plea deal that would essentially dismiss all but two counts set against him: conspiracy to defraud the United States and actively marketing the Kronos malware. He faced the possibility of a maximum prison sentence of ten years, but because of his contribution towards WannaCry and, as the community had constantly pointed out, his active involvement in defending the world against cyber attacks, the judge ruled in his favor. He was then released with zero jail time and is now a free man.
As stated before, the WannaCry attack impacted over 150 countries and approximately 230,000 computers globally. Russia was the most severely infected, with over half the affected computers. India, Ukraine, and Taiwan also suffered significant disruption. The most popular victim to emerge out of the attacks was the UK's National Health Service, or the NHS. In the NHS, over 70,000 devices, such as computers, MRI scanners, devices used to test blood, theater equipment, and over 1,200 pieces of diagnostic equipment, were affected. Approximately, the attack cost the NHS over 92 million euros, and globally the cost amounted to somewhere between four and eight billion dollars. You'd think that the attackers who launched WannaCry would have made a decent amount, considering how many countries and devices were affected. However, as of June 14, 2017, when the attacks had begun to subside, they had only made $130,634.77. Victims were urged not to pay the ransom, since not only did it encourage the hackers, but it also did not guarantee the return of their data, due to skepticism of whether the attackers could actually match the paid ransom to the correct victim. This was clearly evident from the fact that a large proportion, almost all, of the affected victims who had paid the ransom had still not been returned their data.

Although initially the prime victims of WannaCry were said to be Windows XP clients, over 98% of the victims were actually running unpatched versions of Windows 7, and less than 0.1 percent of the victims were using Windows XP. In the case of Russia, they believed updates did more to break their devices than fix them, partly due to the fact that a majority of people use cracked or pirated versions of Windows, which means they wouldn't have received the updates which were released by Microsoft months prior to the attack. Microsoft eventually released the updates for systems that were at end of support, including Windows XP and other older versions of Windows. To this day, if the domain that Marcus Hutchins acquired were to go down, the millions of infections that it holds at bay would be released, but possibly ineffective if the computers had already applied the patch that Microsoft released. EternalBlue is still in the wild, and variants of WannaCry have since surfaced, like UIWIX, which did not come with a kill switch and addressed the Bitcoin payment issue by assigning a new address for each victim to collect payment, therefore allowing the payment to be easily tracked back to the victim. However, since it did not have the automatic worm-like functionality that WannaCry exhibited, it did not pose much of a threat. The impact of WannaCry is still seen today. Trend Micro's data clearly indicates that WannaCry was the most detected malware family in 2020, thanks to its vulnerable nature, and F-Secure reports that the most seen type of exploit is against the SMB version 1 vulnerability using EternalBlue. The fact that attackers still continue to try and exploit this must mean that there are organizations out there who have not patched against this vulnerability.
Four years after the attack, there is still no confirmed identity of the creators of WannaCry. There have been accusations towards the Lazarus Group, who has strong links to North Korea; however, this is nothing more than hearsay. So who is to blame for the catastrophic damage of WannaCry? Is it the NSA, who should not have stockpiled exploits without alerting the necessary entities about the vulnerabilities? Is it the Shadow Brokers, who took advantage of this, stole it, and released it into the wild? Is it the developers of WannaCry? Or is it the fault of Microsoft, who did not identify this vulnerability sooner? While all of this might be true to some extent, at the end of the day the actions these organizations take are largely out of the control of the public and business owners, who are usually the victims of the attack.
Regardless of what we claim, the solution is very simple: make sure we follow the guidelines to have our data secured. The most crucial of these is to have a consistent schedule for updating our devices, and to obviously not use outdated operating systems that put employee and customer data and their privacy at huge risk. When it comes to ransomware, the most crucial form of defense is frequent backup; the more frequent it is, the better. Less than 50% of ransomware payments actually result in the data being returned to the victims, and so, needless to say, payment should not be an option, unless your goal is to lose money and your data as well. The biggest mistake that organizations tend to make is refusing to believe that they would be a target. According to a study by Cloudwards in 2021, every 11 seconds a company is hit by ransomware, and a large proportion of organizations are small to medium-sized businesses that never see it coming, as they're often found to have less than effective security strategies in place, making them ideal targets for such attacks. Digital transformation during the coronavirus pandemic has started to move businesses to the cloud, and so cyber criminals have now shifted their focus to the cloud as well, giving them an entirely new attack surface to work with. The cost of ransomware is said to top 20 billion dollars by the end of 2021, and that is ransomware alone. By 2025, Cybersecurity Ventures estimates that cyber crime will cost businesses 10.5 trillion dollars annually, which would amount to just 2 trillion short of China's economy, the second biggest economy in the world. We are headed towards bigger and more destructive attacks than WannaCry, and our most reliable defense is our awareness and our action to better protect ourselves. Thank you for watching.