[00:00:00] [Music]

[00:00:10] A small note before we start: as much as this video is meant to be a storytelling experience, I have also intended it to be educational, and so I have coupled the story along with how some of these attacks and technologies work. This is my first documentary-style video, and so I appreciate any and all feedback in the comments below. I really hope you enjoy and hopefully learn a few new things.

[00:00:40] Right now a crippling cyber attack has businesses around the world on high alert, the ransomware known as WannaCry. Want to move on to the other developing story this morning, the global cyber attack. The National Security Agency developed this software and it's now being used by criminals around the world to demand ransom. Security experts say this is one of the worst and most widespread pieces of malware they've ever seen.

[00:01:11] [Music]

[00:01:20] In May of 2017 a worldwide cyber attack by the name of WannaCry, short for WanaCrypt0r, impacted over 150 countries and hit around 230,000 computers globally. Needless to say, it became known as one of the biggest ransomware attacks in history.

[00:01:38] Let's start at the very beginning, on the morning of the 12th of May 2017. According to Akamai, a content delivery network, this was the timeline. Reportedly the first case identified originated from a Southeast Asian ISP, which was detected at 7:44 am UTC. Over the next hour there were cases seen from Latin America, then continental Europe and the UK, then Brazil and Argentinian ISPs, until at 12:39 pm UTC 74 percent of all ISPs in Asia were affected, and by 3:28 pm UTC the ransomware had taken hold of 65 percent of Latin American ISPs.

[00:02:20] WannaCry was spreading, and at an incredible rate. Prior to this, such a quick and widespread ransomware was unheard of. A lot of organizations, unable to recover their losses, were forced to permanently shut down. Some had to put a pause on their networks and services and reported huge losses, some in millions of dollars. The attack did not discriminate: small to medium-sized businesses, large enterprises, the private sector, the public sector, railways, healthcare, banks, malls, ministries, police, energy companies, ISPs. There just seemed to be no end to the victims. Within a few hours it had spread to over 11 countries, and by the end of the first day of the attack the ransomware had been encountered in 74 countries within thousands and thousands of organizations. And so it begged the question: how much damage will this really cause over the next few days, or weeks, or months, if no solution presents itself?

[00:03:23] Your surface has been temporarily disconnected.

[00:03:33] Ransomware works in a very simple manner. It is the type of malware most commonly spread through phishing attacks, which are essentially emails used to trick a user into clicking a link that leads them to a website where they enter sensitive data, or to download attachments which, if executed, will infect the computer. Although initially suspected, WannaCry did not originate from a phishing attack, but we'll get to that later. Once a computer is infected, the ransomware runs an encryption process, and usually in less than a minute some or all of the files, depending on what the ransomware is meant to affect in the user's computer, are converted from plaintext to ciphertext. Plaintext is readable or comprehensible data, and ciphertext is unintelligible gibberish. In order to turn this back into plaintext the user will need what is known as a decryption key, which the attacker promises to provide if the user were to pay the ransom.

[00:04:34] What makes ransomware so dreadful is that once your files have been encrypted you can't exactly decrypt them and retrieve your data. Well, you can, but with the current technology we have, to break common encryption algorithms used in ransomware attacks, such as RSA, it would take millions to billions to trillions of years.

[00:04:57] [Music]

[00:05:03] This is what you'd see if you were to become infected with the WannaCry ransomware. In addition to this intimidating wallpaper, your documents, spreadsheets, images, videos, music and most everyday productivity and multimedia files become encrypted, essentially being held hostage till the ransom payment has been made.

[00:05:27] The Wana Decrypt0r 2.0 comes with a set of instructions, and in 28 different languages, for victims to follow in order to recover their files. The attackers demanded $300 worth of Bitcoin, and after three days it would be updated to six hundred dollars. If the payment were to be made seven days after the infection, the files would be recoverable. However, despite this, they also go on to state that they will return the files for free to, quote, "users who are so poor that they couldn't pay," end quote, after six months. The method of payment: Bitcoin.

[00:06:04] The reason that the attackers chose Bitcoin was because it is what we know as a private cryptocurrency. This allows the holder of the currency to remain anonymous. Though the money could be traced to a cryptocurrency wallet, which is where the currency itself is stored, it would be exponentially difficult to find the owner of the wallet without extensive forensic analysis. This is the reason that Bitcoin is used widely in the dark web to purchase guns, drugs and other illegal goods and services that, for obvious reasons, you would not be able to find on the surface web.

[00:06:48] The problem with WannaCry, and what made it exponentially more dangerous than your average ransomware, was its propagating capabilities. But to understand this fully we need to go back in time a little bit, to 2016.

[00:07:01] In August of 2016 the Equation Group, suspected to have ties with the National Security Agency's Tailored Access Operations unit, and described by Kaspersky as one of the most sophisticated cyber attack groups in the world, was said to be hacked by a group called the Shadow Brokers. In this hack, disks full of the NSA's secrets were stolen.

[00:07:22] This was bad because the NSA houses what we know as nation-state attacks, which are exploits or hacking tools that are used to carry out a hack for their home country against another country. The NSA would essentially recruit a skilled hacker and give them a license to hack, which means if they did carry it out it wouldn't be illegal, at least in that country, and the hacker would not be charged. The danger here is that the nation-state tools in themselves are usually pretty effective, especially considering they are to be used as weapons against entire states and countries.

[00:08:03] The NSA is said to have discovered a multitude of other vulnerabilities in the Windows OS as early as 2013, but was speculated to have developed exploits secretly and stockpiled them, rather than reporting them to Microsoft or the infosec community, so that they could weaponize them and utilize them in their nation-state and other attacks.

[00:08:25] The Shadow Brokers would go on to auction off some of these tools that were developed, but due to skepticism online on whether the hackers really did have files as dangerous as they had claimed, this would essentially go on to become a catastrophic failure. We can talk quite a bit about the Shadow Brokers; the story is itself worth examining individually, and maybe even on a separate video. But let's narrow our focus down to the leak that made WannaCry possible, which at that point was the fifth leak by the group and was said to be the most damaging one yet.

[00:08:59] On April 14, 2017 the Shadow Brokers would post a tweet that linked to their Steemit blockchain, on a post titled "Lost in Translation". This leak contained files from the initial failed auction, which they now decided to release to the public for free. The description accompanying the leaked files doesn't really contain much worth noting. As always, the Shadow Brokers would use broken but still somewhat comprehensible English; however, this is widely speculated not to speak to their proficiency in the language, but rather to be an attempt to mislead analysts and prevent them from yielding any results regarding their identity characterized by how they type.

[00:09:39] The link, which has now been taken down, takes you to an archive filled with a number of Windows exploits developed by the NSA. It did contain many other valuable tools worth examining, but the ones relevant to our story, and what made a regular ransomware so destructive, were the payload DoublePulsar and the now infamous exploit used in the WannaCry attack: EternalBlue.

[00:10:13] [Music]

[00:10:15] Server Message Block version 1, or SMBv1, is a network communication protocol which was developed in 1983. The function of this protocol would be to allow one Windows computer to communicate with another and share files and printers on a local network. However, SMB version 1 had a critical vulnerability which allowed for what is known as remote arbitrary code execution, in which an attacker would be able to execute whatever code they'd like on their target or victim's computer over the internet, usually with malicious intent. The function of EternalBlue was to take advantage of this vulnerability.

[00:10:55] Essentially, I'm going to try and strip it down to simplify it as much as possible. When the Shadow Brokers first leaked the NSA tools, hackers took this opportunity to install DoublePulsar, which is a tool which opens what we commonly know in security as a backdoor. Backdoors allow hackers to create an entry point into the system, or a network of systems, and gain easy access later on.

[00:11:20] The initial infection of WannaCry is not known, but it is speculated that the attackers took advantage of the backdoor to deliver the payload. The payload in this case is the ransomware WannaCry. When a computer is infected with WannaCry, oddly, it then tries to connect to the following unregistered domain, which is basically a random string of numbers and letters. If it cannot establish a connection to this domain, then the real damage begins. It scans for port 445 on the network, which is the port that is used to host SMB version 1, and if the port is deemed to be open it would then proceed to spread to that computer. This is how it propagated so quickly.

[00:12:01] [Music]

[00:12:03] Whether or not the other users in the network actually downloaded or clicked on anything malicious, they would be infected, and in seconds all their data would be encrypted.

[00:12:13] [Music]

[00:12:14] So the damage came in two parts: the ransomware that encrypts the data, and the worm-like component that is used to spread the ransomware to any connected vulnerable devices in the network as a result of EternalBlue and DoublePulsar. The attack only affected Windows systems, mainly targeting Windows XP, Vista, Windows 7, Windows 8 and Windows 10.

[00:12:37] However, a month prior to the leak by the Shadow Brokers, on March 14, 2017, Microsoft was made aware of this vulnerability after it was publicly reported, almost five years after its discovery. Microsoft then released a critical patch to fix this vulnerability: MS17-010.

[00:12:57] However, despite the release of the patch, a significant number of organizations never updated their systems, and unfortunately there were still major organizations running Windows XP or Server 2003. These devices were at end of support, which means that even if updates were out they would not receive them, and they would be completely vulnerable to the exploit. If you want to know more about the vulnerability that EternalBlue exploited, it is now logged in the National Vulnerability Database as CVE-2017-0144.

[00:13:33] [Music]

[00:13:47] Marcus Hutchins, also known online by his alias MalwareTech, was a 23-year-old British security researcher at Kryptos Logic in LA. After returning from lunch with a friend on the afternoon of the attack, he found himself scouring message boards, where he came across news of a ransomware rapidly taking down systems in the National Health Service, or NHS, all over the UK. Hutchins, who found it odd that the ransomware was consistently affecting so many devices, concluded that the attack was probably a computer worm and not just a simple ransomware. He quickly requested one of his friends to pass him a sample of the malware so that he could examine it and reverse engineer it to analyze exactly how it worked.

[00:14:33] Once he had gotten his hands on the malware sample, he ran it in a virtual environment with fake files, and found out that it was trying to connect to an unregistered domain, which we discussed earlier in chapter 4. Hutchins would go on to register this domain for only $10.69, which, unbeknownst to him, would actually halt the WannaCry infection. He would later admit in a tweet that same day that the domain registration leading to a pause in the rapid infection was indeed an accident, dubbing Marcus Hutchins the accidental hero.

[00:15:23] To Hutchins, taking control of unregistered domains was just a part of his workflow when it came to stopping botnets and tracking malware. This was so that he could get further insight into how the malware or botnets were spreading. For those of you unaware of what a botnet is, it is essentially a group of computers that have been hijacked by malicious actors, or hackers, in order to be used in their attacks to drive excess network traffic or steal data. One computer that has been hijacked is called a bot, and a network of them is called a botnet.

[00:15:54] However, since, as we discussed earlier, the attack only executes if it's unable to reach the domain that it checks for, think of it as a simple if-then statement: if the infection cannot connect to X domain, then proceed with the infection; if it can reach X domain, stop the attack. And so the malware being able to connect to the domain was known as the kill switch, the big red button that stops the attack from spreading any further.

[00:16:25] But why would the attackers implement a kill switch at all? The first theory is that the creators of WannaCry wanted a way to stop the attack if it ever got out of hand or had any unintentional effects. The second, and the most likely theory, proposed by Hutchins and other security researchers, was that the kill switch was present in order to prevent researchers from looking into the behavior of WannaCry if it was being executed within what is known in security as a sandbox. A sandbox is usually a virtual computer that is used to run malware. It is a contained environment with measures that have been taken to not infect any important files or spread to other networks, much like what I used in chapter 2 to demonstrate the WannaCry ransomware.

[00:17:10] [Music]

[00:17:12] Researchers use these sandboxes to run malware and then use tools to determine the behavior of the attack. This is what Hutchins did, with fake files as well. So the intent behind this kill switch was to destroy the ransomware if it existed within a sandbox environment, again since they didn't want researchers to be able to analyze exactly how it worked.

[00:17:34] However, since the attackers used a static domain, a domain name that did not change for each infection, instead of using dynamically generated domain names like other renditions of this concept would usually do, the WannaCry infections around the world believed that they were being analyzed in a sandbox environment and essentially killed themselves, since every single infection was trying to reach one single hard-coded domain, and now they could, after Hutchins had purchased it and put it online. If it had been a randomly generated domain name, then the infection would only have removed itself from Hutchins's sandbox environment, because the domain he registered would be unique to him and would not affect anyone else.

[00:18:17] This seems to be an amateur mistake, so amateur in fact that researchers have speculated that maybe the intent of the attackers was not monetary gain but rather a more political intention, such as to bring shame to the NSA. However, to this date there is nothing that confirms nor denies the motive of the WannaCry attack.

[00:18:50] The rapid infection had seemed to stop, but for Hutchins, or MalwareTech, and his team the nightmare had only just begun. Less than an hour from when he had activated the domain, it was under attack. The motive of the attackers was to use the Mirai botnet to host a distributed denial of service attack, also known as DDoS, to shut down the domain so that it would be unreachable once again and all the halted infections would resume. A DDoS attack is usually performed to flood a domain with junk traffic till it can't handle any more and is driven offline. The Mirai botnet that the attackers were employing was previously used in one of the largest ever DDoS attacks and was comprised of hundreds and thousands of devices.

[00:19:35] The haunting realization that they were the wall between a flood of infections that was currently being blocked slowly dawned on Hutchins and the other researchers working on the case. They eventually dealt with the issue by taking the site to a cached version, which was capable of handling a much higher traffic load than a live site. Two days after the domain went live, the data showed that two million infections had been halted, showing us what the extent of the damage could have been if it was not for the discovery of the kill switch.

[00:20:25] Marcus Hutchins' story does not stop here. He would go on to be named as a cybercrime hero, a title which he didn't enjoy, as it would bring him unwanted attention: people trying to piece together his address, media camping outside of his house, and in addition to all of this he was still under the pressure of the domain going offline any minute and wreaking havoc. However, he was able to get through these weary days and sleepless nights, only to be thrown back into chaos.

[00:20:57] Three months after the WannaCry attack, in August of 2017, Marcus Hutchins, after partying in Vegas for a week and a half during DEF CON, a hacker convention, was arrested in the airport by the FBI on his way back home. It seemed that Hutchins in his teenage years had developed a malware named Kronos that would steal banking credentials. He would go on to sell this malware to multiple individuals with the help of someone he met online named Vinnie K. Kronos is still an ongoing threat to banks around the world.
585 00:21:30,880 --> 00:21:32,559 hutchins initially battled the charges 586 00:21:32,559 --> 00:21:34,320 with a non-guilty plea 587 00:21:34,320 --> 00:21:36,400 but after a long and exhausting ordeal 588 00:21:36,400 --> 00:21:38,000 that lasted for years 589 00:21:38,000 --> 00:21:40,880 in april 2019 he took a plea deal that 590 00:21:40,880 --> 00:21:42,080 would essentially dismiss 591 00:21:42,080 --> 00:21:45,120 all but two counts set against him 592 00:21:45,120 --> 00:21:47,679 conspiracy to defraud the united states 593 00:21:47,679 --> 00:21:49,280 and actively marketing the kronos 594 00:21:49,280 --> 00:21:50,799 malware 595 00:21:50,799 --> 00:21:52,720 he faced the possibility of a maximum 596 00:21:52,720 --> 00:21:54,960 prison sentence of ten years 597 00:21:54,960 --> 00:21:56,640 but because of his contribution towards 598 00:21:56,640 --> 00:21:58,880 wannacry and as the community had 599 00:21:58,880 --> 00:22:00,480 constantly pointed out 600 00:22:00,480 --> 00:22:02,240 his active involvement in defending the 601 00:22:02,240 --> 00:22:04,240 world against cyber attacks 602 00:22:04,240 --> 00:22:07,520 the judge ruled in his favor he was then 603 00:22:07,520 --> 00:22:08,159 released 604 00:22:08,159 --> 00:22:10,840 with zero jail time and is now a free 605 00:22:10,840 --> 00:22:13,840 man 606 00:22:26,559 --> 00:22:28,799 as stated before wannacry attack 607 00:22:28,799 --> 00:22:31,200 impacted over 150 countries 608 00:22:31,200 --> 00:22:33,919 and approximately 230 000 computers 609 00:22:33,919 --> 00:22:35,200 globally 610 00:22:35,200 --> 00:22:37,520 russia was the most severely infected 611 00:22:37,520 --> 00:22:40,400 with over half the affected computers 612 00:22:40,400 --> 00:22:43,280 india ukraine and taiwan also suffered 613 00:22:43,280 --> 00:22:46,400 significant disruption 614 00:22:48,559 --> 00:22:50,559 the most popular victim to emerge out of 615 00:22:50,559 --> 00:22:52,159 the attacks were the uk's 
national 616 00:22:52,159 --> 00:22:53,280 health service 617 00:22:53,280 --> 00:22:57,200 or the nhs in the nhs over 70 000 618 00:22:57,200 --> 00:22:59,039 devices such as computers 619 00:22:59,039 --> 00:23:02,400 mri scanners devices used to test blood 620 00:23:02,400 --> 00:23:04,720 theater equipment and over 1200 pieces 621 00:23:04,720 --> 00:23:09,840 of diagnostic equipment were affected 622 00:23:10,159 --> 00:23:12,400 approximately the attack cost the nhs 623 00:23:12,400 --> 00:23:14,480 over 92 million euros 624 00:23:14,480 --> 00:23:16,080 and globally the cost amounted to 625 00:23:16,080 --> 00:23:17,919 somewhere between four and eight billion 626 00:23:17,919 --> 00:23:19,840 dollars 627 00:23:19,840 --> 00:23:21,200 you'd think that the attackers who 628 00:23:21,200 --> 00:23:22,720 launched wannacry would have made a 629 00:23:22,720 --> 00:23:24,400 decent amount considering how many 630 00:23:24,400 --> 00:23:25,200 countries 631 00:23:25,200 --> 00:23:28,480 and devices were affected however as of 632 00:23:28,480 --> 00:23:30,400 june 14 2017 633 00:23:30,400 --> 00:23:32,640 when the attacks had begun to subside 634 00:23:32,640 --> 00:23:34,559 they had only made a hundred and thirty 635 00:23:34,559 --> 00:23:35,120 thousand 636 00:23:35,120 --> 00:23:36,960 six hundred and thirty four dollars and 637 00:23:36,960 --> 00:23:38,880 seventy seven cents 638 00:23:38,880 --> 00:23:41,120 victims were urged not to pay the ransom 639 00:23:41,120 --> 00:23:42,720 since not only did it encourage the 640 00:23:42,720 --> 00:23:43,520 hackers 641 00:23:43,520 --> 00:23:45,279 but it also did not guarantee the return 642 00:23:45,279 --> 00:23:47,520 of their data due to skepticism of 643 00:23:47,520 --> 00:23:48,880 whether the attackers could actually 644 00:23:48,880 --> 00:23:50,320 place the paid ransom 645 00:23:50,320 --> 00:23:52,880 to the correct victim this was clearly 646 00:23:52,880 --> 00:23:54,400 evident from the fact that 
a large 647 00:23:54,400 --> 00:23:55,360 proportion 648 00:23:55,360 --> 00:23:57,279 almost all of the affected victims who 649 00:23:57,279 --> 00:23:58,400 had paid the ransom 650 00:23:58,400 --> 00:24:04,110 had still not been returned their data 651 00:24:04,110 --> 00:24:08,910 [Music] 652 00:24:13,679 --> 00:24:15,360 although initially the prime victims of 653 00:24:15,360 --> 00:24:17,360 wannacry were said to be windows xp 654 00:24:17,360 --> 00:24:20,080 clients over 98 of the victims were 655 00:24:20,080 --> 00:24:21,919 actually running unpatched versions of 656 00:24:21,919 --> 00:24:23,120 windows 7 657 00:24:23,120 --> 00:24:25,760 and less than 0.1 percent of the victims 658 00:24:25,760 --> 00:24:28,240 were using windows xp 659 00:24:28,240 --> 00:24:29,919 in the case of russia they believed 660 00:24:29,919 --> 00:24:31,760 updates did more to break their devices 661 00:24:31,760 --> 00:24:34,240 rather than fix them 662 00:24:34,240 --> 00:24:35,919 partly due to the fact that a majority 663 00:24:35,919 --> 00:24:37,679 of people use cracked or pirated 664 00:24:37,679 --> 00:24:38,960 versions of windows 665 00:24:38,960 --> 00:24:40,400 which means they wouldn't have received 666 00:24:40,400 --> 00:24:41,760 the updates which were released by 667 00:24:41,760 --> 00:24:45,120 microsoft months prior to the attack 668 00:24:45,120 --> 00:24:46,559 microsoft eventually released the 669 00:24:46,559 --> 00:24:48,320 updates for systems that were at end of 670 00:24:48,320 --> 00:24:49,200 support 671 00:24:49,200 --> 00:24:51,120 including windows xp and other older 672 00:24:51,120 --> 00:24:53,679 versions of windows 673 00:24:53,679 --> 00:24:55,520 to this day if the domain that marcus 674 00:24:55,520 --> 00:24:57,440 hutchins acquired were to go down 675 00:24:57,440 --> 00:24:59,279 the millions of infections that it has 676 00:24:59,279 --> 00:25:01,120 at bay would be released 677 00:25:01,120 --> 00:25:02,960 but possibly 
ineffective if the 678 00:25:02,960 --> 00:25:04,640 computers had already applied the patch 679 00:25:04,640 --> 00:25:07,600 that microsoft released 680 00:25:07,600 --> 00:25:09,840 eternal blue is still in the wild and 681 00:25:09,840 --> 00:25:11,440 variants of wannacry have since then 682 00:25:11,440 --> 00:25:13,279 surfaced like ui wix 683 00:25:13,279 --> 00:25:15,200 which did not come with a kill switch 684 00:25:15,200 --> 00:25:16,880 and addressed the bitcoin payment issue 685 00:25:16,880 --> 00:25:18,480 by assigning a new address for each 686 00:25:18,480 --> 00:25:20,320 victim to collect payment 687 00:25:20,320 --> 00:25:21,919 therefore easily allowing to track the 688 00:25:21,919 --> 00:25:23,919 payment back to the victim 689 00:25:23,919 --> 00:25:25,840 however since it did not have an 690 00:25:25,840 --> 00:25:27,760 automatic worm-like functionality that 691 00:25:27,760 --> 00:25:29,279 wannacry exhibited 692 00:25:29,279 --> 00:25:32,159 it did not pose much of a threat the 693 00:25:32,159 --> 00:25:34,880 impact of wannacry is still seen today 694 00:25:34,880 --> 00:25:36,720 trend micros data clearly indicates that 695 00:25:36,720 --> 00:25:38,559 wannacry was the most detected malware 696 00:25:38,559 --> 00:25:40,159 family in 2020 697 00:25:40,159 --> 00:25:42,240 thanks to its vulnerable nature and 698 00:25:42,240 --> 00:25:44,159 f-secure reports that the most seen type 699 00:25:44,159 --> 00:25:46,400 of exploit is against the smb version 1 700 00:25:46,400 --> 00:25:47,360 vulnerability 701 00:25:47,360 --> 00:25:49,600 using eternal blue the fact that 702 00:25:49,600 --> 00:25:51,039 attackers still continue to try and 703 00:25:51,039 --> 00:25:52,080 exploit this 704 00:25:52,080 --> 00:25:54,080 must mean that there are organizations 705 00:25:54,080 --> 00:25:55,919 out there who have not patched against 706 00:25:55,919 --> 00:26:11,840 this vulnerability 707 00:26:15,520 --> 00:26:17,840 four years after the 
attack there is 708 00:26:17,840 --> 00:26:19,600 still no confirmed identity of the 709 00:26:19,600 --> 00:26:21,760 creators of the wannacry 710 00:26:21,760 --> 00:26:23,760 there have been accusations towards the 711 00:26:23,760 --> 00:26:24,880 lazarus group 712 00:26:24,880 --> 00:26:27,440 who has strong links to north korea 713 00:26:27,440 --> 00:26:28,159 however 714 00:26:28,159 --> 00:26:31,679 this is nothing more than hearsay so 715 00:26:31,679 --> 00:26:33,520 who is to blame for the catastrophic 716 00:26:33,520 --> 00:26:35,520 damage of wannacry 717 00:26:35,520 --> 00:26:37,360 is it the nsa who should not have 718 00:26:37,360 --> 00:26:39,279 stockpiled exploits without alerting the 719 00:26:39,279 --> 00:26:40,640 necessary entities about the 720 00:26:40,640 --> 00:26:42,400 vulnerabilities 721 00:26:42,400 --> 00:26:43,919 is it the shadow brokers who took 722 00:26:43,919 --> 00:26:46,320 advantage of this stole and released it 723 00:26:46,320 --> 00:26:48,000 into the wild 724 00:26:48,000 --> 00:26:50,400 is it the developers of wannacry or is 725 00:26:50,400 --> 00:26:52,320 it the fault of microsoft who did not 726 00:26:52,320 --> 00:26:53,760 identify this vulnerability 727 00:26:53,760 --> 00:26:56,640 sooner while all of this might be true 728 00:26:56,640 --> 00:26:58,080 to some extent 729 00:26:58,080 --> 00:26:59,919 at the end of the day the actions these 730 00:26:59,919 --> 00:27:01,919 organizations take are largely out of 731 00:27:01,919 --> 00:27:03,600 the control of the public 732 00:27:03,600 --> 00:27:05,760 and business owners who are usually the 733 00:27:05,760 --> 00:27:07,840 victims of the attack 734 00:27:07,840 --> 00:27:10,240 regardless of what we claim the solution 735 00:27:10,240 --> 00:27:11,760 is very simple 736 00:27:11,760 --> 00:27:13,360 make sure we follow the guidelines to 737 00:27:13,360 --> 00:27:15,440 have our data secured 738 00:27:15,440 --> 00:27:17,120 the most crucial of it is to 
have a 739 00:27:17,120 --> 00:27:18,960 consistent schedule for updating our 740 00:27:18,960 --> 00:27:20,240 devices 741 00:27:20,240 --> 00:27:23,279 and to obviously not use outdated 742 00:27:23,279 --> 00:27:24,720 operating systems that put 743 00:27:24,720 --> 00:27:26,960 employee and customer data and their 744 00:27:26,960 --> 00:27:29,360 privacy at huge risks 745 00:27:29,360 --> 00:27:31,039 when it comes to ransomware the most 746 00:27:31,039 --> 00:27:32,880 crucial form of defense is frequent 747 00:27:32,880 --> 00:27:35,200 backup the more frequent it is 748 00:27:35,200 --> 00:27:37,760 the better less than 50 of ransomware 749 00:27:37,760 --> 00:27:39,520 payments actually result in the data 750 00:27:39,520 --> 00:27:41,120 being returned to the victims 751 00:27:41,120 --> 00:27:42,960 and so needless to say payment should 752 00:27:42,960 --> 00:27:44,399 not be an option 753 00:27:44,399 --> 00:27:46,159 lest your goal is to lose money and your 754 00:27:46,159 --> 00:27:47,760 data as well 755 00:27:47,760 --> 00:27:49,520 the biggest mistake that organizations 756 00:27:49,520 --> 00:27:51,760 tend to make is refusing to believe that 757 00:27:51,760 --> 00:27:53,520 they would be a target 758 00:27:53,520 --> 00:27:55,360 according to a study by cloudwords in 759 00:27:55,360 --> 00:27:56,640 2021 760 00:27:56,640 --> 00:27:58,559 every 11 seconds a company is hit by 761 00:27:58,559 --> 00:28:00,640 ransomware and a large proportion of 762 00:28:00,640 --> 00:28:02,240 organizations are small 763 00:28:02,240 --> 00:28:03,919 to medium-sized businesses that never 764 00:28:03,919 --> 00:28:06,080 see it coming as they're often found to 765 00:28:06,080 --> 00:28:07,600 have less than effective security 766 00:28:07,600 --> 00:28:08,960 strategies in place 767 00:28:08,960 --> 00:28:10,480 making them ideal targets for such 768 00:28:10,480 --> 00:28:12,080 attacks 769 00:28:12,080 --> 00:28:13,440 digital transformation during the 
770 00:28:13,440 --> 00:28:15,360 coronavirus pandemic has started to move 771 00:28:15,360 --> 00:28:16,960 businesses to the cloud 772 00:28:16,960 --> 00:28:18,799 and so cyber criminals have now shifted 773 00:28:18,799 --> 00:28:20,720 their focus to the cloud as well 774 00:28:20,720 --> 00:28:22,320 giving them an entirely new attack 775 00:28:22,320 --> 00:28:24,000 surface to work with 776 00:28:24,000 --> 00:28:26,480 the cost of ransomware is said to top 20 777 00:28:26,480 --> 00:28:29,039 billion dollars by the end of 2021 778 00:28:29,039 --> 00:28:32,159 and that is ransomware alone by 2025 779 00:28:32,159 --> 00:28:33,919 cyber security ventures estimates that 780 00:28:33,919 --> 00:28:35,840 cyber crime will cost businesses 781 00:28:35,840 --> 00:28:39,279 10.5 trillion dollars annually 782 00:28:39,279 --> 00:28:41,279 which would amount to just 2 trillion 783 00:28:41,279 --> 00:28:43,039 short of china's economy 784 00:28:43,039 --> 00:28:46,000 the second biggest economy in the world 785 00:28:46,000 --> 00:28:46,320 we 786 00:28:46,320 --> 00:28:48,320 are headed towards bigger and more 787 00:28:48,320 --> 00:28:50,640 destructive attacks than wannacry 788 00:28:50,640 --> 00:28:53,440 and our most reliable defense is our 789 00:28:53,440 --> 00:28:54,240 awareness 790 00:28:54,240 --> 00:28:56,840 and our action to better protect 791 00:28:56,840 --> 00:29:13,840 ourselves thank you for watching 792 00:29:16,120 --> 00:29:19,310 [Music] 793 00:29:24,840 --> 00:29:27,840 me 794 00:29:30,810 --> 00:29:33,380 [Applause] 795 00:29:33,380 --> 00:29:43,780 [Music] 796 00:29:46,770 --> 00:29:51,279 [Music] 797 00:29:51,279 --> 00:29:53,360 you