A small note before we start: as much as this video is meant to be a storytelling experience, I have also intended it to be educational, and so I have coupled the story with how some of these attacks and technologies work. This is my first documentary-style video, and so I appreciate any and all feedback in the comments below. I really hope you enjoy, and hopefully, learn a few new things.

"Right now, a crippling cyberattack has businesses around the world on high alert. The ransomware known as WannaCry..."
"We want to move on to the other developing story this morning, the global cyberattack..."
"The National Security Agency developed this software and it's now being used by criminals around the world to demand ransom."
"Security experts say this is one of the worst and most widespread pieces of malware they've ever seen..."

In May of 2017, a worldwide cyberattack by the name of WannaCry, short for WannaCryptor, impacted over 150 countries and hit around 230,000 computers globally.
Needless to say, it became known as one of the biggest ransomware attacks in history. Let's start at the very beginning. On the morning of the 12th of May, 2017, according to Akamai, the content delivery network, this was the timeline. Reportedly, the first case identified originated from a Southeast Asian ISP and was detected at 7:44 am UTC. Over the next hour, there were cases seen from Latin America, then continental Europe and the UK, then Brazilian and Argentinian ISPs, until at 12:39 pm UTC, 74% of all ISPs in Asia were affected. And by 3:28 pm UTC, the ransomware had taken hold of 65% of Latin American ISPs. WannaCry was spreading, and at an incredible rate. Prior to this, such a quick and widespread ransomware was unheard of. A lot of organizations, unable to recover their losses, were forced to permanently shut down.
Some had to put a pause on their networks and services and reported huge losses, some in millions of dollars. The attack did not discriminate: small to medium-sized businesses, large enterprises, the private sector, the public sector, railways, healthcare, banks, malls, ministries, police, energy companies, ISPs. There just seemed to be no end to the victims. Within a few hours it had spread to over 11 countries, and by the end of the first day of the attack the ransomware had been encountered in 74 countries, within thousands and thousands of organizations. And so it begged the question: how much damage will this really cause over the next few days, or weeks, or months, if no solution presents itself?

"Your surface has been temporarily disconnected."

Ransomware works in a very simple manner. It is the type of malware most commonly spread through phishing attacks, which are essentially emails used to trick a user into clicking a link that leads them to a website where they enter sensitive data, or to download attachments which, if executed, will infect the computer. Although initially suspected, WannaCry did not originate
from a phishing attack, but we'll get to that later. Once a computer is infected, the ransomware runs an encryption process, and usually in less than a minute, some or all of the files in the user's computer, depending on what the ransomware is meant to affect, are converted from plaintext to ciphertext. Plaintext is readable or comprehensible data, and ciphertext is unintelligible gibberish. In order to turn this back into plaintext, the user will need what is known as a decryption key, which the attacker promises to provide if the user were to pay the ransom.

What makes ransomware so dreadful is that once your files have been encrypted, you can't exactly decrypt them and retrieve your data. Well, you can, but with the current technology we have, to break common encryption algorithms used in ransomware attacks, such as RSA, it would take millions to billions to trillions of years.

This is what you'd see if you were to become infected with the WannaCry ransomware. In addition to this intimidating wallpaper, your documents, spreadsheets, images, videos, music and most everyday productivity and
multimedia files become encrypted, essentially being held hostage till the ransom payment has been made.

The Wana Decrypt0r 2.0 comes with a set of instructions, in 28 different languages, for victims to follow in order to recover their files. The attackers demanded $300 worth of Bitcoin, and after three days it would be updated to $600. If the payment were to be made seven days after the infection, the files would be recoverable. However, despite this, they also go on to state that they will return the files for free to, quote, "users who are so poor that they couldn't pay", end quote, after six months. The method of payment: Bitcoin.

The reason that the attackers chose Bitcoin was because it is what we know as a private cryptocurrency. This allows the holder of the currency to remain anonymous. Though the money could be traced to a cryptocurrency wallet, which is where the currency itself is stored, it would be exponentially difficult to find the owner of the wallet without extensive forensic analysis. This is the reason that Bitcoin is used widely on the dark web to purchase guns, drugs and other illegal
goods and services that, for obvious reasons, you would not be able to find on the surface web.

The problem with WannaCry, and what made it exponentially more dangerous than your average ransomware, was its propagating capabilities. But to understand this fully, we need to go back in time a little bit, to 2016. In August of 2016, the Equation Group, suspected to have ties with the National Security Agency's Tailored Operations unit, and described by Kaspersky as one of the most sophisticated cyberattack groups in the world, was said to be hacked by a group called the Shadow Brokers. In this hack, disks full of the NSA's secrets were stolen. This was bad because the NSA houses what we know as nation-state attacks, which are exploits or hacking tools that are used to carry out a hack for their home country against another country. The NSA would essentially recruit a skilled hacker and give them a license to hack, which means if they did carry it out, it wouldn't be illegal, at least in that country, and the hacker would not be charged.

The danger here is that the nation-state tools in themselves are usually pretty effective,
especially considering they are to be used as weapons against entire states and countries.

The NSA is said to have discovered a multitude of other vulnerabilities in the Windows OS as early as 2013, but was speculated to have developed exploits secretly and stockpiled them, rather than reporting them to Microsoft or the infosec community, so that they could weaponize them and utilize them in their nation-state and other attacks.

The Shadow Brokers would go on to auction off some of these tools that were developed, but due to skepticism online on whether the hackers really did have files as dangerous as they had claimed, this would essentially go on to become a catastrophic failure. We can talk quite a bit about the Shadow Brokers; the story is itself worth examining individually, and maybe even in a separate video. But let's narrow our focus down to the leak that made WannaCry possible, which at that point was the fifth leak by the group and was said to be the most damaging one yet.

On April 14, 2017, the Shadow Brokers would post a tweet that linked to their Steem blockchain, on a post titled "Lost in Translation". This leak contained files from the
initial failed auction, which they now decided to release to the public for free. The description accompanying the leaked files doesn't really contain much worth noting. As always, the Shadow Brokers would use broken but still somewhat comprehensible English; however, this is widely speculated not to speak to their proficiency in the language, but rather to be an attempt to mislead analysts and prevent them from yielding any results regarding their identity characterized by how they type. The link, which has now been taken down, takes you to an archive filled with a number of Windows exploits developed by the NSA. It did contain many other valuable tools worth examining, but the ones relevant to our story, and what made a regular ransomware so destructive, were the payload DoublePulsar and the now infamous exploit used in the WannaCry attack: EternalBlue.

Server Message Block version 1, or SMBv1, is a network communication protocol which was developed in 1983.
The function of this protocol would be to allow one Windows computer to communicate with another and share files and printers on a local network. However, SMB version 1 had a critical vulnerability which allowed for what is known as remote arbitrary code execution, in which an attacker would be able to execute whatever code they'd like on their target or victim's computer over the internet, usually with malicious intent. The function of EternalBlue was to take advantage of this vulnerability. Essentially, I'm going to try and strip it down to simplify it as much as possible. When the Shadow Brokers first leaked the NSA tools, hackers took this opportunity to install DoublePulsar, which is a tool which opens what we commonly know in security as a backdoor. Backdoors allow hackers to create an entry point into the system, or a network of systems, and gain easy access later on. The initial infection of WannaCry is not known, but it is speculated that the attackers took advantage of the backdoor to deliver the payload. The payload in this case is the ransomware, WannaCry. When a computer is infected with
WannaCry, oddly, it then tries to connect to the following unregistered domain, which is basically a random string of numbers and letters. If it cannot establish a connection to this domain, then the real damage begins. It scans for port 445 on the network, which is the port that is used to host SMB version 1, and if the port is deemed to be open, it would then proceed to spread to that computer. This is how it propagated so quickly. Whether or not the other users in the network actually downloaded or clicked on anything malicious, regardless, they would be infected, and in seconds all their data would be encrypted. So the damage came in two parts: the ransomware that encrypts the data, and the worm-like component that is used to spread the ransomware to any connected vulnerable devices in the network, as a result of EternalBlue and DoublePulsar. The attack only affected Windows systems, mainly targeting Windows XP, Vista, Windows 7, Windows 8 and Windows 10.
However, a month prior to the leak by the Shadow Brokers, on March 14, 2017, Microsoft was made aware of this vulnerability after it was publicly reported, almost five years after its discovery. Microsoft then released a critical patch to fix this vulnerability: MS17-010. However, despite the release of the patch, a significant number of organizations never updated their systems, and unfortunately there were still major organizations running Windows XP or Server 2003. These devices were at end of support, which means that even if updates were out, they would not receive them, and they would be completely vulnerable to the exploit. If you want to know more about the vulnerability that EternalBlue exploited, it is now logged in the National Vulnerability Database as CVE-2017-0144.

Marcus Hutchins, also known online by his alias MalwareTech, was a 23-year-old British security researcher at Kryptos Logic in LA. After returning from lunch with a friend on the afternoon of the attack, he found himself scouring message boards, where he came across news of a ransomware rapidly taking down
systems in the National Health Service, or NHS, all over the UK. Hutchins, who found it odd that the ransomware was consistently affecting so many devices, concluded that the attack was probably a computer worm and not just a simple ransomware. He quickly requested one of his friends to pass him a sample of the malware so that he could examine it and reverse engineer it to analyze exactly how it worked. Once he had gotten his hands on the malware sample, he ran it in a virtual environment with fake files and found out that it was trying to connect to an unregistered domain, which we discussed earlier in chapter 4.
Hutchins would go on to register this domain for only $10.69, which, unbeknownst to him, would actually halt the WannaCry infection. He would later admit in a tweet that same day that the domain registration leading to a pause in the rapid infection was indeed an accident, dubbing Marcus Hutchins the accidental hero.

To Hutchins, taking control of unregistered domains was just a part of his workflow when it came to stopping botnets and tracking malware. This was so that he could get further insight into how the malware or botnets were spreading. For those of you unaware of what a botnet is, it is essentially a group of computers that have been hijacked by malicious actors, or hackers, in order to be used in their attacks to drive excess network traffic or steal data. One computer that has been hijacked is called a bot, and a network of them is called a botnet. However, since, as we discussed earlier, the attack only executes if it's unable to reach the domains that it checks for, think of it as a simple if-then statement: if the infection cannot connect to X domain, then proceed with the infection.
If it can reach X domain, stop the attack. And so the malware being able to connect to the domain was known as the kill switch, the big red button that stops the attack from spreading any further. But why would the attackers implement a kill switch at all? The first theory is that the creators of WannaCry wanted a way to stop the attack if it ever got out of hand or had any unintentional effects. The second, and the most likely, theory, proposed by Hutchins and other security researchers, was that the kill switch was present in order to prevent researchers from looking into the behavior of WannaCry if it was being executed within what is known in security as a sandbox. A sandbox is usually a virtual computer that is used to run malware. It is a contained environment with measures that have been taken to not infect any important files or spread to other networks, much like what I used in chapter 2 to demonstrate the WannaCry ransomware. Researchers use these sandboxes to run malware and then use tools to determine the behavior of the attack. This is what Hutchins did, with fake files as well. So the intent behind this kill
switch was to destroy the ransomware if it existed within a sandbox environment, again since they didn't want researchers to be able to analyze exactly how it worked. However, since the attackers used a static domain, a domain name that did not change for each infection, instead of using dynamically generated domain names like other renditions of this concept would usually do, the WannaCry infections around the world believed that they were being analyzed in a sandbox environment and essentially killed themselves, since every single infection was trying to reach one single hard-coded domain, and now they could, after Hutchins had purchased it and put it online. If it had been a randomly generated domain name, then the infection would only have removed itself from Hutchins's sandbox environment, because the domain he registered would be unique to him and would not affect anyone else. This seems to be an amateur mistake, so amateur in fact that researchers have speculated that maybe the intent of the attackers was not monetary gain but rather a more political intention, such as to bring shame to the NSA. However,
to this date there is nothing that confirms nor denies the motive of the WannaCry attack.

The rapid infection had seemed to stop, but for Hutchins, or MalwareTech, and his team, the nightmare had only just begun. Less than an hour from when he had activated the domain, it was under attack. The motive of the attackers was to use the Mirai botnet to host a distributed denial of service attack, also known as DDoS, to shut down the domain so that it would be unreachable once again and all the halted infections would resume. A DDoS attack is usually performed to flood a domain with junk traffic till it can't handle any more and is driven offline. The Mirai botnet that the attackers were employing was previously used in one of the largest ever DDoS attacks and was comprised of hundreds of thousands of devices. The haunting realization that they were the wall between a flood of infections that was currently being blocked slowly dawned on Hutchins and the other researchers working on the case. They eventually dealt with the issue by taking the site to a cached version, which was capable of handling a much higher traffic load than a live site. Two days after the domain went live, the
data showed that two million infections had been halted, showing us what the extent of the damage could have been if it was not for the discovery of the kill switch.

Marcus Hutchins' story does not stop here. He would go on to be named as a cybercrime hero, a title which he didn't enjoy, as it would bring him unwanted attention: people trying to piece together his address, media camping outside of his house. And in addition to all of this, he was still under the pressure of the domain going offline any minute and wreaking havoc. However, he was able to get through these weary days and sleepless nights, only to be thrown back into chaos.

Three months after the WannaCry attack, in August of 2017, Marcus Hutchins, after partying in Vegas for a week and a half during DEF CON, a hacker convention, was arrested in the airport by the FBI on his way back home. It seemed that Hutchins in his teenage years had developed a malware named Kronos that would steal banking credentials. He would go on to sell this malware to multiple individuals with the help of someone he met online named Vinnie K. Kronos is still an ongoing threat to banks around the
world. Hutchins initially battled the charges with a not-guilty plea, but after a long and exhausting ordeal that lasted for years, in April 2019 he took a plea deal that would essentially dismiss all but two counts set against him: conspiracy to defraud the United States, and actively marketing the Kronos malware. He faced the possibility of a maximum prison sentence of ten years, but because of his contribution towards WannaCry and, as the community had constantly pointed out, his active involvement in defending the world against cyberattacks, the judge ruled in his favor. He was then released with zero jail time and is now a free man.

As stated before, the WannaCry attack impacted over 150 countries and approximately 230,000 computers globally. Russia was the most severely infected, with over half the affected computers. India, Ukraine and Taiwan also suffered significant disruption.

The most popular victim to emerge out of the attacks was the UK's National Health Service, or the NHS. In the NHS, over 70,000 devices such as computers, MRI scanners, devices used to test blood, theatre equipment and over 1,200 pieces of
diagnostic equipment were affected 0:23:10.159,0:23:12.400 approximately the attack cost the nhs 0:23:12.400,0:23:14.480 over 92 million euros 0:23:14.480,0:23:16.080 and globally the cost amounted to 0:23:16.080,0:23:17.919 somewhere between four and eight billion 0:23:17.919,0:23:19.840 dollars 0:23:19.840,0:23:21.200 you'd think that the attackers who 0:23:21.200,0:23:22.720 launched wannacry would have made a 0:23:22.720,0:23:24.400 decent amount considering how many 0:23:24.400,0:23:25.200 countries 0:23:25.200,0:23:28.480 and devices were affected however as of 0:23:28.480,0:23:30.400 june 14 2017 0:23:30.400,0:23:32.640 when the attacks had begun to subside 0:23:32.640,0:23:34.559 they had only made a hundred and thirty 0:23:34.559,0:23:35.120 thousand 0:23:35.120,0:23:36.960 six hundred and thirty four dollars and 0:23:36.960,0:23:38.880 seventy seven cents 0:23:38.880,0:23:41.120 victims were urged not to pay the ransom 0:23:41.120,0:23:42.720 since not only did it encourage the 0:23:42.720,0:23:43.520 hackers 0:23:43.520,0:23:45.279 but it also did not guarantee the return 0:23:45.279,0:23:47.520 of their data due to skepticism of 0:23:47.520,0:23:48.880 whether the attackers could actually 0:23:48.880,0:23:50.320 place the paid ransom 0:23:50.320,0:23:52.880 to the correct victim this was clearly 0:23:52.880,0:23:54.400 evident from the fact that a large 0:23:54.400,0:23:55.360 proportion 0:23:55.360,0:23:57.279 almost all of the affected victims who 0:23:57.279,0:23:58.400 had paid the ransom 0:23:58.400,0:24:04.110 had still not been returned their data 0:24:04.110,0:24:08.910 [Music] 0:24:13.679,0:24:15.360 although initially the prime victims of 0:24:15.360,0:24:17.360 wannacry were said to be windows xp 0:24:17.360,0:24:20.080 clients over 98 of the victims were 0:24:20.080,0:24:21.919 actually running unpatched versions of 0:24:21.919,0:24:23.120 windows 7 0:24:23.120,0:24:25.760 and less than 0.1 percent of the victims 0:24:25.760,0:24:28.240 were 
using windows xp 0:24:28.240,0:24:29.919 in the case of russia they believed 0:24:29.919,0:24:31.760 updates did more to break their devices 0:24:31.760,0:24:34.240 rather than fix them 0:24:34.240,0:24:35.919 partly due to the fact that a majority 0:24:35.919,0:24:37.679 of people use cracked or pirated 0:24:37.679,0:24:38.960 versions of windows 0:24:38.960,0:24:40.400 which means they wouldn't have received 0:24:40.400,0:24:41.760 the updates which were released by 0:24:41.760,0:24:45.120 microsoft months prior to the attack 0:24:45.120,0:24:46.559 microsoft eventually released the 0:24:46.559,0:24:48.320 updates for systems that were at end of 0:24:48.320,0:24:49.200 support 0:24:49.200,0:24:51.120 including windows xp and other older 0:24:51.120,0:24:53.679 versions of windows 0:24:53.679,0:24:55.520 to this day if the domain that marcus 0:24:55.520,0:24:57.440 hutchins acquired were to go down 0:24:57.440,0:24:59.279 the millions of infections that it has 0:24:59.279,0:25:01.120 at bay would be released 0:25:01.120,0:25:02.960 but possibly ineffective if the 0:25:02.960,0:25:04.640 computers had already applied the patch 0:25:04.640,0:25:07.600 that microsoft released 0:25:07.600,0:25:09.840 eternal blue is still in the wild and 0:25:09.840,0:25:11.440 variants of wannacry have since then 0:25:11.440,0:25:13.279 surfaced like ui wix 0:25:13.279,0:25:15.200 which did not come with a kill switch 0:25:15.200,0:25:16.880 and addressed the bitcoin payment issue 0:25:16.880,0:25:18.480 by assigning a new address for each 0:25:18.480,0:25:20.320 victim to collect payment 0:25:20.320,0:25:21.919 therefore easily allowing to track the 0:25:21.919,0:25:23.919 payment back to the victim 0:25:23.919,0:25:25.840 however since it did not have an 0:25:25.840,0:25:27.760 automatic worm-like functionality that 0:25:27.760,0:25:29.279 wannacry exhibited 0:25:29.279,0:25:32.159 it did not pose much of a threat the 0:25:32.159,0:25:34.880 impact of wannacry is still seen today 
0:25:34.880,0:25:36.720 trend micros data clearly indicates that 0:25:36.720,0:25:38.559 wannacry was the most detected malware 0:25:38.559,0:25:40.159 family in 2020 0:25:40.159,0:25:42.240 thanks to its vulnerable nature and 0:25:42.240,0:25:44.159 f-secure reports that the most seen type 0:25:44.159,0:25:46.400 of exploit is against the smb version 1 0:25:46.400,0:25:47.360 vulnerability 0:25:47.360,0:25:49.600 using eternal blue the fact that 0:25:49.600,0:25:51.039 attackers still continue to try and 0:25:51.039,0:25:52.080 exploit this 0:25:52.080,0:25:54.080 must mean that there are organizations 0:25:54.080,0:25:55.919 out there who have not patched against 0:25:55.919,0:26:11.840 this vulnerability 0:26:15.520,0:26:17.840 four years after the attack there is 0:26:17.840,0:26:19.600 still no confirmed identity of the 0:26:19.600,0:26:21.760 creators of the wannacry 0:26:21.760,0:26:23.760 there have been accusations towards the 0:26:23.760,0:26:24.880 lazarus group 0:26:24.880,0:26:27.440 who has strong links to north korea 0:26:27.440,0:26:28.159 however 0:26:28.159,0:26:31.679 this is nothing more than hearsay so 0:26:31.679,0:26:33.520 who is to blame for the catastrophic 0:26:33.520,0:26:35.520 damage of wannacry 0:26:35.520,0:26:37.360 is it the nsa who should not have 0:26:37.360,0:26:39.279 stockpiled exploits without alerting the 0:26:39.279,0:26:40.640 necessary entities about the 0:26:40.640,0:26:42.400 vulnerabilities 0:26:42.400,0:26:43.919 is it the shadow brokers who took 0:26:43.919,0:26:46.320 advantage of this stole and released it 0:26:46.320,0:26:48.000 into the wild 0:26:48.000,0:26:50.400 is it the developers of wannacry or is 0:26:50.400,0:26:52.320 it the fault of microsoft who did not 0:26:52.320,0:26:53.760 identify this vulnerability 0:26:53.760,0:26:56.640 sooner while all of this might be true 0:26:56.640,0:26:58.080 to some extent 0:26:58.080,0:26:59.919 at the end of the day the actions these 0:26:59.919,0:27:01.919 
organizations take are largely out of 0:27:01.919,0:27:03.600 the control of the public 0:27:03.600,0:27:05.760 and business owners who are usually the 0:27:05.760,0:27:07.840 victims of the attack 0:27:07.840,0:27:10.240 regardless of what we claim the solution 0:27:10.240,0:27:11.760 is very simple 0:27:11.760,0:27:13.360 make sure we follow the guidelines to 0:27:13.360,0:27:15.440 have our data secured 0:27:15.440,0:27:17.120 the most crucial of it is to have a 0:27:17.120,0:27:18.960 consistent schedule for updating our 0:27:18.960,0:27:20.240 devices 0:27:20.240,0:27:23.279 and to obviously not use outdated 0:27:23.279,0:27:24.720 operating systems that put 0:27:24.720,0:27:26.960 employee and customer data and their 0:27:26.960,0:27:29.360 privacy at huge risks 0:27:29.360,0:27:31.039 when it comes to ransomware the most 0:27:31.039,0:27:32.880 crucial form of defense is frequent 0:27:32.880,0:27:35.200 backup the more frequent it is 0:27:35.200,0:27:37.760 the better less than 50 of ransomware 0:27:37.760,0:27:39.520 payments actually result in the data 0:27:39.520,0:27:41.120 being returned to the victims 0:27:41.120,0:27:42.960 and so needless to say payment should 0:27:42.960,0:27:44.399 not be an option 0:27:44.399,0:27:46.159 lest your goal is to lose money and your 0:27:46.159,0:27:47.760 data as well 0:27:47.760,0:27:49.520 the biggest mistake that organizations 0:27:49.520,0:27:51.760 tend to make is refusing to believe that 0:27:51.760,0:27:53.520 they would be a target 0:27:53.520,0:27:55.360 according to a study by cloudwords in 0:27:55.360,0:27:56.640 2021 0:27:56.640,0:27:58.559 every 11 seconds a company is hit by 0:27:58.559,0:28:00.640 ransomware and a large proportion of 0:28:00.640,0:28:02.240 organizations are small 0:28:02.240,0:28:03.919 to medium-sized businesses that never 0:28:03.919,0:28:06.080 see it coming as they're often found to 0:28:06.080,0:28:07.600 have less than effective security 0:28:07.600,0:28:08.960 strategies in 
place 0:28:08.960,0:28:10.480 making them ideal targets for such 0:28:10.480,0:28:12.080 attacks 0:28:12.080,0:28:13.440 digital transformation during the 0:28:13.440,0:28:15.360 coronavirus pandemic has started to move 0:28:15.360,0:28:16.960 businesses to the cloud 0:28:16.960,0:28:18.799 and so cyber criminals have now shifted 0:28:18.799,0:28:20.720 their focus to the cloud as well 0:28:20.720,0:28:22.320 giving them an entirely new attack 0:28:22.320,0:28:24.000 surface to work with 0:28:24.000,0:28:26.480 the cost of ransomware is said to top 20 0:28:26.480,0:28:29.039 billion dollars by the end of 2021 0:28:29.039,0:28:32.159 and that is ransomware alone by 2025 0:28:32.159,0:28:33.919 cyber security ventures estimates that 0:28:33.919,0:28:35.840 cyber crime will cost businesses 0:28:35.840,0:28:39.279 10.5 trillion dollars annually 0:28:39.279,0:28:41.279 which would amount to just 2 trillion 0:28:41.279,0:28:43.039 short of china's economy 0:28:43.039,0:28:46.000 the second biggest economy in the world 0:28:46.000,0:28:46.320 we 0:28:46.320,0:28:48.320 are headed towards bigger and more 0:28:48.320,0:28:50.640 destructive attacks than wannacry 0:28:50.640,0:28:53.440 and our most reliable defense is our 0:28:53.440,0:28:54.240 awareness 0:28:54.240,0:28:56.840 and our action to better protect 0:28:56.840,0:29:13.840 ourselves thank you for watching 0:29:16.120,0:29:19.310 [Music] 0:29:24.840,0:29:27.840 me 0:29:30.810,0:29:33.380 [Applause] 0:29:33.380,0:29:43.780 [Music] 0:29:46.770,0:29:51.279 [Music] 0:29:51.279,0:29:53.360 you