1 00:00:00,000 --> 00:00:09,150 [Music] 2 00:00:10,960 --> 00:00:13,679 A small note before we start, 3 00:00:13,679 --> 00:00:15,599 as much as this video is meant to be a 4 00:00:15,599 --> 00:00:17,440 storytelling experience, 5 00:00:17,440 --> 00:00:18,960 I have also intended it to be 6 00:00:18,960 --> 00:00:20,640 educational, 7 00:00:20,640 --> 00:00:22,480 and so, I have coupled the story along 8 00:00:22,480 --> 00:00:23,840 with how some of these attacks and 9 00:00:23,840 --> 00:00:26,000 technologies work. 10 00:00:26,000 --> 00:00:28,400 This is my first documentary style video, 11 00:00:28,400 --> 00:00:30,800 and so I appreciate any and all feedback 12 00:00:30,800 --> 00:00:33,120 in the comments below. 13 00:00:33,120 --> 00:00:35,680 I really hope you enjoy, and hopefully, 14 00:00:35,680 --> 00:00:38,640 learn a few new things. 15 00:00:40,800 --> 00:00:43,440 Right now, a crippling cyberattack has 16 00:00:43,440 --> 00:00:45,039 businesses around the world 17 00:00:45,039 --> 00:00:47,760 on high alert. The ransomware known as 18 00:00:47,760 --> 00:00:48,719 WannaCry- 19 00:00:48,719 --> 00:00:50,399 We want to move on to the other developing 20 00:00:50,399 --> 00:00:52,333 story this morning, the global cyberattack- 21 00:00:52,333 --> 00:00:54,239 The national security agency 22 00:00:54,239 --> 00:00:56,559 developed this software and it's now 23 00:00:56,559 --> 00:00:58,010 being used by criminals 24 00:00:58,010 --> 00:01:00,051 around the world to demand ransom. 
25 00:01:00,051 --> 00:01:01,760 Security experts say this is one 26 00:01:01,760 --> 00:01:03,280 of the worst and most 27 00:01:03,280 --> 00:01:05,439 widespread pieces of malware they've 28 00:01:05,439 --> 00:01:06,870 ever seen- 29 00:01:06,870 --> 00:01:13,861 [Music] 30 00:01:15,607 --> 00:01:19,247 [Typing] 31 00:01:20,080 --> 00:01:23,040 In May of 2017, a worldwide cyberattack 32 00:01:23,040 --> 00:01:24,799 by the name of WannaCry 33 00:01:24,799 --> 00:01:27,840 shot for WannaCryptor, impacted over 150 34 00:01:27,840 --> 00:01:28,720 countries, 35 00:01:28,720 --> 00:01:31,360 and hit around 230,000 computers 36 00:01:31,360 --> 00:01:32,720 globally. 37 00:01:32,720 --> 00:01:34,560 Needless to say it became known as one 38 00:01:34,560 --> 00:01:36,640 of the biggest ransomware attacks in 39 00:01:36,640 --> 00:01:38,159 history. 40 00:01:38,159 --> 00:01:40,799 Let's start at the very beginning. On the 41 00:01:40,799 --> 00:01:43,119 morning of the 12th of May, 2017, 42 00:01:43,119 --> 00:01:45,360 according to Akamai, the content delivery 43 00:01:45,360 --> 00:01:46,240 network, 44 00:01:46,240 --> 00:01:48,720 this was the timeline. Reportedly the 45 00:01:48,720 --> 00:01:51,200 first case identified originated from a 46 00:01:51,200 --> 00:01:53,600 Southeast Asian ISP which was detected 47 00:01:53,600 --> 00:01:56,411 at 7:44 am UTC. 48 00:01:56,901 --> 00:01:58,399 Over the next hour, there were cases 49 00:01:58,399 --> 00:02:00,240 seen from Latin America, 50 00:02:00,240 --> 00:02:02,960 then the Continental Europe and UK, then 51 00:02:02,960 --> 00:02:06,840 Brazil and Argentinian ISPs until at 12:39 pm 52 00:02:06,840 --> 00:02:09,280 UTC, 74% 53 00:02:09,280 --> 00:02:12,720 of all ISPs in Asia were affected. And by 54 00:02:12,720 --> 00:02:14,800 3:28 pm UTC, 55 00:02:14,800 --> 00:02:17,670 the ransomware had taken hold of 65% 56 00:02:17,670 --> 00:02:20,640 of Latin American ISPs. 
57 00:02:20,640 --> 00:02:22,879 WannaCry was spreading and at an 58 00:02:22,879 --> 00:02:24,640 incredible rate. 59 00:02:24,640 --> 00:02:26,160 Prior to this, such a quick and 60 00:02:26,160 --> 00:02:28,640 widespread ransomware was unheard of. 61 00:02:28,640 --> 00:02:31,040 A lot of organizations, unable to recover 62 00:02:31,040 --> 00:02:31,840 their losses, 63 00:02:31,840 --> 00:02:34,640 were forced to permanently shut down. 64 00:02:34,640 --> 00:02:36,160 Some had to put a pause on their 65 00:02:36,160 --> 00:02:38,319 networks and services, and reported huge 66 00:02:38,319 --> 00:02:39,360 losses, 67 00:02:39,360 --> 00:02:42,480 some in millions of dollars. The attack 68 00:02:42,480 --> 00:02:44,720 did not discriminate. Small to 69 00:02:44,720 --> 00:02:46,400 medium-sized businesses, 70 00:02:46,400 --> 00:02:48,800 large enterprises, the private sector, the 71 00:02:48,800 --> 00:02:50,160 public sector, 72 00:02:50,160 --> 00:02:52,640 railways, healthcare, banks, malls, 73 00:02:52,640 --> 00:02:53,360 ministries, 74 00:02:53,360 --> 00:02:56,560 police, energy companies, ISPs, and there 75 00:02:56,560 --> 00:02:57,440 just seemed to be 76 00:02:57,440 --> 00:03:00,720 no end to the victims. Within few hours, 77 00:03:00,720 --> 00:03:02,720 it had spread to over 11 countries, 78 00:03:02,720 --> 00:03:04,319 and by the end of the first day of the 79 00:03:04,319 --> 00:03:06,159 attack, the ransomware had been 80 00:03:06,159 --> 00:03:08,480 encountered in 74 countries 81 00:03:08,480 --> 00:03:10,319 within thousands and thousands of 82 00:03:10,319 --> 00:03:12,159 organizations. 83 00:03:12,159 --> 00:03:14,879 And so it begged the question, how much 84 00:03:14,879 --> 00:03:16,640 damage will this really cause over the 85 00:03:16,640 --> 00:03:17,599 next few days 86 00:03:17,599 --> 00:03:20,159 or weeks or months if no solution 87 00:03:20,159 --> 00:03:23,040 presents itself? 
88 00:03:23,440 --> 00:03:26,450 Your service has been temporarily disconnected. 89 00:03:26,850 --> 00:03:30,290 [Typing] 90 00:03:31,200 --> 00:03:33,280 [Music] 91 00:03:33,280 --> 00:03:36,239 Ransomware works in a very simple manner. 92 00:03:36,239 --> 00:03:38,080 It is a type of malware most commonly 93 00:03:38,080 --> 00:03:39,920 spread through phishing attacks 94 00:03:39,920 --> 00:03:41,840 which are essentially emails used to 95 00:03:41,840 --> 00:03:44,000 trick a user into clicking a link that 96 00:03:44,000 --> 00:03:45,599 leads them to a website 97 00:03:45,599 --> 00:03:47,840 where they enter sensitive data or to 98 00:03:47,840 --> 00:03:50,159 download attachments which if executed 99 00:03:50,159 --> 00:03:52,239 will infect the computer 100 00:03:52,239 --> 00:03:54,400 although initially suspected wannacry 101 00:03:54,400 --> 00:03:56,799 did not originate from a phishing attack 102 00:03:56,799 --> 00:03:59,680 but we'll get to that once later 103 00:03:59,680 --> 00:04:01,280 computer is infected 104 00:04:01,280 --> 00:04:03,040 the ransomware runs an encryption 105 00:04:03,040 --> 00:04:05,280 process and usually in less than a 106 00:04:05,280 --> 00:04:06,239 minute 107 00:04:06,239 --> 00:04:08,799 some or all the files depending on what 108 00:04:08,799 --> 00:04:10,879 the ransomware is meant to affect in the 109 00:04:10,879 --> 00:04:12,400 user's computer 110 00:04:12,400 --> 00:04:14,239 is converted from plain text to 111 00:04:14,239 --> 00:04:15,840 ciphertext 112 00:04:15,840 --> 00:04:18,239 plain text is readable or comprehensible 113 00:04:18,239 --> 00:04:19,120 data 114 00:04:19,120 --> 00:04:21,120 and ciphertext is unintelligible 115 00:04:21,120 --> 00:04:22,720 gibberish 116 00:04:22,720 --> 00:04:24,639 in order to turn this back into plain 117 00:04:24,639 --> 00:04:27,199 text the user will need what is known as 118 00:04:27,199 --> 00:04:28,800 a decryption key 119 00:04:28,800 --> 00:04:30,880 which the 
attacker promises to provide 120 00:04:30,880 --> 00:04:34,560 if the user were to pay the ransom 121 00:04:34,639 --> 00:04:36,880 what makes ransomware so dreadful is 122 00:04:36,880 --> 00:04:39,360 that once your files have been encrypted 123 00:04:39,360 --> 00:04:41,040 you can't exactly decrypt it and 124 00:04:41,040 --> 00:04:42,960 retrieve your data 125 00:04:42,960 --> 00:04:44,720 well you can but with the current 126 00:04:44,720 --> 00:04:46,639 technology we have to break common 127 00:04:46,639 --> 00:04:48,720 encryption algorithms used in ransomware 128 00:04:48,720 --> 00:04:49,600 attacks 129 00:04:49,600 --> 00:04:52,800 such as the rsa it would take millions 130 00:04:52,800 --> 00:04:57,280 to billions to trillions of years 131 00:04:57,280 --> 00:05:00,410 [Music] 132 00:05:03,520 --> 00:05:05,440 this is what you'd see if you were to 133 00:05:05,440 --> 00:05:07,199 become infected with the wannacry 134 00:05:07,199 --> 00:05:08,639 ransomware 135 00:05:08,639 --> 00:05:10,160 in addition to this intimidating 136 00:05:10,160 --> 00:05:12,479 wallpaper your documents 137 00:05:12,479 --> 00:05:16,160 spreadsheets images videos 138 00:05:16,160 --> 00:05:18,639 music and most everyday productivity and 139 00:05:18,639 --> 00:05:21,039 multimedia files become encrypted 140 00:05:21,039 --> 00:05:22,800 essentially being held hostage till the 141 00:05:22,800 --> 00:05:26,240 ransom payment has been made 142 00:05:27,120 --> 00:05:29,199 the wanted crypto 2.0 comes with a set 143 00:05:29,199 --> 00:05:30,240 of instructions 144 00:05:30,240 --> 00:05:31,919 and in 28 different languages for 145 00:05:31,919 --> 00:05:33,680 victims to follow in order to recover 146 00:05:33,680 --> 00:05:35,199 their files 147 00:05:35,199 --> 00:05:37,759 the attackers demanded for 300 worth of 148 00:05:37,759 --> 00:05:38,639 bitcoin 149 00:05:38,639 --> 00:05:40,560 and after three days would be updated to 150 00:05:40,560 --> 00:05:42,479 six hundred 
dollars 151 00:05:42,479 --> 00:05:44,080 if the payment were to be made seven 152 00:05:44,080 --> 00:05:45,919 days after the infection the files would 153 00:05:45,919 --> 00:05:47,680 be recoverable 154 00:05:47,680 --> 00:05:49,840 however despite this they also go on to 155 00:05:49,840 --> 00:05:51,759 state that they will return the files 156 00:05:51,759 --> 00:05:54,800 for free to quote users who are so poor 157 00:05:54,800 --> 00:05:55,840 that they couldn't pay 158 00:05:55,840 --> 00:05:58,720 end quote after six months the method of 159 00:05:58,720 --> 00:05:59,840 payment 160 00:05:59,840 --> 00:06:02,400 bitcoin 161 00:06:04,160 --> 00:06:06,400 the reason that attackers chose bitcoin 162 00:06:06,400 --> 00:06:07,840 was because it is what we know 163 00:06:07,840 --> 00:06:10,479 as a private cryptocurrency this allows 164 00:06:10,479 --> 00:06:12,080 the holder of the currency to remain 165 00:06:12,080 --> 00:06:13,280 anonymous 166 00:06:13,280 --> 00:06:14,639 though the money could be traced to a 167 00:06:14,639 --> 00:06:16,560 cryptocurrency wallet which is where the 168 00:06:16,560 --> 00:06:18,160 currency itself is stored 169 00:06:18,160 --> 00:06:19,840 it would be exponentially difficult to 170 00:06:19,840 --> 00:06:21,360 find the owner of the wallet without 171 00:06:21,360 --> 00:06:24,319 extensive forensic analysis 172 00:06:24,319 --> 00:06:26,560 this is the reason that bitcoin is used 173 00:06:26,560 --> 00:06:27,840 widely in the dark web 174 00:06:27,840 --> 00:06:30,639 to purchase guns drugs and other illegal 175 00:06:30,639 --> 00:06:32,319 goods and services that for obvious 176 00:06:32,319 --> 00:06:33,199 reasons 177 00:06:33,199 --> 00:06:35,039 you would not be able to find on the 178 00:06:35,039 --> 00:06:48,000 surface web 179 00:06:48,000 --> 00:06:50,080 problem with wannacry and what made it 180 00:06:50,080 --> 00:06:51,919 exponentially more dangerous than your 181 00:06:51,919 --> 00:06:53,280 
average ransomware 182 00:06:53,280 --> 00:06:56,319 was its propagating capabilities 183 00:06:56,319 --> 00:06:58,240 but to understand this fully we need to 184 00:06:58,240 --> 00:06:59,840 go back in time a little bit 185 00:06:59,840 --> 00:07:04,000 to 2016. in august of 2016 the equation 186 00:07:04,000 --> 00:07:05,680 group suspected to have ties with the 187 00:07:05,680 --> 00:07:07,520 national security agency's tailored 188 00:07:07,520 --> 00:07:08,800 operations unit 189 00:07:08,800 --> 00:07:10,880 and described by kaspersky as one of the 190 00:07:10,880 --> 00:07:12,880 most sophisticated cyber attack groups 191 00:07:12,880 --> 00:07:14,080 in the world 192 00:07:14,080 --> 00:07:15,759 was said to be hacked by a group called 193 00:07:15,759 --> 00:07:17,680 the shadow brokers 194 00:07:17,680 --> 00:07:19,919 in this hack disks full of the nsa 195 00:07:19,919 --> 00:07:22,800 secrets were stolen 196 00:07:22,800 --> 00:07:25,039 this was bad because the nsa houses what 197 00:07:25,039 --> 00:07:27,520 we know as nation state attacks 198 00:07:27,520 --> 00:07:29,759 which are exploits or hacking tools that 199 00:07:29,759 --> 00:07:31,280 are used to carry out a hack for their 200 00:07:31,280 --> 00:07:32,479 home country 201 00:07:32,479 --> 00:07:35,199 against another country the nsa would 202 00:07:35,199 --> 00:07:37,120 essentially recruit a skilled hacker and 203 00:07:37,120 --> 00:07:39,280 give them a license to hack 204 00:07:39,280 --> 00:07:41,199 which means if they did carry it out it 205 00:07:41,199 --> 00:07:42,560 wouldn't be illegal 206 00:07:42,560 --> 00:07:44,800 at least in that country and the hacker 207 00:07:44,800 --> 00:07:47,759 would not be charged 208 00:07:48,639 --> 00:07:50,639 the danger here is that the nation-state 209 00:07:50,639 --> 00:07:52,400 tools in itself are usually pretty 210 00:07:52,400 --> 00:07:53,440 effective 211 00:07:53,440 --> 00:07:55,120 especially considering they are to be 212 
00:07:55,120 --> 00:07:57,280 used as weapons against entire states 213 00:07:57,280 --> 00:07:59,840 and countries 214 00:08:03,599 --> 00:08:05,440 the nsa is said to have discovered a 215 00:08:05,440 --> 00:08:07,199 multitude of other vulnerabilities in 216 00:08:07,199 --> 00:08:08,160 the windows os 217 00:08:08,160 --> 00:08:11,280 as early as 2013 but was speculated to 218 00:08:11,280 --> 00:08:13,280 have developed exploits secretly and 219 00:08:13,280 --> 00:08:14,560 stockpile them 220 00:08:14,560 --> 00:08:16,560 rather than reporting it to microsoft or 221 00:08:16,560 --> 00:08:18,240 the infosec community 222 00:08:18,240 --> 00:08:20,000 so that they could weaponize it and 223 00:08:20,000 --> 00:08:21,919 utilize them in their nation state and 224 00:08:21,919 --> 00:08:24,560 other attacks 225 00:08:25,440 --> 00:08:27,199 the shadow brokers would go on to 226 00:08:27,199 --> 00:08:28,720 auction off some of these tools that 227 00:08:28,720 --> 00:08:30,000 were developed 228 00:08:30,000 --> 00:08:32,080 but due to skepticism online on whether 229 00:08:32,080 --> 00:08:34,080 the hackers really did have files as 230 00:08:34,080 --> 00:08:36,159 dangerous as they had claimed 231 00:08:36,159 --> 00:08:37,919 this would essentially go on to become a 232 00:08:37,919 --> 00:08:40,719 catastrophic failure 233 00:08:40,719 --> 00:08:42,399 we can talk quite a bit about the shadow 234 00:08:42,399 --> 00:08:44,800 brokers the story is itself worth 235 00:08:44,800 --> 00:08:46,720 examining individually and maybe even on 236 00:08:46,720 --> 00:08:48,080 a separate video 237 00:08:48,080 --> 00:08:49,760 but let's narrow our focus down to the 238 00:08:49,760 --> 00:08:51,839 leak that made wannacry possible 239 00:08:51,839 --> 00:08:54,000 which at that point was the fifth leak 240 00:08:54,000 --> 00:08:55,760 by the group and was said to be the most 241 00:08:55,760 --> 00:08:58,640 damaging one yet 242 00:08:59,360 --> 00:09:02,080 on 
april 14 2017 the shadow brokers 243 00:09:02,080 --> 00:09:03,600 would post a tweet that linked to their 244 00:09:03,600 --> 00:09:05,120 steam blockchain 245 00:09:05,120 --> 00:09:08,880 on a post titled lost in translation 246 00:09:08,880 --> 00:09:10,399 this leak contained files from the 247 00:09:10,399 --> 00:09:12,160 initial failed auction which they now 248 00:09:12,160 --> 00:09:14,160 decided to release to the public 249 00:09:14,160 --> 00:09:18,080 for free the description accompanying 250 00:09:18,080 --> 00:09:19,839 the leaked files doesn't really contain 251 00:09:19,839 --> 00:09:21,279 much worth noting 252 00:09:21,279 --> 00:09:23,120 as always the shadow brokers would use 253 00:09:23,120 --> 00:09:25,040 broken but still somewhat comprehensible 254 00:09:25,040 --> 00:09:26,399 english 255 00:09:26,399 --> 00:09:28,480 however this is widely speculated not to 256 00:09:28,480 --> 00:09:29,839 speak to their proficiency in the 257 00:09:29,839 --> 00:09:30,640 language 258 00:09:30,640 --> 00:09:32,160 but rather an attempt to mislead 259 00:09:32,160 --> 00:09:33,920 analysts and prevent them from yielding 260 00:09:33,920 --> 00:09:36,240 any results regarding their identity 261 00:09:36,240 --> 00:09:39,519 characterized by how they type 262 00:09:39,519 --> 00:09:41,200 the link which has now been taken down 263 00:09:41,200 --> 00:09:42,800 takes you to an archive filled with a 264 00:09:42,800 --> 00:09:44,640 number of windows exploits developed by 265 00:09:44,640 --> 00:09:46,240 the nsa 266 00:09:46,240 --> 00:09:48,160 it did contain many other valuable tools 267 00:09:48,160 --> 00:09:49,440 worth examining 268 00:09:49,440 --> 00:09:51,279 but the ones relevant to our story and 269 00:09:51,279 --> 00:09:53,040 what made a regular ransomware so 270 00:09:53,040 --> 00:09:54,160 destructive 271 00:09:54,160 --> 00:09:56,880 were the payload double pulsar and the 272 00:09:56,880 --> 00:09:58,560 now infamous exploit used in 
the 273 00:09:58,560 --> 00:09:59,839 wannacry attack 274 00:09:59,839 --> 00:10:05,839 eternal blue 275 00:10:13,120 --> 00:10:15,440 [Music] 276 00:10:15,440 --> 00:10:18,800 server message block version 1 or smb v1 277 00:10:18,800 --> 00:10:20,720 is a network communication protocol 278 00:10:20,720 --> 00:10:23,519 which was developed in 1983. 279 00:10:23,519 --> 00:10:25,440 the function of this protocol would be 280 00:10:25,440 --> 00:10:27,200 to allow one windows computer to 281 00:10:27,200 --> 00:10:28,720 communicate with another 282 00:10:28,720 --> 00:10:30,880 and share files and printers on a local 283 00:10:30,880 --> 00:10:32,399 network 284 00:10:32,399 --> 00:10:34,880 however smb version 1 had a critical 285 00:10:34,880 --> 00:10:36,160 vulnerability 286 00:10:36,160 --> 00:10:39,040 which allowed for what is known as a 287 00:10:39,040 --> 00:10:41,760 remote arbitrary code execution 288 00:10:41,760 --> 00:10:43,440 in which an attacker would be able to 289 00:10:43,440 --> 00:10:45,440 execute whatever code that they'd like 290 00:10:45,440 --> 00:10:47,680 on their target or victim's computer 291 00:10:47,680 --> 00:10:48,800 over the internet 292 00:10:48,800 --> 00:10:51,600 usually with malicious intent the 293 00:10:51,600 --> 00:10:53,360 function of eternal blue was to take 294 00:10:53,360 --> 00:10:55,839 advantage of this vulnerability 295 00:10:55,839 --> 00:10:58,000 essentially i'm going to try and strip 296 00:10:58,000 --> 00:10:59,519 it down to simplify it as much as 297 00:10:59,519 --> 00:11:00,800 possible 298 00:11:00,800 --> 00:11:02,640 when the shadow brokers first leaked the 299 00:11:02,640 --> 00:11:03,920 nsa tools 300 00:11:03,920 --> 00:11:05,920 hackers took this opportunity to install 301 00:11:05,920 --> 00:11:07,519 double pulsar 302 00:11:07,519 --> 00:11:09,200 which is a tool which opens what we 303 00:11:09,200 --> 00:11:10,880 commonly know in security 304 00:11:10,880 --> 00:11:14,000 as a back door 
backdoors allows hackers 305 00:11:14,000 --> 00:11:16,560 to create an entry point into the system 306 00:11:16,560 --> 00:11:18,560 or a network of systems and gain easy 307 00:11:18,560 --> 00:11:20,880 access later on 308 00:11:20,880 --> 00:11:22,880 the initial infection of wannacry is not 309 00:11:22,880 --> 00:11:23,920 known 310 00:11:23,920 --> 00:11:25,680 but it is speculated that the attackers 311 00:11:25,680 --> 00:11:27,120 took advantage of the back door to 312 00:11:27,120 --> 00:11:28,880 deliver the payload 313 00:11:28,880 --> 00:11:30,399 the payload in this case is the 314 00:11:30,399 --> 00:11:32,800 ransomware wannacry 315 00:11:32,800 --> 00:11:34,399 when a computer is infected with 316 00:11:34,399 --> 00:11:36,160 wannacry oddly 317 00:11:36,160 --> 00:11:37,440 it then tries to connect to the 318 00:11:37,440 --> 00:11:39,600 following unregistered domain 319 00:11:39,600 --> 00:11:41,519 which is basically a random string of 320 00:11:41,519 --> 00:11:43,360 numbers and letters 321 00:11:43,360 --> 00:11:45,120 if it cannot establish a connection to 322 00:11:45,120 --> 00:11:48,000 this domain then the real damage begins 323 00:11:48,000 --> 00:11:50,880 it scans for port 445 on the network 324 00:11:50,880 --> 00:11:52,560 which is the port that is used to host 325 00:11:52,560 --> 00:11:54,079 smb version 1 326 00:11:54,079 --> 00:11:56,079 and if the port is deemed to be open it 327 00:11:56,079 --> 00:11:57,600 would then proceed to spread to that 328 00:11:57,600 --> 00:11:59,680 computer 329 00:11:59,680 --> 00:12:01,900 this is how it propagated so quickly 330 00:12:01,900 --> 00:12:03,120 [Music] 331 00:12:03,120 --> 00:12:04,800 whether the other users in the network 332 00:12:04,800 --> 00:12:06,560 actually downloaded or clicked on 333 00:12:06,560 --> 00:12:08,000 anything malicious 334 00:12:08,000 --> 00:12:10,399 regardless they would be infected and in 335 00:12:10,399 --> 00:12:12,000 seconds all their data would 
be 336 00:12:12,000 --> 00:12:13,140 encrypted 337 00:12:13,140 --> 00:12:14,399 [Music] 338 00:12:14,399 --> 00:12:17,360 so the damage came in two parts the 339 00:12:17,360 --> 00:12:19,120 ransomware that encrypts the data 340 00:12:19,120 --> 00:12:20,959 and the worm-like component that is used 341 00:12:20,959 --> 00:12:22,480 to spread the ransomware to any 342 00:12:22,480 --> 00:12:23,279 connected 343 00:12:23,279 --> 00:12:25,600 vulnerable devices in the network as a 344 00:12:25,600 --> 00:12:28,880 result of eternal blue and double pulsar 345 00:12:28,880 --> 00:12:31,360 the attack only affected windows systems 346 00:12:31,360 --> 00:12:33,360 mainly targeting windows xp 347 00:12:33,360 --> 00:12:36,320 vista windows 7 windows 8 and windows 348 00:12:36,320 --> 00:12:37,519 10. 349 00:12:37,519 --> 00:12:39,519 however a month prior to the leak by the 350 00:12:39,519 --> 00:12:42,480 shadow brokers on march 14 2017 351 00:12:42,480 --> 00:12:44,079 microsoft was made aware of this 352 00:12:44,079 --> 00:12:45,920 vulnerability after it was publicly 353 00:12:45,920 --> 00:12:46,800 reported 354 00:12:46,800 --> 00:12:50,480 almost five years after its discovery 355 00:12:50,480 --> 00:12:52,320 microsoft then released a critical patch 356 00:12:52,320 --> 00:12:53,700 to fix this vulnerability 357 00:12:53,700 --> 00:12:54,920 [Music] 358 00:12:54,920 --> 00:12:57,040 ms-17010 359 00:12:57,040 --> 00:12:59,600 however despite the release of the patch 360 00:12:59,600 --> 00:13:01,519 a significant number of organizations 361 00:13:01,519 --> 00:13:03,360 never updated their systems 362 00:13:03,360 --> 00:13:05,680 and unfortunately there were still major 363 00:13:05,680 --> 00:13:08,000 organizations running windows xp 364 00:13:08,000 --> 00:13:11,680 or server 2003 these devices were at end 365 00:13:11,680 --> 00:13:12,959 of support 366 00:13:12,959 --> 00:13:14,800 which means that even if updates were 367 00:13:14,800 --> 00:13:16,639 
out they would not receive them 368 00:13:16,639 --> 00:13:18,839 and be completely vulnerable to the 369 00:13:18,839 --> 00:13:20,800 exploit 370 00:13:20,800 --> 00:13:22,160 if you want to know more about the 371 00:13:22,160 --> 00:13:23,760 vulnerability that the eternalblue 372 00:13:23,760 --> 00:13:24,720 exploited 373 00:13:24,720 --> 00:13:26,160 it is now logged in the national 374 00:13:26,160 --> 00:13:27,760 vulnerability database 375 00:13:27,760 --> 00:13:33,950 as cve 20170144 376 00:13:33,950 --> 00:13:38,200 [Music] 377 00:13:47,920 --> 00:13:50,560 marcus hutchins also known online by his 378 00:13:50,560 --> 00:13:52,320 alias malwa attack 379 00:13:52,320 --> 00:13:54,320 was a 23 year old british security 380 00:13:54,320 --> 00:13:56,160 researcher at kryptos logic 381 00:13:56,160 --> 00:13:59,519 in la after returning from lunch with a 382 00:13:59,519 --> 00:14:01,839 friend on the afternoon of the attack 383 00:14:01,839 --> 00:14:03,600 he found himself scouring messaging 384 00:14:03,600 --> 00:14:04,880 boards where he came across 385 00:14:04,880 --> 00:14:07,519 news of a ransomware rapidly taking down 386 00:14:07,519 --> 00:14:09,680 systems in the national health service 387 00:14:09,680 --> 00:14:13,519 or nhs all over the uk 388 00:14:13,519 --> 00:14:14,959 hutchins who found it odd that the 389 00:14:14,959 --> 00:14:17,040 ransomware was consistently affecting so 390 00:14:17,040 --> 00:14:18,399 many devices 391 00:14:18,399 --> 00:14:20,320 concluded that the attack was probably a 392 00:14:20,320 --> 00:14:21,760 computer worm and not just 393 00:14:21,760 --> 00:14:25,120 a simple ransomware he quickly requested 394 00:14:25,120 --> 00:14:27,040 one of his friends to pass him a sample 395 00:14:27,040 --> 00:14:28,160 of the malware 396 00:14:28,160 --> 00:14:30,000 so that he could examine it and reverse 397 00:14:30,000 --> 00:14:32,000 engineer it to analyze exactly how it 398 00:14:32,000 --> 00:14:33,279 worked 399 
00:14:33,279 --> 00:14:34,880 once he had gotten his hands on the 400 00:14:34,880 --> 00:14:36,320 malware sample 401 00:14:36,320 --> 00:14:38,079 he had run it using a virtual 402 00:14:38,079 --> 00:14:40,160 environment with fake files 403 00:14:40,160 --> 00:14:41,680 and found out that it was trying to 404 00:14:41,680 --> 00:14:44,480 connect to an unregistered domain 405 00:14:44,480 --> 00:14:48,079 which we discussed earlier in chapter 4. 406 00:14:48,079 --> 00:14:49,839 hutchins would go on to register this 407 00:14:49,839 --> 00:14:51,839 domain for only 10 408 00:14:51,839 --> 00:14:55,120 and 69 cents which unbeknownst to him 409 00:14:55,120 --> 00:14:56,839 would actually halt the wannacry 410 00:14:56,839 --> 00:14:58,560 infection 411 00:14:58,560 --> 00:15:00,240 he would later admit in a tweet that 412 00:15:00,240 --> 00:15:02,560 same day that the domain registration 413 00:15:02,560 --> 00:15:04,079 leading to a pause in the rapid 414 00:15:04,079 --> 00:15:05,120 infection 415 00:15:05,120 --> 00:15:08,399 was indeed an accident dubbing marcus 416 00:15:08,399 --> 00:15:09,120 hutchins 417 00:15:09,120 --> 00:15:13,839 as the accidental hero 418 00:15:23,440 --> 00:15:25,680 to hachins taking control of 419 00:15:25,680 --> 00:15:27,680 unregistered domains was just a part of 420 00:15:27,680 --> 00:15:28,880 his workflow 421 00:15:28,880 --> 00:15:30,480 when it came to stopping botnets and 422 00:15:30,480 --> 00:15:32,320 tracking malware 423 00:15:32,320 --> 00:15:33,839 this was so that he could get further 424 00:15:33,839 --> 00:15:35,839 insight into how the malware or botnets 425 00:15:35,839 --> 00:15:37,440 were spreading 426 00:15:37,440 --> 00:15:38,959 for those of you unaware of what a 427 00:15:38,959 --> 00:15:41,199 botnet is it is essentially a group of 428 00:15:41,199 --> 00:15:42,800 computers that have been hijacked by 429 00:15:42,800 --> 00:15:44,240 malicious actors 430 00:15:44,240 --> 00:15:46,160 or hackers in 
order to be used in their 431 00:15:46,160 --> 00:15:47,440 attacks to drive 432 00:15:47,440 --> 00:15:50,560 excess network traffic or steel data 433 00:15:50,560 --> 00:15:52,399 one computer that has been hijacked is 434 00:15:52,399 --> 00:15:54,560 called a bot and a network of them 435 00:15:54,560 --> 00:15:57,680 is called a botnet however 436 00:15:57,680 --> 00:16:00,399 since as we discussed earlier the attack 437 00:16:00,399 --> 00:16:02,320 only executes if it's unable to reach 438 00:16:02,320 --> 00:16:04,639 the domains that it checks for 439 00:16:04,639 --> 00:16:06,839 think of it as a simple if then 440 00:16:06,839 --> 00:16:08,160 statement 441 00:16:08,160 --> 00:16:09,920 if the infection cannot connect to x 442 00:16:09,920 --> 00:16:12,639 domain then proceed with the infection 443 00:16:12,639 --> 00:16:16,560 if it can reach x domain stop the attack 444 00:16:16,560 --> 00:16:18,320 and so the malware being able to connect 445 00:16:18,320 --> 00:16:20,160 to the domain was known as the kill 446 00:16:20,160 --> 00:16:21,199 switch 447 00:16:21,199 --> 00:16:23,199 the big red button that stops the attack 448 00:16:23,199 --> 00:16:25,839 from spreading any further 449 00:16:25,839 --> 00:16:28,240 but why would the attackers implement a 450 00:16:28,240 --> 00:16:30,399 kill switch at all 451 00:16:30,399 --> 00:16:32,240 the first theory is that the creators of 452 00:16:32,240 --> 00:16:34,160 wannacry wanted a way to stop the attack 453 00:16:34,160 --> 00:16:36,480 if it ever got out of hand or had any 454 00:16:36,480 --> 00:16:38,560 unintentional effects 455 00:16:38,560 --> 00:16:40,399 the second and the most likely theory 456 00:16:40,399 --> 00:16:42,320 proposed by hutchins and other security 457 00:16:42,320 --> 00:16:43,519 researchers 458 00:16:43,519 --> 00:16:45,360 was that the kill switch was present in 459 00:16:45,360 --> 00:16:46,800 order to prevent researchers from 460 00:16:46,800 --> 00:16:49,279 looking into 
the behavior of monocry 461 00:16:49,279 --> 00:16:51,120 if it was being executed within what is 462 00:16:51,120 --> 00:16:52,320 known in security 463 00:16:52,320 --> 00:16:55,759 as a sandbox a sandbox is usually a 464 00:16:55,759 --> 00:16:57,519 virtual computer that is used to run 465 00:16:57,519 --> 00:16:58,800 malware 466 00:16:58,800 --> 00:17:00,320 it is a contained environment with 467 00:17:00,320 --> 00:17:02,000 measures that have been taken to not 468 00:17:02,000 --> 00:17:04,559 infect any important files or spread to 469 00:17:04,559 --> 00:17:06,480 other networks 470 00:17:06,480 --> 00:17:08,240 much like what i used in chapter 2 to 471 00:17:08,240 --> 00:17:10,109 demonstrate the wannacry ransomware 472 00:17:10,109 --> 00:17:12,160 [Music] 473 00:17:12,160 --> 00:17:14,240 researchers used these sandboxes to run 474 00:17:14,240 --> 00:17:16,240 malware and then use tools to determine 475 00:17:16,240 --> 00:17:18,480 the behavior of the attack 476 00:17:18,480 --> 00:17:20,240 this is what hutchins did with fake 477 00:17:20,240 --> 00:17:22,640 files as well 478 00:17:22,640 --> 00:17:24,559 so the intent behind this kill switch 479 00:17:24,559 --> 00:17:26,240 was to destroy the ransomware if it 480 00:17:26,240 --> 00:17:28,960 existed within a sandbox environment 481 00:17:28,960 --> 00:17:30,720 again since they didn't want researchers 482 00:17:30,720 --> 00:17:32,480 to be able to analyze exactly how it 483 00:17:32,480 --> 00:17:34,000 worked 484 00:17:34,000 --> 00:17:35,919 however since the attackers used a 485 00:17:35,919 --> 00:17:37,280 static domain 486 00:17:37,280 --> 00:17:38,960 a domain name that did not change for 487 00:17:38,960 --> 00:17:41,039 each infection instead of using 488 00:17:41,039 --> 00:17:43,280 dynamically generated domain names 489 00:17:43,280 --> 00:17:45,039 like other renditions of this concept 490 00:17:45,039 --> 00:17:46,480 would usually do 491 00:17:46,480 --> 00:17:48,400 the 
wannacry infections around the world 492 00:17:48,400 --> 00:17:50,240 believed that it was being analyzed in a 493 00:17:50,240 --> 00:17:51,760 sandbox environment 494 00:17:51,760 --> 00:17:54,160 and essentially killed itself since 495 00:17:54,160 --> 00:17:55,679 every single infection was trying to 496 00:17:55,679 --> 00:17:56,080 reach 497 00:17:56,080 --> 00:17:58,880 one single hard-coded domain and now 498 00:17:58,880 --> 00:18:00,720 they could after hutchins had purchased 499 00:18:00,720 --> 00:18:03,039 it and put it online 500 00:18:03,039 --> 00:18:05,039 if it had been a randomly generated 501 00:18:05,039 --> 00:18:06,160 domain name 502 00:18:06,160 --> 00:18:07,520 then the infection would only have 503 00:18:07,520 --> 00:18:09,520 removed itself from hutchins's sandbox 504 00:18:09,520 --> 00:18:10,880 environment 505 00:18:10,880 --> 00:18:12,400 because the domain he registered would 506 00:18:12,400 --> 00:18:14,000 be unique to him and would not 507 00:18:14,000 --> 00:18:17,200 affect anyone else this 508 00:18:17,200 --> 00:18:20,160 seems to be an amateur mistake so 509 00:18:20,160 --> 00:18:21,840 amateur in fact that the researchers 510 00:18:21,840 --> 00:18:23,760 have speculated that maybe the intent of 511 00:18:23,760 --> 00:18:24,799 the attackers 512 00:18:24,799 --> 00:18:27,679 was not monetary gain but rather a more 513 00:18:27,679 --> 00:18:29,039 political intention 514 00:18:29,039 --> 00:18:31,600 such as to bring shame to the nsa 515 00:18:31,600 --> 00:18:32,480 however 516 00:18:32,480 --> 00:18:34,160 to this date there is nothing that 517 00:18:34,160 --> 00:18:36,000 confirms nor denies the motive 518 00:18:36,000 --> 00:18:43,840 of the wannacry attack 519 00:18:50,720 --> 00:18:53,360 the rapid infection had seemed to stop 520 00:18:53,360 --> 00:18:55,360 but for hutchins or malwater and his 521 00:18:55,360 --> 00:18:58,640 team the nightmare had only just begun 522 00:18:58,640 --> 00:19:00,240 less than 
an hour from when he had 523 00:19:00,240 --> 00:19:03,120 activated the domain, it was under attack. 524 00:19:03,120 --> 00:19:04,880 The motive of the attackers was to use 525 00:19:04,880 --> 00:19:07,280 the Mirai botnet to host a distributed 526 00:19:07,280 --> 00:19:08,960 denial-of-service attack, 527 00:19:08,960 --> 00:19:11,440 also known as DDoS, to shut down the 528 00:19:11,440 --> 00:19:13,360 domain so that it would be unreachable 529 00:19:13,360 --> 00:19:16,160 once again and all the halted infections 530 00:19:16,160 --> 00:19:18,000 would resume. 531 00:19:18,000 --> 00:19:20,000 A DDoS attack is usually performed to 532 00:19:20,000 --> 00:19:21,280 flood a domain with 533 00:19:21,280 --> 00:19:23,120 junk traffic till it can't handle 534 00:19:23,120 --> 00:19:25,840 anymore and is driven offline. 535 00:19:25,840 --> 00:19:27,679 The Mirai botnet that the attackers were 536 00:19:27,679 --> 00:19:29,679 employing was previously used in one of 537 00:19:29,679 --> 00:19:31,760 the largest ever DDoS attacks, 538 00:19:31,760 --> 00:19:33,600 and was comprised of hundreds of 539 00:19:33,600 --> 00:19:35,760 thousands of devices. 540 00:19:35,760 --> 00:19:37,520 The haunting realization that they were 541 00:19:37,520 --> 00:19:39,360 the wall between a flood of infections 542 00:19:39,360 --> 00:19:41,120 that was currently being blocked 543 00:19:41,120 --> 00:19:43,039 slowly dawned on Hutchins and the other 544 00:19:43,039 --> 00:19:46,080 researchers working on the case. 545 00:19:46,080 --> 00:19:47,760 They eventually dealt with the issue by 546 00:19:47,760 --> 00:19:50,000 taking the site to a cached version, 547 00:19:50,000 --> 00:19:51,760 which was capable of handling a much 548 00:19:51,760 --> 00:19:55,200 higher traffic load than a live site. 549 00:19:55,200 --> 00:19:57,280 Two days after the domain went live, the 550 00:19:57,280 --> 00:19:59,200 data showed that two million infections 551 00:19:59,200 --> 00:20:00,480 had been 
halted, 552 00:20:00,480 --> 00:20:02,159 showing us what the extent of the damage 553 00:20:02,159 --> 00:20:03,760 could have been if it was not for the 554 00:20:03,760 --> 00:20:07,840 discovery of the kill switch. 555 00:20:25,360 --> 00:20:28,320 Marcus Hutchins's story does not stop here. 556 00:20:28,320 --> 00:20:30,400 He would go on to be named as a cyber 557 00:20:30,400 --> 00:20:31,760 crime hero, 558 00:20:31,760 --> 00:20:34,159 a title which he didn't enjoy, as it 559 00:20:34,159 --> 00:20:36,880 would bring to him unwanted attention: 560 00:20:36,880 --> 00:20:38,320 people trying to piece together his 561 00:20:38,320 --> 00:20:40,480 address, media camping outside of his 562 00:20:40,480 --> 00:20:41,360 house, 563 00:20:41,360 --> 00:20:43,440 and in addition to all of this, he was 564 00:20:43,440 --> 00:20:45,039 still under the pressure of the domain 565 00:20:45,039 --> 00:20:46,840 going offline any minute and wreaking 566 00:20:46,840 --> 00:20:48,400 havoc. 567 00:20:48,400 --> 00:20:50,400 However, he was able to get through these 568 00:20:50,400 --> 00:20:52,960 weary days and sleepless nights, 569 00:20:52,960 --> 00:20:57,039 only to be thrown back into chaos. 570 00:20:57,200 --> 00:20:59,440 Three months after the WannaCry attack, 571 00:20:59,440 --> 00:21:01,600 in August of 2017, 572 00:21:01,600 --> 00:21:03,919 Marcus Hutchins, after partying in Vegas 573 00:21:03,919 --> 00:21:05,280 for a week and a half 574 00:21:05,280 --> 00:21:08,240 during DEF CON, a hacker convention, was 575 00:21:08,240 --> 00:21:10,320 arrested in the airport by the FBI on 576 00:21:10,320 --> 00:21:12,080 his way back home. 577 00:21:12,080 --> 00:21:13,760 It seemed that Hutchins, in his teenage 578 00:21:13,760 --> 00:21:15,360 years, had developed a malware named 579 00:21:15,360 --> 00:21:16,080 Kronos 580 00:21:16,080 --> 00:21:18,720 that would steal banking credentials. He 581 00:21:18,720 --> 00:21:20,240 would go on to sell this malware to 582 00:21:20,240 --> 
00:21:21,919 multiple individuals with the help of 583 00:21:21,919 --> 00:21:23,440 someone he met online 584 00:21:23,440 --> 00:21:27,360 named Vinny K. Kronos is still an 585 00:21:27,360 --> 00:21:30,880 ongoing threat to banks around the world. 586 00:21:30,880 --> 00:21:32,559 Hutchins initially battled the charges 587 00:21:32,559 --> 00:21:34,320 with a not-guilty plea, 588 00:21:34,320 --> 00:21:36,400 but after a long and exhausting ordeal 589 00:21:36,400 --> 00:21:38,000 that lasted for years, 590 00:21:38,000 --> 00:21:40,880 in April 2019 he took a plea deal that 591 00:21:40,880 --> 00:21:42,080 would essentially dismiss 592 00:21:42,080 --> 00:21:45,120 all but two counts set against him: 593 00:21:45,120 --> 00:21:47,679 conspiracy to defraud the United States, 594 00:21:47,679 --> 00:21:49,280 and actively marketing the Kronos 595 00:21:49,280 --> 00:21:50,799 malware. 596 00:21:50,799 --> 00:21:52,720 He faced the possibility of a maximum 597 00:21:52,720 --> 00:21:54,960 prison sentence of ten years, 598 00:21:54,960 --> 00:21:56,640 but because of his contribution towards 599 00:21:56,640 --> 00:21:58,880 WannaCry and, as the community had 600 00:21:58,880 --> 00:22:00,480 constantly pointed out, 601 00:22:00,480 --> 00:22:02,240 his active involvement in defending the 602 00:22:02,240 --> 00:22:04,240 world against cyber attacks, 603 00:22:04,240 --> 00:22:07,520 the judge ruled in his favor. He was then 604 00:22:07,520 --> 00:22:08,159 released 605 00:22:08,159 --> 00:22:10,840 with zero jail time and is now a free 606 00:22:10,840 --> 00:22:13,840 man. 607 00:22:26,559 --> 00:22:28,799 As stated before, the WannaCry attack 608 00:22:28,799 --> 00:22:31,200 impacted over 150 countries 609 00:22:31,200 --> 00:22:33,919 and approximately 230,000 computers 610 00:22:33,919 --> 00:22:35,200 globally. 611 00:22:35,200 --> 00:22:37,520 Russia was the most severely infected, 612 00:22:37,520 --> 00:22:40,400 with over half the affected computers. 613 00:22:40,400 --> 
00:22:43,280 India, Ukraine and Taiwan also suffered 614 00:22:43,280 --> 00:22:46,400 significant disruption. 615 00:22:48,559 --> 00:22:50,559 The most popular victim to emerge out of 616 00:22:50,559 --> 00:22:52,159 the attacks was the UK's National 617 00:22:52,159 --> 00:22:53,280 Health Service, 618 00:22:53,280 --> 00:22:57,200 or the NHS. In the NHS, over 70,000 619 00:22:57,200 --> 00:22:59,039 devices, such as computers, 620 00:22:59,039 --> 00:23:02,400 MRI scanners, devices used to test blood, 621 00:23:02,400 --> 00:23:04,720 theatre equipment, and over 1,200 pieces 622 00:23:04,720 --> 00:23:09,840 of diagnostic equipment, were affected. 623 00:23:10,159 --> 00:23:12,400 Approximately, the attack cost the NHS 624 00:23:12,400 --> 00:23:14,480 over 92 million euros, 625 00:23:14,480 --> 00:23:16,080 and globally the cost amounted to 626 00:23:16,080 --> 00:23:17,919 somewhere between four and eight billion 627 00:23:17,919 --> 00:23:19,840 dollars. 628 00:23:19,840 --> 00:23:21,200 You'd think that the attackers who 629 00:23:21,200 --> 00:23:22,720 launched WannaCry would have made a 630 00:23:22,720 --> 00:23:24,400 decent amount, considering how many 631 00:23:24,400 --> 00:23:25,200 countries 632 00:23:25,200 --> 00:23:28,480 and devices were affected. However, as of 633 00:23:28,480 --> 00:23:30,400 June 14, 2017, 634 00:23:30,400 --> 00:23:32,640 when the attacks had begun to subside, 635 00:23:32,640 --> 00:23:34,559 they had only made a hundred and thirty 636 00:23:34,559 --> 00:23:35,120 thousand, 637 00:23:35,120 --> 00:23:36,960 six hundred and thirty-four dollars and 638 00:23:36,960 --> 00:23:38,880 seventy-seven cents. 639 00:23:38,880 --> 00:23:41,120 Victims were urged not to pay the ransom, 640 00:23:41,120 --> 00:23:42,720 since not only did it encourage the 641 00:23:42,720 --> 00:23:43,520 hackers, 642 00:23:43,520 --> 00:23:45,279 but it also did not guarantee the return 643 00:23:45,279 --> 00:23:47,520 of their data, due to skepticism of 644 00:23:47,520 
--> 00:23:48,880 whether the attackers could actually 645 00:23:48,880 --> 00:23:50,320 place the paid ransom 646 00:23:50,320 --> 00:23:52,880 with the correct victim. This was clearly 647 00:23:52,880 --> 00:23:54,400 evident from the fact that a large 648 00:23:54,400 --> 00:23:55,360 proportion, 649 00:23:55,360 --> 00:23:57,279 almost all, of the affected victims who 650 00:23:57,279 --> 00:23:58,400 had paid the ransom 651 00:23:58,400 --> 00:24:04,110 had still not been returned their data. 652 00:24:04,110 --> 00:24:08,910 [Music] 653 00:24:13,679 --> 00:24:15,360 Although initially the prime victims of 654 00:24:15,360 --> 00:24:17,360 WannaCry were said to be Windows XP 655 00:24:17,360 --> 00:24:20,080 clients, over 98% of the victims were 656 00:24:20,080 --> 00:24:21,919 actually running unpatched versions of 657 00:24:21,919 --> 00:24:23,120 Windows 7, 658 00:24:23,120 --> 00:24:25,760 and less than 0.1 percent of the victims 659 00:24:25,760 --> 00:24:28,240 were using Windows XP. 660 00:24:28,240 --> 00:24:29,919 In the case of Russia, they believed 661 00:24:29,919 --> 00:24:31,760 updates did more to break their devices 662 00:24:31,760 --> 00:24:34,240 rather than fix them, 663 00:24:34,240 --> 00:24:35,919 partly due to the fact that a majority 664 00:24:35,919 --> 00:24:37,679 of people use cracked or pirated 665 00:24:37,679 --> 00:24:38,960 versions of Windows, 666 00:24:38,960 --> 00:24:40,400 which means they wouldn't have received 667 00:24:40,400 --> 00:24:41,760 the updates which were released by 668 00:24:41,760 --> 00:24:45,120 Microsoft months prior to the attack. 669 00:24:45,120 --> 00:24:46,559 Microsoft eventually released the 670 00:24:46,559 --> 00:24:48,320 updates for systems that were at end of 671 00:24:48,320 --> 00:24:49,200 support, 672 00:24:49,200 --> 00:24:51,120 including Windows XP and other older 673 00:24:51,120 --> 00:24:53,679 versions of Windows. 674 00:24:53,679 --> 00:24:55,520 To this day, if the domain that Marcus 675 
00:24:55,520 --> 00:24:57,440 Hutchins acquired were to go down, 676 00:24:57,440 --> 00:24:59,279 the millions of infections that it holds 677 00:24:59,279 --> 00:25:01,120 at bay would be released, 678 00:25:01,120 --> 00:25:02,960 but possibly ineffective if the 679 00:25:02,960 --> 00:25:04,640 computers had already applied the patch 680 00:25:04,640 --> 00:25:07,600 that Microsoft released. 681 00:25:07,600 --> 00:25:09,840 EternalBlue is still in the wild, and 682 00:25:09,840 --> 00:25:11,440 variants of WannaCry have since then 683 00:25:11,440 --> 00:25:13,279 surfaced, like UIWIX, 684 00:25:13,279 --> 00:25:15,200 which did not come with a kill switch 685 00:25:15,200 --> 00:25:16,880 and addressed the Bitcoin payment issue 686 00:25:16,880 --> 00:25:18,480 by assigning a new address for each 687 00:25:18,480 --> 00:25:20,320 victim to collect payment, 688 00:25:20,320 --> 00:25:21,919 therefore easily allowing the 689 00:25:21,919 --> 00:25:23,919 payment to be tracked back to the victim. 690 00:25:23,919 --> 00:25:25,840 However, since it did not have the 691 00:25:25,840 --> 00:25:27,760 automatic worm-like functionality that 692 00:25:27,760 --> 00:25:29,279 WannaCry exhibited, 693 00:25:29,279 --> 00:25:32,159 it did not pose much of a threat. The 694 00:25:32,159 --> 00:25:34,880 impact of WannaCry is still seen today. 695 00:25:34,880 --> 00:25:36,720 Trend Micro's data clearly indicates that 696 00:25:36,720 --> 00:25:38,559 WannaCry was the most detected malware 697 00:25:38,559 --> 00:25:40,159 family in 2020, 698 00:25:40,159 --> 00:25:42,240 thanks to its vulnerable nature, and 699 00:25:42,240 --> 00:25:44,159 F-Secure reports that the most seen type 700 00:25:44,159 --> 00:25:46,400 of exploit is against the SMB version 1 701 00:25:46,400 --> 00:25:47,360 vulnerability 702 00:25:47,360 --> 00:25:49,600 using EternalBlue. The fact that 703 00:25:49,600 --> 00:25:51,039 attackers still continue to try and 704 00:25:51,039 --> 00:25:52,080 exploit this 705 
00:25:52,080 --> 00:25:54,080 must mean that there are organizations 706 00:25:54,080 --> 00:25:55,919 out there who have not patched against 707 00:25:55,919 --> 00:26:11,840 this vulnerability. 708 00:26:15,520 --> 00:26:17,840 Four years after the attack, there is 709 00:26:17,840 --> 00:26:19,600 still no confirmed identity of the 710 00:26:19,600 --> 00:26:21,760 creators of WannaCry. 711 00:26:21,760 --> 00:26:23,760 There have been accusations towards the 712 00:26:23,760 --> 00:26:24,880 Lazarus Group, 713 00:26:24,880 --> 00:26:27,440 who has strong links to North Korea. 714 00:26:27,440 --> 00:26:28,159 However, 715 00:26:28,159 --> 00:26:31,679 this is nothing more than hearsay. So 716 00:26:31,679 --> 00:26:33,520 who is to blame for the catastrophic 717 00:26:33,520 --> 00:26:35,520 damage of WannaCry? 718 00:26:35,520 --> 00:26:37,360 Is it the NSA, who should not have 719 00:26:37,360 --> 00:26:39,279 stockpiled exploits without alerting the 720 00:26:39,279 --> 00:26:40,640 necessary entities about the 721 00:26:40,640 --> 00:26:42,400 vulnerabilities? 722 00:26:42,400 --> 00:26:43,919 Is it the Shadow Brokers, who took 723 00:26:43,919 --> 00:26:46,320 advantage of this, stole and released it 724 00:26:46,320 --> 00:26:48,000 into the wild? 725 00:26:48,000 --> 00:26:50,400 Is it the developers of WannaCry, or is 726 00:26:50,400 --> 00:26:52,320 it the fault of Microsoft, who did not 727 00:26:52,320 --> 00:26:53,760 identify this vulnerability 728 00:26:53,760 --> 00:26:56,640 sooner? While all of this might be true 729 00:26:56,640 --> 00:26:58,080 to some extent, 730 00:26:58,080 --> 00:26:59,919 at the end of the day the actions these 731 00:26:59,919 --> 00:27:01,919 organizations take are largely out of 732 00:27:01,919 --> 00:27:03,600 the control of the public 733 00:27:03,600 --> 00:27:05,760 and business owners, who are usually the 734 00:27:05,760 --> 00:27:07,840 victims of the attack. 735 00:27:07,840 --> 00:27:10,240 Regardless of what we claim, the 
solution 736 00:27:10,240 --> 00:27:11,760 is very simple: 737 00:27:11,760 --> 00:27:13,360 make sure we follow the guidelines to 738 00:27:13,360 --> 00:27:15,440 have our data secured. 739 00:27:15,440 --> 00:27:17,120 The most crucial of it is to have a 740 00:27:17,120 --> 00:27:18,960 consistent schedule for updating our 741 00:27:18,960 --> 00:27:20,240 devices, 742 00:27:20,240 --> 00:27:23,279 and to obviously not use outdated 743 00:27:23,279 --> 00:27:24,720 operating systems that put 744 00:27:24,720 --> 00:27:26,960 employee and customer data and their 745 00:27:26,960 --> 00:27:29,360 privacy at huge risk. 746 00:27:29,360 --> 00:27:31,039 When it comes to ransomware, the most 747 00:27:31,039 --> 00:27:32,880 crucial form of defense is frequent 748 00:27:32,880 --> 00:27:35,200 backup; the more frequent it is, 749 00:27:35,200 --> 00:27:37,760 the better. Less than 50% of ransomware 750 00:27:37,760 --> 00:27:39,520 payments actually result in the data 751 00:27:39,520 --> 00:27:41,120 being returned to the victims, 752 00:27:41,120 --> 00:27:42,960 and so, needless to say, payment should 753 00:27:42,960 --> 00:27:44,399 not be an option, 754 00:27:44,399 --> 00:27:46,159 unless your goal is to lose money and your 755 00:27:46,159 --> 00:27:47,760 data as well. 756 00:27:47,760 --> 00:27:49,520 The biggest mistake that organizations 757 00:27:49,520 --> 00:27:51,760 tend to make is refusing to believe that 758 00:27:51,760 --> 00:27:53,520 they would be a target. 759 00:27:53,520 --> 00:27:55,360 According to a study by Cloudwards in 760 00:27:55,360 --> 00:27:56,640 2021, 761 00:27:56,640 --> 00:27:58,559 every 11 seconds a company is hit by 762 00:27:58,559 --> 00:28:00,640 ransomware, and a large proportion of 763 00:28:00,640 --> 00:28:02,240 organizations are small 764 00:28:02,240 --> 00:28:03,919 to medium-sized businesses that never 765 00:28:03,919 --> 00:28:06,080 see it coming, as they're often found to 766 00:28:06,080 --> 00:28:07,600 have less than 
effective security 767 00:28:07,600 --> 00:28:08,960 strategies in place, 768 00:28:08,960 --> 00:28:10,480 making them ideal targets for such 769 00:28:10,480 --> 00:28:12,080 attacks. 770 00:28:12,080 --> 00:28:13,440 Digital transformation during the 771 00:28:13,440 --> 00:28:15,360 coronavirus pandemic has started to move 772 00:28:15,360 --> 00:28:16,960 businesses to the cloud, 773 00:28:16,960 --> 00:28:18,799 and so cyber criminals have now shifted 774 00:28:18,799 --> 00:28:20,720 their focus to the cloud as well, 775 00:28:20,720 --> 00:28:22,320 giving them an entirely new attack 776 00:28:22,320 --> 00:28:24,000 surface to work with. 777 00:28:24,000 --> 00:28:26,480 The cost of ransomware is said to top 20 778 00:28:26,480 --> 00:28:29,039 billion dollars by the end of 2021, 779 00:28:29,039 --> 00:28:32,159 and that is ransomware alone. By 2025, 780 00:28:32,159 --> 00:28:33,919 Cybersecurity Ventures estimates that 781 00:28:33,919 --> 00:28:35,840 cyber crime will cost businesses 782 00:28:35,840 --> 00:28:39,279 10.5 trillion dollars annually, 783 00:28:39,279 --> 00:28:41,279 which would amount to just 2 trillion 784 00:28:41,279 --> 00:28:43,039 short of China's economy, 785 00:28:43,039 --> 00:28:46,000 the second biggest economy in the world. 786 00:28:46,000 --> 00:28:46,320 We 787 00:28:46,320 --> 00:28:48,320 are headed towards bigger and more 788 00:28:48,320 --> 00:28:50,640 destructive attacks than WannaCry, 789 00:28:50,640 --> 00:28:53,440 and our most reliable defense is our 790 00:28:53,440 --> 00:28:54,240 awareness 791 00:28:54,240 --> 00:28:56,840 and our action to better protect 792 00:28:56,840 --> 00:29:13,840 ourselves. Thank you for watching. 793 00:29:16,120 --> 00:29:19,310 [Music] 794 00:29:24,840 --> 00:29:27,840 me 795 00:29:30,810 --> 00:29:33,380 [Applause] 796 00:29:33,380 --> 00:29:43,780 [Music] 797 00:29:46,770 --> 00:29:51,279 [Music] 798 00:29:51,279 --> 00:29:53,360 you