1
00:00:00,000 --> 00:00:09,150
[Music]

2
00:00:10,960 --> 00:00:13,679
A small note before we start,

3
00:00:13,679 --> 00:00:15,599
as much as this video is meant to be a

4
00:00:15,599 --> 00:00:17,440
storytelling experience,

5
00:00:17,440 --> 00:00:18,960
I have also intended it to be

6
00:00:18,960 --> 00:00:20,640
educational,

7
00:00:20,640 --> 00:00:22,480
and so, I have coupled the story along

8
00:00:22,480 --> 00:00:23,840
with how some of these attacks and

9
00:00:23,840 --> 00:00:26,000
technologies work.

10
00:00:26,000 --> 00:00:28,400
This is my first documentary-style video,

11
00:00:28,400 --> 00:00:30,800
and so I appreciate any and all feedback

12
00:00:30,800 --> 00:00:33,120
in the comments below.

13
00:00:33,120 --> 00:00:35,680
I really hope you enjoy, and hopefully,

14
00:00:35,680 --> 00:00:38,640
learn a few new things.

15
00:00:40,800 --> 00:00:43,440
Right now, a crippling cyberattack has

16
00:00:43,440 --> 00:00:45,039
businesses around the world

17
00:00:45,039 --> 00:00:47,760
on high alert. The ransomware known as

18
00:00:47,760 --> 00:00:48,719
WannaCry-

19
00:00:48,719 --> 00:00:50,399
We want to move on to the other developing

20
00:00:50,399 --> 00:00:52,333
story this morning, the global cyberattack-

21
00:00:52,333 --> 00:00:54,239
The National Security Agency

22
00:00:54,239 --> 00:00:56,559
developed this software and it's now

23
00:00:56,559 --> 00:00:58,010
being used by criminals

24
00:00:58,010 --> 00:01:00,051
around the world to demand ransom.
25
00:01:00,051 --> 00:01:01,760
Security experts say this is one

26
00:01:01,760 --> 00:01:03,280
of the worst and most

27
00:01:03,280 --> 00:01:05,439
widespread pieces of malware they've

28
00:01:05,439 --> 00:01:06,870
ever seen-

29
00:01:06,870 --> 00:01:13,861
[Music]

30
00:01:15,607 --> 00:01:19,247
[Typing]

31
00:01:20,080 --> 00:01:23,040
In May of 2017, a worldwide cyberattack

32
00:01:23,040 --> 00:01:24,799
by the name of WannaCry,

33
00:01:24,799 --> 00:01:27,840
short for WannaCryptor, impacted over 150

34
00:01:27,840 --> 00:01:28,720
countries,

35
00:01:28,720 --> 00:01:31,360
and hit around 230,000 computers

36
00:01:31,360 --> 00:01:32,720
globally.

37
00:01:32,720 --> 00:01:34,560
Needless to say, it became known as one

38
00:01:34,560 --> 00:01:36,640
of the biggest ransomware attacks in

39
00:01:36,640 --> 00:01:38,159
history.

40
00:01:38,159 --> 00:01:40,799
Let's start at the very beginning. On the

41
00:01:40,799 --> 00:01:43,119
morning of the 12th of May, 2017,

42
00:01:43,119 --> 00:01:45,360
according to Akamai, the content delivery

43
00:01:45,360 --> 00:01:46,240
network,

44
00:01:46,240 --> 00:01:48,720
this was the timeline. Reportedly the

45
00:01:48,720 --> 00:01:51,200
first case identified originated from a

46
00:01:51,200 --> 00:01:53,600
Southeast Asian ISP, which was detected

47
00:01:53,600 --> 00:01:56,411
at 7:44 am UTC.

48
00:01:56,901 --> 00:01:58,399
Over the next hour, there were cases

49
00:01:58,399 --> 00:02:00,240
seen from Latin America,

50
00:02:00,240 --> 00:02:02,960
then Continental Europe and the UK, then

51
00:02:02,960 --> 00:02:06,840
Brazilian and Argentinian ISPs, until at 12:39 pm

52
00:02:06,840 --> 00:02:09,280
UTC, 74%

53
00:02:09,280 --> 00:02:12,720
of all ISPs in Asia were affected. And by

54
00:02:12,720 --> 00:02:14,800
3:28 pm UTC,

55
00:02:14,800 --> 00:02:17,670
the ransomware had taken hold of 65%

56
00:02:17,670 --> 00:02:20,640
of Latin American ISPs.
57
00:02:20,640 --> 00:02:22,879
WannaCry was spreading, and at an

58
00:02:22,879 --> 00:02:24,640
incredible rate.

59
00:02:24,640 --> 00:02:26,160
Prior to this, such a quick and

60
00:02:26,160 --> 00:02:28,640
widespread ransomware was unheard of.

61
00:02:28,640 --> 00:02:31,040
A lot of organizations, unable to recover

62
00:02:31,040 --> 00:02:31,840
their losses,

63
00:02:31,840 --> 00:02:34,640
were forced to permanently shut down.

64
00:02:34,640 --> 00:02:36,160
Some had to put a pause on their

65
00:02:36,160 --> 00:02:38,319
networks and services, and reported huge

66
00:02:38,319 --> 00:02:39,360
losses,

67
00:02:39,360 --> 00:02:42,480
some in the millions of dollars. The attack

68
00:02:42,480 --> 00:02:44,720
did not discriminate. Small to

69
00:02:44,720 --> 00:02:46,400
medium-sized businesses,

70
00:02:46,400 --> 00:02:48,800
large enterprises, the private sector, the

71
00:02:48,800 --> 00:02:50,160
public sector,

72
00:02:50,160 --> 00:02:52,640
railways, healthcare, banks, malls,

73
00:02:52,640 --> 00:02:53,360
ministries,

74
00:02:53,360 --> 00:02:56,560
police, energy companies, ISPs, and there

75
00:02:56,560 --> 00:02:57,440
just seemed to be

76
00:02:57,440 --> 00:03:00,720
no end to the victims. Within a few hours,

77
00:03:00,720 --> 00:03:02,720
it had spread to over 11 countries,

78
00:03:02,720 --> 00:03:04,319
and by the end of the first day of the

79
00:03:04,319 --> 00:03:06,159
attack, the ransomware had been

80
00:03:06,159 --> 00:03:08,480
encountered in 74 countries

81
00:03:08,480 --> 00:03:10,319
within thousands and thousands of

82
00:03:10,319 --> 00:03:12,159
organizations.

83
00:03:12,159 --> 00:03:14,879
And so it begged the question, how much

84
00:03:14,879 --> 00:03:16,640
damage will this really cause over the

85
00:03:16,640 --> 00:03:17,599
next few days

86
00:03:17,599 --> 00:03:20,159
or weeks or months if no solution

87
00:03:20,159 --> 00:03:23,040
presents itself?
88
00:03:23,440 --> 00:03:26,450
Your service has been temporarily disconnected.

89
00:03:26,850 --> 00:03:30,290
[Typing]

90
00:03:31,200 --> 00:03:33,280
[Music]

91
00:03:33,280 --> 00:03:36,239
Ransomware works in a very simple manner.

92
00:03:36,239 --> 00:03:38,080
It is a type of malware most commonly

93
00:03:38,080 --> 00:03:39,920
spread through phishing attacks,

94
00:03:39,920 --> 00:03:41,840
which are essentially emails used to

95
00:03:41,840 --> 00:03:44,000
trick a user into clicking a link that

96
00:03:44,000 --> 00:03:45,599
leads them to a website

97
00:03:45,599 --> 00:03:47,840
where they enter sensitive data, or to

98
00:03:47,840 --> 00:03:50,159
download attachments which, if executed,

99
00:03:50,159 --> 00:03:52,239
will infect the computer.

100
00:03:52,239 --> 00:03:54,400
Although initially suspected, WannaCry

101
00:03:54,400 --> 00:03:56,799
did not originate from a phishing attack,

102
00:03:56,799 --> 00:03:59,240
but we'll get to that later.

103
00:03:59,240 --> 00:04:01,280
Once a computer is infected,

104
00:04:01,280 --> 00:04:03,040
the ransomware runs an encryption

105
00:04:03,040 --> 00:04:05,280
process, and usually in less than a

106
00:04:05,280 --> 00:04:06,239
minute,

107
00:04:06,239 --> 00:04:08,799
some or all of the files, depending on what

108
00:04:08,799 --> 00:04:10,879
the ransomware is meant to affect in the

109
00:04:10,879 --> 00:04:12,400
user's computer,

110
00:04:12,400 --> 00:04:14,239
are converted from plaintext to

111
00:04:14,239 --> 00:04:15,840
ciphertext.

112
00:04:15,840 --> 00:04:18,239
Plaintext is readable or comprehensible

113
00:04:18,239 --> 00:04:19,120
data,

114
00:04:19,120 --> 00:04:21,120
and ciphertext is unintelligible

115
00:04:21,120 --> 00:04:22,720
gibberish.
116
00:04:22,720 --> 00:04:24,639
In order to turn this back into

117
00:04:24,639 --> 00:04:27,199
plaintext, the user will need what is known as

118
00:04:27,199 --> 00:04:28,800
a decryption key,

119
00:04:28,800 --> 00:04:30,880
which the attacker promises to provide

120
00:04:30,880 --> 00:04:34,560
if the user were to pay the ransom.

121
00:04:34,639 --> 00:04:36,880
What makes ransomware so dreadful is

122
00:04:36,880 --> 00:04:39,360
that once your files have been encrypted,

123
00:04:39,360 --> 00:04:41,040
you can't exactly decrypt them and

124
00:04:41,040 --> 00:04:42,960
retrieve your data.

125
00:04:42,960 --> 00:04:44,720
Well, you can, but with the current

126
00:04:44,720 --> 00:04:46,639
technology we have, to break common

127
00:04:46,639 --> 00:04:48,720
encryption algorithms used in ransomware

128
00:04:48,720 --> 00:04:49,600
attacks

129
00:04:49,600 --> 00:04:52,800
such as RSA, it would take millions

130
00:04:52,800 --> 00:04:56,270
to billions to trillions of years.

131
00:04:56,270 --> 00:05:00,410
[Music]

132
00:05:01,465 --> 00:05:03,200
[Typing]

133
00:05:03,520 --> 00:05:05,440
This is what you'd see if you were to

134
00:05:05,440 --> 00:05:07,199
become infected with the WannaCry

135
00:05:07,199 --> 00:05:08,639
ransomware.

136
00:05:08,639 --> 00:05:10,160
In addition to this intimidating

137
00:05:10,160 --> 00:05:12,479
wallpaper, your documents,

138
00:05:12,479 --> 00:05:16,160
spreadsheets, images, videos,

139
00:05:16,160 --> 00:05:18,639
music, and most everyday productivity and

140
00:05:18,639 --> 00:05:21,039
multimedia files become encrypted,

141
00:05:21,039 --> 00:05:22,800
essentially being held hostage till the

142
00:05:22,800 --> 00:05:26,240
ransom payment has been made.
143
00:05:27,120 --> 00:05:29,199
The Wanna Decryptor 2.0 comes with a set

144
00:05:29,199 --> 00:05:30,240
of instructions

145
00:05:30,240 --> 00:05:31,919
in 28 different languages for

146
00:05:31,919 --> 00:05:33,680
victims to follow in order to recover

147
00:05:33,680 --> 00:05:35,199
their files.

148
00:05:35,199 --> 00:05:37,759
The attackers demanded $300 worth of

149
00:05:37,759 --> 00:05:38,639
bitcoin,

150
00:05:38,639 --> 00:05:40,560
and after three days it would be updated to

151
00:05:40,560 --> 00:05:42,479
$600.

152
00:05:42,479 --> 00:05:44,080
If the payment were to be made seven

153
00:05:44,080 --> 00:05:45,919
days after the infection, the files would

154
00:05:45,919 --> 00:05:47,680
be recoverable.

155
00:05:47,680 --> 00:05:49,840
However, despite this, they also go on to

156
00:05:49,840 --> 00:05:51,759
state that they will return the files

157
00:05:51,759 --> 00:05:54,800
for free to "users who are so poor

158
00:05:54,800 --> 00:05:56,510
that they couldn't pay"

159
00:05:56,510 --> 00:05:58,720
after six months. The method of

160
00:05:58,720 --> 00:05:59,840
payment:

161
00:05:59,840 --> 00:06:00,950
bitcoin.

162
00:06:00,950 --> 00:06:04,160
[Music]

163
00:06:04,160 --> 00:06:06,400
The reason the attackers chose bitcoin

164
00:06:06,400 --> 00:06:07,840
was because it is what we know

165
00:06:07,840 --> 00:06:10,479
as a private cryptocurrency. This allows

166
00:06:10,479 --> 00:06:12,080
the holder of the currency to remain

167
00:06:12,080 --> 00:06:13,280
anonymous.

168
00:06:13,280 --> 00:06:14,639
Though the money could be traced to a

169
00:06:14,639 --> 00:06:16,560
cryptocurrency wallet, which is where the

170
00:06:16,560 --> 00:06:18,160
currency itself is stored,

171
00:06:18,160 --> 00:06:19,840
it would be exponentially difficult to

172
00:06:19,840 --> 00:06:21,360
find the owner of the wallet without

173
00:06:21,360 --> 00:06:24,319
extensive forensic analysis.
174
00:06:24,319 --> 00:06:26,560
This is the reason that bitcoin is used

175
00:06:26,560 --> 00:06:27,840
widely on the dark web

176
00:06:27,840 --> 00:06:30,639
to purchase guns, drugs, and other illegal

177
00:06:30,639 --> 00:06:32,260
goods and services that, for obvious

178
00:06:32,260 --> 00:06:33,199
reasons,

179
00:06:33,199 --> 00:06:35,039
you would not be able to find on the

180
00:06:35,039 --> 00:06:36,359
surface web.

181
00:06:38,879 --> 00:06:42,517
[Typing]

182
00:06:48,000 --> 00:06:50,080
The problem with WannaCry, and what made it

183
00:06:50,080 --> 00:06:51,919
exponentially more dangerous than your

184
00:06:51,919 --> 00:06:53,280
average ransomware,

185
00:06:53,280 --> 00:06:56,319
was its propagating capabilities.

186
00:06:56,319 --> 00:06:58,240
But to understand this fully, we need to

187
00:06:58,240 --> 00:06:59,840
go back in time a little bit

188
00:06:59,840 --> 00:07:04,000
to 2016. In August of 2016, the Equation

189
00:07:04,000 --> 00:07:05,680
Group, suspected to have ties with the

190
00:07:05,680 --> 00:07:07,520
National Security Agency's tailored

191
00:07:07,520 --> 00:07:08,800
operations unit,

192
00:07:08,800 --> 00:07:10,880
and described by Kaspersky as one of the

193
00:07:10,880 --> 00:07:12,880
most sophisticated cyberattack groups

194
00:07:12,880 --> 00:07:14,080
in the world,

195
00:07:14,080 --> 00:07:15,759
was said to be hacked by a group called

196
00:07:15,759 --> 00:07:17,680
the Shadow Brokers.

197
00:07:17,680 --> 00:07:19,919
In this hack, disks full of the NSA's

198
00:07:19,919 --> 00:07:21,630
secrets were stolen.
199
00:07:22,800 --> 00:07:25,039
This was bad because the NSA houses what

200
00:07:25,039 --> 00:07:27,520
we know as nation-state attacks,

201
00:07:27,520 --> 00:07:29,759
which are exploits or hacking tools that

202
00:07:29,759 --> 00:07:31,280
are used to carry out a hack for their

203
00:07:31,280 --> 00:07:32,479
home country

204
00:07:32,479 --> 00:07:35,199
against another country. The NSA would

205
00:07:35,199 --> 00:07:37,120
essentially recruit a skilled hacker and

206
00:07:37,120 --> 00:07:39,280
give them a license to hack,

207
00:07:39,280 --> 00:07:41,199
which means if they did carry it out, it

208
00:07:41,199 --> 00:07:42,560
wouldn't be illegal,

209
00:07:42,560 --> 00:07:44,800
at least in that country, and the hacker

210
00:07:44,800 --> 00:07:46,679
would not be charged.

211
00:07:48,639 --> 00:07:50,639
The danger here is that the nation-state

212
00:07:50,639 --> 00:07:52,400
tools in themselves are usually pretty

213
00:07:52,400 --> 00:07:53,440
effective,

214
00:07:53,440 --> 00:07:55,120
especially considering they are to be

215
00:07:55,120 --> 00:07:57,280
used as weapons against entire states

216
00:07:57,280 --> 00:07:58,500
and countries.

217
00:08:00,459 --> 00:08:03,599
[Music]

218
00:08:03,599 --> 00:08:05,440
The NSA is said to have discovered a

219
00:08:05,440 --> 00:08:07,199
multitude of other vulnerabilities in

220
00:08:07,199 --> 00:08:08,160
the Windows OS

221
00:08:08,160 --> 00:08:11,280
as early as 2013, but was speculated to

222
00:08:11,280 --> 00:08:13,280
have developed exploits secretly and

223
00:08:13,280 --> 00:08:14,560
stockpiled them,

224
00:08:14,560 --> 00:08:16,560
rather than reporting them to Microsoft or

225
00:08:16,560 --> 00:08:18,240
the InfoSec community,

226
00:08:18,240 --> 00:08:20,000
so that they could weaponize them and

227
00:08:20,000 --> 00:08:21,919
utilize them in their nation-state and

228
00:08:21,919 --> 00:08:23,690
other attacks.
229
00:08:25,440 --> 00:08:27,199
The Shadow Brokers would go on to

230
00:08:27,199 --> 00:08:28,720
auction off some of these tools that

231
00:08:28,720 --> 00:08:30,000
were developed,

232
00:08:30,000 --> 00:08:32,080
but due to skepticism online as to whether

233
00:08:32,080 --> 00:08:34,080
the hackers really did have files as

234
00:08:34,080 --> 00:08:36,159
dangerous as they had claimed,

235
00:08:36,159 --> 00:08:37,919
this would essentially go on to become a

236
00:08:37,919 --> 00:08:40,719
catastrophic failure.

237
00:08:40,719 --> 00:08:42,399
We can talk quite a bit about the Shadow

238
00:08:42,399 --> 00:08:44,800
Brokers. The story is itself worth

239
00:08:44,800 --> 00:08:46,720
examining individually, and maybe even in

240
00:08:46,720 --> 00:08:48,080
a separate video,

241
00:08:48,080 --> 00:08:49,760
but let's narrow our focus down to the

242
00:08:49,760 --> 00:08:51,839
leak that made WannaCry possible,

243
00:08:51,839 --> 00:08:54,000
which at that point was the fifth leak

244
00:08:54,000 --> 00:08:55,760
by the group and was said to be the most

245
00:08:55,760 --> 00:08:58,640
damaging one yet.

246
00:08:59,360 --> 00:09:02,080
On April 14, 2017, the Shadow Brokers

247
00:09:02,080 --> 00:09:03,600
would post a tweet that linked to their

248
00:09:03,600 --> 00:09:05,120
Steem blockchain

249
00:09:05,120 --> 00:09:08,880
on a post titled "Lost in Translation".

250
00:09:08,880 --> 00:09:10,399
This leak contained files from the

251
00:09:10,399 --> 00:09:12,160
initial failed auction, which they now

252
00:09:12,160 --> 00:09:14,160
decided to release to the public

253
00:09:14,160 --> 00:09:18,080
for free. The description accompanying

254
00:09:18,080 --> 00:09:19,839
the leaked files doesn't really contain

255
00:09:19,839 --> 00:09:21,279
much worth noting.
256
00:09:21,279 --> 00:09:23,120
As always, the Shadow Brokers would use

257
00:09:23,120 --> 00:09:25,040
broken, but still somewhat comprehensible,

258
00:09:25,040 --> 00:09:26,399
English.

259
00:09:26,399 --> 00:09:28,480
However, this is widely speculated not to

260
00:09:28,480 --> 00:09:29,839
speak to their proficiency in the

261
00:09:29,839 --> 00:09:30,640
language,

262
00:09:30,640 --> 00:09:32,160
but rather to be an attempt to mislead

263
00:09:32,160 --> 00:09:33,920
analysts and prevent them from yielding

264
00:09:33,920 --> 00:09:36,240
any results regarding their identity

265
00:09:36,240 --> 00:09:39,519
characterized by how they type.

266
00:09:39,519 --> 00:09:41,200
The link, which has now been taken down,

267
00:09:41,200 --> 00:09:42,800
takes you to an archive filled with a

268
00:09:42,800 --> 00:09:44,640
number of Windows exploits developed by

269
00:09:44,640 --> 00:09:46,240
the NSA.

270
00:09:46,240 --> 00:09:48,160
It did contain many other valuable tools

271
00:09:48,160 --> 00:09:49,440
worth examining,

272
00:09:49,440 --> 00:09:51,279
but the ones relevant to our story, and

273
00:09:51,279 --> 00:09:53,040
what made a regular ransomware so

274
00:09:53,040 --> 00:09:54,160
destructive,

275
00:09:54,160 --> 00:09:56,880
were the payload, DoublePulsar, and the

276
00:09:56,880 --> 00:09:58,560
now infamous exploit used in the

277
00:09:58,560 --> 00:09:59,839
WannaCry attack,

278
00:09:59,839 --> 00:10:01,329
EternalBlue.

279
00:10:01,329 --> 00:10:05,664
[Music]

280
00:10:08,112 --> 00:10:11,441
[Typing]

281
00:10:15,440 --> 00:10:18,800
Server Message Block version 1, or SMBv1,

282
00:10:18,800 --> 00:10:20,720
is a network communication protocol

283
00:10:20,720 --> 00:10:23,519
which was developed in 1983.
284
00:10:23,519 --> 00:10:25,440
The function of this protocol would be

285
00:10:25,440 --> 00:10:27,200
to allow one Windows computer to

286
00:10:27,200 --> 00:10:28,720
communicate with another

287
00:10:28,720 --> 00:10:30,880
and share files and printers on a local

288
00:10:30,880 --> 00:10:32,399
network.

289
00:10:32,399 --> 00:10:34,880
However, SMB version 1 had a critical

290
00:10:34,880 --> 00:10:36,160
vulnerability

291
00:10:36,160 --> 00:10:39,040
which allowed for what is known as

292
00:10:39,040 --> 00:10:41,760
remote arbitrary code execution,

293
00:10:41,760 --> 00:10:43,440
in which an attacker would be able to

294
00:10:43,440 --> 00:10:45,440
execute whatever code they'd like

295
00:10:45,440 --> 00:10:47,680
on their target or victim's computer

296
00:10:47,680 --> 00:10:48,800
over the Internet,

297
00:10:48,800 --> 00:10:51,600
usually with malicious intent. The

298
00:10:51,600 --> 00:10:53,360
function of EternalBlue was to take

299
00:10:53,360 --> 00:10:55,839
advantage of this vulnerability.

300
00:10:55,839 --> 00:10:58,000
Essentially, and I'm going to try and strip

301
00:10:58,000 --> 00:10:59,519
it down to simplify it as much as

302
00:10:59,519 --> 00:11:00,800
possible,

303
00:11:00,800 --> 00:11:02,640
when the Shadow Brokers first leaked the

304
00:11:02,640 --> 00:11:03,920
NSA tools,

305
00:11:03,920 --> 00:11:05,920
hackers took this opportunity to install

306
00:11:05,920 --> 00:11:07,519
DoublePulsar,

307
00:11:07,519 --> 00:11:09,200
which is a tool that opens what we

308
00:11:09,200 --> 00:11:10,880
commonly know in security

309
00:11:10,880 --> 00:11:14,000
as a backdoor. Backdoors allow hackers

310
00:11:14,000 --> 00:11:16,560
to create an entry point into the system

311
00:11:16,560 --> 00:11:18,560
or a network of systems and gain easy

312
00:11:18,560 --> 00:11:20,880
access later on.
313
00:11:20,880 --> 00:11:22,880
The initial infection of WannaCry is not

314
00:11:22,880 --> 00:11:23,920
known,

315
00:11:23,920 --> 00:11:25,680
but it is speculated that the attackers

316
00:11:25,680 --> 00:11:27,120
took advantage of the backdoor to

317
00:11:27,120 --> 00:11:28,880
deliver the payload.

318
00:11:28,880 --> 00:11:30,399
The payload in this case is the

319
00:11:30,399 --> 00:11:32,800
ransomware WannaCry.

320
00:11:32,800 --> 00:11:34,399
When a computer is infected with

321
00:11:34,399 --> 00:11:36,160
WannaCry, oddly,

322
00:11:36,160 --> 00:11:37,440
it then tries to connect to the

323
00:11:37,440 --> 00:11:39,600
following unregistered domain,

324
00:11:39,600 --> 00:11:41,519
which is basically a random string of

325
00:11:41,519 --> 00:11:43,360
numbers and letters.

326
00:11:43,360 --> 00:11:45,120
If it cannot establish a connection to

327
00:11:45,120 --> 00:11:48,000
this domain, then the real damage begins.

328
00:11:48,000 --> 00:11:50,880
It scans for port 445 on the network,

329
00:11:50,880 --> 00:11:52,560
which is the port that is used to host

330
00:11:52,560 --> 00:11:54,079
SMB version 1,

331
00:11:54,079 --> 00:11:56,079
and if the port is deemed to be open, it

332
00:11:56,079 --> 00:11:57,600
would then proceed to spread to that

333
00:11:57,600 --> 00:11:59,280
computer.

334
00:11:59,680 --> 00:12:02,200
This is how it propagated so quickly.

335
00:12:03,120 --> 00:12:04,800
Whether or not the other users in the network

336
00:12:04,800 --> 00:12:06,560
actually downloaded or clicked on

337
00:12:06,560 --> 00:12:08,000
anything malicious,

338
00:12:08,000 --> 00:12:10,399
they would be infected regardless, and in

339
00:12:10,399 --> 00:12:12,000
seconds all their data would be

340
00:12:12,000 --> 00:12:13,140
encrypted.
341
00:12:14,399 --> 00:12:17,360
So the damage came in two parts: the

342
00:12:17,360 --> 00:12:19,120
ransomware that encrypts the data,

343
00:12:19,120 --> 00:12:20,959
and the worm-like component that is used

344
00:12:20,959 --> 00:12:22,480
to spread the ransomware to any

345
00:12:22,480 --> 00:12:23,279
connected,

346
00:12:23,279 --> 00:12:25,600
vulnerable devices in the network as a

347
00:12:25,600 --> 00:12:28,880
result of EternalBlue and DoublePulsar.

348
00:12:28,880 --> 00:12:31,360
The attack only affected Windows systems,

349
00:12:31,360 --> 00:12:33,360
mainly targeting Windows XP,

350
00:12:33,360 --> 00:12:36,320
Vista, Windows 7, Windows 8, and Windows

351
00:12:36,320 --> 00:12:37,519
10.

352
00:12:37,519 --> 00:12:39,519
However, a month prior to the leak by the

353
00:12:39,519 --> 00:12:42,480
Shadow Brokers, on March 14, 2017,

354
00:12:42,480 --> 00:12:44,079
Microsoft was made aware of this

355
00:12:44,079 --> 00:12:45,920
vulnerability after it was publicly

356
00:12:45,920 --> 00:12:46,800
reported,

357
00:12:46,800 --> 00:12:50,480
almost five years after its discovery.

358
00:12:50,480 --> 00:12:52,320
Microsoft then released a critical patch

359
00:12:52,320 --> 00:12:54,070
to fix this vulnerability,

360
00:12:54,070 --> 00:12:57,040
MS17-010.

361
00:12:57,040 --> 00:12:59,600
However, despite the release of the patch,

362
00:12:59,600 --> 00:13:01,519
a significant number of organizations

363
00:13:01,519 --> 00:13:03,360
never updated their systems,

364
00:13:03,360 --> 00:13:05,680
and unfortunately there were still major

365
00:13:05,680 --> 00:13:08,000
organizations running Windows XP

366
00:13:08,000 --> 00:13:11,680
or Server 2003. These devices were at end

367
00:13:11,680 --> 00:13:12,959
of support,

368
00:13:12,959 --> 00:13:14,800
which means that even if updates were

369
00:13:14,800 --> 00:13:16,639
out, they would not receive them

370
00:13:16,639 --> 00:13:18,309
and would be completely vulnerable to the

371
00:13:18,309 --> 00:13:19,710
exploit.

372
00:13:20,800 --> 00:13:22,160
If you want to know more about the

373
00:13:22,160 --> 00:13:23,760
vulnerability that EternalBlue

374
00:13:23,760 --> 00:13:24,720
exploited,

375
00:13:24,720 --> 00:13:26,160
it is now logged in the National

376
00:13:26,160 --> 00:13:27,760
Vulnerability Database

377
00:13:27,760 --> 00:13:32,447
as CVE-2017-0144.

378
00:13:32,447 --> 00:13:36,056
[Music]

379
00:13:38,048 --> 00:13:40,889
[Typing]

380
00:13:47,920 --> 00:13:50,560
Marcus Hutchins, also known online by his

381
00:13:50,560 --> 00:13:52,320
alias MalwareTech,

382
00:13:52,320 --> 00:13:54,320
was a 23-year-old British security

383
00:13:54,320 --> 00:13:56,160
researcher at Kryptos Logic

384
00:13:56,160 --> 00:13:59,519
in LA. After returning from lunch with a

385
00:13:59,519 --> 00:14:01,839
friend on the afternoon of the attack,

386
00:14:01,839 --> 00:14:03,600
he found himself scouring message

387
00:14:03,600 --> 00:14:04,880
boards, where he came across

388
00:14:04,880 --> 00:14:07,519
news of a ransomware rapidly taking down

389
00:14:07,519 --> 00:14:09,680
systems in the National Health Service,

390
00:14:09,680 --> 00:14:13,519
or NHS, all over the UK.

391
00:14:13,519 --> 00:14:14,959
Hutchins, who found it odd that the

392
00:14:14,959 --> 00:14:17,040
ransomware was consistently affecting so

393
00:14:17,040 --> 00:14:18,399
many devices,

394
00:14:18,399 --> 00:14:20,320
concluded that the attack was probably a

395
00:14:20,320 --> 00:14:21,760
computer worm and not just

396
00:14:21,760 --> 00:14:25,120
a simple ransomware. He quickly requested

397
00:14:25,120 --> 00:14:27,040
one of his friends to pass him a sample

398
00:14:27,040 --> 00:14:28,160
of the malware

399
00:14:28,160 --> 00:14:30,000
so that he could examine it and reverse

400
00:14:30,000 --> 00:14:32,000
engineer it to analyze exactly how it

401
00:14:32,000 --> 00:14:33,279
worked.

402
00:14:33,279 --> 00:14:34,880
Once he had gotten his hands on the

403
00:14:34,880 --> 00:14:36,320
malware sample,

404
00:14:36,320 --> 00:14:38,079
he ran it in a virtual

405
00:14:38,079 --> 00:14:40,160
environment with fake files

406
00:14:40,160 --> 00:14:41,680
and found out that it was trying to

407
00:14:41,680 --> 00:14:44,480
connect to an unregistered domain,

408
00:14:44,480 --> 00:14:48,079
which we discussed earlier in Chapter 4.

409
00:14:48,079 --> 00:14:49,839
Hutchins would go on to register this

410
00:14:49,839 --> 00:14:53,708
domain for only $10.69,

411
00:14:53,708 --> 00:14:55,120
which, unbeknownst to him,

412
00:14:55,120 --> 00:14:56,839
would actually halt the WannaCry

413
00:14:56,839 --> 00:14:58,560
infection.

414
00:14:58,560 --> 00:15:00,240
He would later admit in a tweet that

415
00:15:00,240 --> 00:15:02,560
same day that the domain registration

416
00:15:02,560 --> 00:15:04,079
leading to a pause in the rapid

417
00:15:04,079 --> 00:15:05,120
infection

418
00:15:05,120 --> 00:15:08,399
was indeed an accident, dubbing Marcus

419
00:15:08,399 --> 00:15:09,120
Hutchins

420
00:15:09,120 --> 00:15:12,621
as the accidental hero.

421
00:15:12,621 --> 00:15:17,371
[Music]

422
00:15:18,360 --> 00:15:23,350
[Music]

423
00:15:23,440 --> 00:15:25,680
To Hutchins, taking control of

424
00:15:25,680 --> 00:15:27,680
unregistered domains was just a part of

425
00:15:27,680 --> 00:15:28,880
his workflow

426
00:15:28,880 --> 00:15:30,480
when it came to stopping botnets and

427
00:15:30,480 --> 00:15:32,320
tracking malware.
428
00:15:32,320 --> 00:15:33,839
This was so that he could get further

429
00:15:33,839 --> 00:15:35,839
insight into how the malware or botnets

430
00:15:35,839 --> 00:15:37,440
were spreading.

431
00:15:37,440 --> 00:15:38,959
For those of you unaware of what a

432
00:15:38,959 --> 00:15:41,199
botnet is, it is essentially a group of

433
00:15:41,199 --> 00:15:42,800
computers that have been hijacked by

434
00:15:42,800 --> 00:15:44,240
malicious actors

435
00:15:44,240 --> 00:15:46,160
or hackers in order to be used in their

436
00:15:46,160 --> 00:15:47,440
attacks to drive

437
00:15:47,440 --> 00:15:50,560
excess network traffic or steal data.

438
00:15:50,560 --> 00:15:52,399
One computer that has been hijacked is

439
00:15:52,399 --> 00:15:54,560
called a bot, and a network of them

440
00:15:54,560 --> 00:15:57,680
is called a botnet. However,

441
00:15:57,680 --> 00:16:00,399
as we discussed earlier, the attack

442
00:16:00,399 --> 00:16:02,320
only executes if it's unable to reach

443
00:16:02,320 --> 00:16:04,639
the domain that it checks for.

444
00:16:04,639 --> 00:16:06,839
Think of it as a simple if-then

445
00:16:06,839 --> 00:16:08,160
statement.

446
00:16:08,160 --> 00:16:09,920
If the infection cannot connect to

447
00:16:09,920 --> 00:16:12,639
domain X, then proceed with the infection.

448
00:16:12,639 --> 00:16:16,560
If it can reach domain X, stop the attack.

449
00:16:16,560 --> 00:16:18,320
And so the malware being able to connect

450
00:16:18,320 --> 00:16:20,160
to the domain was known as the kill

451
00:16:20,160 --> 00:16:21,199
switch,

452
00:16:21,199 --> 00:16:23,199
the big red button that stops the attack

453
00:16:23,199 --> 00:16:25,839
from spreading any further.

454
00:16:25,839 --> 00:16:28,240
But why would the attackers implement a

455
00:16:28,240 --> 00:16:30,399
kill switch at all?
456
00:16:30,399 --> 00:16:32,240
The first theory is that the creators of

457
00:16:32,240 --> 00:16:34,160
WannaCry wanted a way to stop the attack

458
00:16:34,160 --> 00:16:36,480
if it ever got out of hand or had any

459
00:16:36,480 --> 00:16:38,560
unintentional effects.

460
00:16:38,560 --> 00:16:40,399
The second, and the most likely, theory,

461
00:16:40,399 --> 00:16:42,320
proposed by Hutchins and other security

462
00:16:42,320 --> 00:16:43,519
researchers,

463
00:16:43,519 --> 00:16:45,360
was that the kill switch was present in

464
00:16:45,360 --> 00:16:46,800
order to prevent researchers from

465
00:16:46,800 --> 00:16:49,279
looking into the behavior of WannaCry

466
00:16:49,279 --> 00:16:51,120
if it was being executed within what is

467
00:16:51,120 --> 00:16:52,320
known in security

468
00:16:52,320 --> 00:16:55,759
as a sandbox. A sandbox is usually a

469
00:16:55,759 --> 00:16:57,519
virtual computer that is used to run

470
00:16:57,519 --> 00:16:58,800
malware.

471
00:16:58,800 --> 00:17:00,320
It is a contained environment with

472
00:17:00,320 --> 00:17:02,000
measures that have been taken to not

473
00:17:02,000 --> 00:17:04,559
infect any important files or spread to

474
00:17:04,559 --> 00:17:06,480
other networks.
475 00:17:06,480 --> 00:17:08,240 Much like what I used in chapter 2 to 476 00:17:08,240 --> 00:17:10,109 demonstrate the wannacry ransomware 477 00:17:10,109 --> 00:17:12,160 [Music] 478 00:17:12,160 --> 00:17:14,240 researchers used these sandboxes to run 479 00:17:14,240 --> 00:17:16,240 malware and then use tools to determine 480 00:17:16,240 --> 00:17:18,480 the behavior of the attack 481 00:17:18,480 --> 00:17:20,240 this is what hutchins did with fake 482 00:17:20,240 --> 00:17:22,640 files as well 483 00:17:22,640 --> 00:17:24,559 so the intent behind this kill switch 484 00:17:24,559 --> 00:17:26,240 was to destroy the ransomware if it 485 00:17:26,240 --> 00:17:28,960 existed within a sandbox environment 486 00:17:28,960 --> 00:17:30,720 again since they didn't want researchers 487 00:17:30,720 --> 00:17:32,480 to be able to analyze exactly how it 488 00:17:32,480 --> 00:17:34,000 worked 489 00:17:34,000 --> 00:17:35,919 however since the attackers used a 490 00:17:35,919 --> 00:17:37,280 static domain 491 00:17:37,280 --> 00:17:38,960 a domain name that did not change for 492 00:17:38,960 --> 00:17:41,039 each infection instead of using 493 00:17:41,039 --> 00:17:43,280 dynamically generated domain names 494 00:17:43,280 --> 00:17:45,039 like other renditions of this concept 495 00:17:45,039 --> 00:17:46,480 would usually do 496 00:17:46,480 --> 00:17:48,400 the wannacry infections around the world 497 00:17:48,400 --> 00:17:50,240 believed that it was being analyzed in a 498 00:17:50,240 --> 00:17:51,760 sandbox environment 499 00:17:51,760 --> 00:17:54,160 and essentially killed itself since 500 00:17:54,160 --> 00:17:55,679 every single infection was trying to 501 00:17:55,679 --> 00:17:56,080 reach 502 00:17:56,080 --> 00:17:58,880 one single hard-coded domain and now 503 00:17:58,880 --> 00:18:00,720 they could after hutchins had purchased 504 00:18:00,720 --> 00:18:03,039 it and put it online 505 00:18:03,039 --> 00:18:05,039 if it had been a 
randomly generated 506 00:18:05,039 --> 00:18:06,160 domain name, 507 00:18:06,160 --> 00:18:07,520 then the infection would only have 508 00:18:07,520 --> 00:18:09,520 removed itself from Hutchins's sandbox 509 00:18:09,520 --> 00:18:10,880 environment, 510 00:18:10,880 --> 00:18:12,400 because the domain he registered would 511 00:18:12,400 --> 00:18:14,000 be unique to him and would not 512 00:18:14,000 --> 00:18:17,200 affect anyone else. This 513 00:18:17,200 --> 00:18:20,160 seems to be an amateur mistake, so 514 00:18:20,160 --> 00:18:21,840 amateur, in fact, that researchers 515 00:18:21,840 --> 00:18:23,760 have speculated that maybe the intent of 516 00:18:23,760 --> 00:18:24,799 the attackers 517 00:18:24,799 --> 00:18:27,679 was not monetary gain but rather a more 518 00:18:27,679 --> 00:18:29,039 political intention, 519 00:18:29,039 --> 00:18:31,600 such as to bring shame to the NSA. 520 00:18:31,600 --> 00:18:32,480 However, 521 00:18:32,480 --> 00:18:34,160 to this date there is nothing that 522 00:18:34,160 --> 00:18:36,000 confirms or denies the motive 523 00:18:36,000 --> 00:18:43,840 of the WannaCry attack. 524 00:18:50,720 --> 00:18:53,360 The rapid infection had seemed to stop, 525 00:18:53,360 --> 00:18:55,360 but for Hutchins, or MalwareTech, and his 526 00:18:55,360 --> 00:18:58,640 team, the nightmare had only just begun. 527 00:18:58,640 --> 00:19:00,240 Less than an hour from when he had 528 00:19:00,240 --> 00:19:03,120 activated the domain, it was under attack. 529 00:19:03,120 --> 00:19:04,880 The motive of the attackers was to use 530 00:19:04,880 --> 00:19:07,280 the Mirai botnet to host a distributed 531 00:19:07,280 --> 00:19:08,960 denial of service attack, 532 00:19:08,960 --> 00:19:11,440 also known as DDoS, to shut down the 533 00:19:11,440 --> 00:19:13,360 domain so that it would be unreachable 534 00:19:13,360 --> 00:19:16,160 once again and all the halted infections 535 00:19:16,160 --> 00:19:18,000 would resume. 536 00:19:18,000 -->
00:19:20,000 A DDoS attack is usually performed to 537 00:19:20,000 --> 00:19:21,280 flood a domain with 538 00:19:21,280 --> 00:19:23,120 junk traffic until it can't handle 539 00:19:23,120 --> 00:19:25,840 any more and is driven offline. 540 00:19:25,840 --> 00:19:27,679 The Mirai botnet that the attackers were 541 00:19:27,679 --> 00:19:29,679 employing was previously used in one of 542 00:19:29,679 --> 00:19:31,760 the largest ever DDoS attacks 543 00:19:31,760 --> 00:19:33,600 and was comprised of hundreds of 544 00:19:33,600 --> 00:19:35,760 thousands of devices. 545 00:19:35,760 --> 00:19:37,520 The haunting realization that they were 546 00:19:37,520 --> 00:19:39,360 the wall holding back a flood of infections 547 00:19:39,360 --> 00:19:41,120 that was currently being blocked 548 00:19:41,120 --> 00:19:43,039 slowly dawned on Hutchins and the other 549 00:19:43,039 --> 00:19:46,080 researchers working on the case. 550 00:19:46,080 --> 00:19:47,760 They eventually dealt with the issue by 551 00:19:47,760 --> 00:19:50,000 moving the site to a cached version, 552 00:19:50,000 --> 00:19:51,760 which was capable of handling a much 553 00:19:51,760 --> 00:19:55,200 higher traffic load than a live site. 554 00:19:55,200 --> 00:19:57,280 Two days after the domain went live, the 555 00:19:57,280 --> 00:19:59,200 data showed that two million infections 556 00:19:59,200 --> 00:20:00,480 had been halted, 557 00:20:00,480 --> 00:20:02,159 showing us what the extent of the damage 558 00:20:02,159 --> 00:20:03,760 could have been if it was not for the 559 00:20:03,760 --> 00:20:07,840 discovery of the kill switch. 560 00:20:25,360 --> 00:20:28,320 Marcus Hutchins' story does not stop here. 561 00:20:28,320 --> 00:20:30,400 He would go on to be named as a cyber 562 00:20:30,400 --> 00:20:31,760 crime hero, 563 00:20:31,760 --> 00:20:34,159 a title which he didn't enjoy as it 564 00:20:34,159 --> 00:20:36,880 would bring him unwanted attention: 565 00:20:36,880 --> 00:20:38,320 people
trying to piece together his 566 00:20:38,320 --> 00:20:40,480 address, media camping outside of his 567 00:20:40,480 --> 00:20:41,360 house. 568 00:20:41,360 --> 00:20:43,440 And in addition to all of this, he was 569 00:20:43,440 --> 00:20:45,039 still under the pressure of the domain 570 00:20:45,039 --> 00:20:46,840 going offline any minute and wreaking 571 00:20:46,840 --> 00:20:48,400 havoc. 572 00:20:48,400 --> 00:20:50,400 However, he was able to get through these 573 00:20:50,400 --> 00:20:52,960 weary days and sleepless nights, 574 00:20:52,960 --> 00:20:57,039 only to be thrown back into chaos. 575 00:20:57,200 --> 00:20:59,440 Three months after the WannaCry attack, 576 00:20:59,440 --> 00:21:01,600 in August of 2017, 577 00:21:01,600 --> 00:21:03,919 Marcus Hutchins, after partying in Vegas 578 00:21:03,919 --> 00:21:05,280 for a week and a half 579 00:21:05,280 --> 00:21:08,240 during DEF CON, a hacker convention, was 580 00:21:08,240 --> 00:21:10,320 arrested in the airport by the FBI on 581 00:21:10,320 --> 00:21:12,080 his way back home. 582 00:21:12,080 --> 00:21:13,760 It seemed that Hutchins, in his teenage 583 00:21:13,760 --> 00:21:15,360 years, had developed a malware named 584 00:21:15,360 --> 00:21:16,080 Kronos 585 00:21:16,080 --> 00:21:18,720 that would steal banking credentials. He 586 00:21:18,720 --> 00:21:20,240 would go on to sell this malware to 587 00:21:20,240 --> 00:21:21,919 multiple individuals with the help of 588 00:21:21,919 --> 00:21:23,440 someone he met online 589 00:21:23,440 --> 00:21:27,360 named Vinny K. Kronos is still an 590 00:21:27,360 --> 00:21:30,880 ongoing threat to banks around the world. 591 00:21:30,880 --> 00:21:32,559 Hutchins initially battled the charges 592 00:21:32,559 --> 00:21:34,320 with a not-guilty plea, 593 00:21:34,320 --> 00:21:36,400 but after a long and exhausting ordeal 594 00:21:36,400 --> 00:21:38,000 that lasted for years, 595 00:21:38,000 --> 00:21:40,880 in April 2019 he took a plea deal that 596
00:21:40,880 --> 00:21:42,080 would essentially dismiss 597 00:21:42,080 --> 00:21:45,120 all but two counts set against him: 598 00:21:45,120 --> 00:21:47,679 conspiracy to defraud the United States 599 00:21:47,679 --> 00:21:49,280 and actively marketing the Kronos 600 00:21:49,280 --> 00:21:50,799 malware. 601 00:21:50,799 --> 00:21:52,720 He faced the possibility of a maximum 602 00:21:52,720 --> 00:21:54,960 prison sentence of ten years, 603 00:21:54,960 --> 00:21:56,640 but because of his contribution towards 604 00:21:56,640 --> 00:21:58,880 stopping WannaCry and, as the community had 605 00:21:58,880 --> 00:22:00,480 constantly pointed out, 606 00:22:00,480 --> 00:22:02,240 his active involvement in defending the 607 00:22:02,240 --> 00:22:04,240 world against cyber attacks, 608 00:22:04,240 --> 00:22:07,520 the judge ruled in his favor. He was then 609 00:22:07,520 --> 00:22:08,159 released 610 00:22:08,159 --> 00:22:10,840 with zero jail time and is now a free 611 00:22:10,840 --> 00:22:13,840 man. 612 00:22:26,559 --> 00:22:28,799 As stated before, the WannaCry attack 613 00:22:28,799 --> 00:22:31,200 impacted over 150 countries 614 00:22:31,200 --> 00:22:33,919 and approximately 230,000 computers 615 00:22:33,919 --> 00:22:35,200 globally. 616 00:22:35,200 --> 00:22:37,520 Russia was the most severely infected, 617 00:22:37,520 --> 00:22:40,400 with over half of the affected computers. 618 00:22:40,400 --> 00:22:43,280 India, Ukraine and Taiwan also suffered 619 00:22:43,280 --> 00:22:46,400 significant disruption. 620 00:22:48,559 --> 00:22:50,559 The most prominent victim to emerge out of 621 00:22:50,559 --> 00:22:52,159 the attacks was the UK's National 622 00:22:52,159 --> 00:22:53,280 Health Service, 623 00:22:53,280 --> 00:22:57,200 or the NHS. In the NHS, over 70,000 624 00:22:57,200 --> 00:22:59,039 devices such as computers, 625 00:22:59,039 --> 00:23:02,400 MRI scanners, devices used to test blood, 626 00:23:02,400 --> 00:23:04,720 theater equipment and over 1,200 pieces 627
00:23:04,720 --> 00:23:09,840 of diagnostic equipment were affected. 628 00:23:10,159 --> 00:23:12,400 It is estimated that the attack cost the NHS 629 00:23:12,400 --> 00:23:14,480 over 92 million euros, 630 00:23:14,480 --> 00:23:16,080 and globally the cost amounted to 631 00:23:16,080 --> 00:23:17,919 somewhere between four and eight billion 632 00:23:17,919 --> 00:23:19,840 dollars. 633 00:23:19,840 --> 00:23:21,200 You'd think that the attackers who 634 00:23:21,200 --> 00:23:22,720 launched WannaCry would have made a 635 00:23:22,720 --> 00:23:24,400 decent amount, considering how many 636 00:23:24,400 --> 00:23:25,200 countries 637 00:23:25,200 --> 00:23:28,480 and devices were affected. However, as of 638 00:23:28,480 --> 00:23:30,400 June 14, 2017, 639 00:23:30,400 --> 00:23:32,640 when the attacks had begun to subside, 640 00:23:32,640 --> 00:23:34,559 they had only made a hundred and thirty 641 00:23:34,559 --> 00:23:35,120 thousand, 642 00:23:35,120 --> 00:23:36,960 six hundred and thirty-four dollars and 643 00:23:36,960 --> 00:23:38,880 seventy-seven cents. 644 00:23:38,880 --> 00:23:41,120 Victims were urged not to pay the ransom, 645 00:23:41,120 --> 00:23:42,720 since not only did it encourage the 646 00:23:42,720 --> 00:23:43,520 hackers, 647 00:23:43,520 --> 00:23:45,279 but it also did not guarantee the return 648 00:23:45,279 --> 00:23:47,520 of their data, due to skepticism over 649 00:23:47,520 --> 00:23:48,880 whether the attackers could actually 650 00:23:48,880 --> 00:23:50,320 match a paid ransom 651 00:23:50,320 --> 00:23:52,880 to the correct victim. This was clearly 652 00:23:52,880 --> 00:23:54,400 evident from the fact that a large 653 00:23:54,400 --> 00:23:55,360 proportion, 654 00:23:55,360 --> 00:23:57,279 almost all, of the affected victims who 655 00:23:57,279 --> 00:23:58,400 had paid the ransom 656 00:23:58,400 --> 00:24:04,110 had still not had their data returned. 657 00:24:04,110 --> 00:24:08,910 [Music] 658 00:24:13,679 --> 00:24:15,360
Although initially the prime victims of 659 00:24:15,360 --> 00:24:17,360 WannaCry were said to be Windows XP 660 00:24:17,360 --> 00:24:20,080 clients, over 98% of the victims were 661 00:24:20,080 --> 00:24:21,919 actually running unpatched versions of 662 00:24:21,919 --> 00:24:23,120 Windows 7, 663 00:24:23,120 --> 00:24:25,760 and less than 0.1 percent of the victims 664 00:24:25,760 --> 00:24:28,240 were using Windows XP. 665 00:24:28,240 --> 00:24:29,919 In the case of Russia, they believed 666 00:24:29,919 --> 00:24:31,760 updates did more to break their devices 667 00:24:31,760 --> 00:24:34,240 than to fix them, 668 00:24:34,240 --> 00:24:35,919 partly due to the fact that a majority 669 00:24:35,919 --> 00:24:37,679 of people used cracked or pirated 670 00:24:37,679 --> 00:24:38,960 versions of Windows, 671 00:24:38,960 --> 00:24:40,400 which means they wouldn't have received 672 00:24:40,400 --> 00:24:41,760 the updates which were released by 673 00:24:41,760 --> 00:24:45,120 Microsoft months prior to the attack. 674 00:24:45,120 --> 00:24:46,559 Microsoft eventually released the 675 00:24:46,559 --> 00:24:48,320 updates for systems that were at end of 676 00:24:48,320 --> 00:24:49,200 support, 677 00:24:49,200 --> 00:24:51,120 including Windows XP and other older 678 00:24:51,120 --> 00:24:53,679 versions of Windows. 679 00:24:53,679 --> 00:24:55,520 To this day, if the domain that Marcus 680 00:24:55,520 --> 00:24:57,440 Hutchins acquired were to go down, 681 00:24:57,440 --> 00:24:59,279 the millions of infections that it holds 682 00:24:59,279 --> 00:25:01,120 at bay would be released, 683 00:25:01,120 --> 00:25:02,960 but possibly ineffective if the 684 00:25:02,960 --> 00:25:04,640 computers had already applied the patch 685 00:25:04,640 --> 00:25:07,600 that Microsoft released. 686 00:25:07,600 --> 00:25:09,840 EternalBlue is still in the wild, and 687 00:25:09,840 --> 00:25:11,440 variants of WannaCry have since then 688 00:25:11,440 --> 00:25:13,279 surfaced,
like UIWIX, 689 00:25:13,279 --> 00:25:15,200 which did not come with a kill switch 690 00:25:15,200 --> 00:25:16,880 and addressed the Bitcoin payment issue 691 00:25:16,880 --> 00:25:18,480 by assigning a new address for each 692 00:25:18,480 --> 00:25:20,320 victim to collect payment, 693 00:25:20,320 --> 00:25:21,919 therefore easily allowing the 694 00:25:21,919 --> 00:25:23,919 payment to be tracked back to the victim. 695 00:25:23,919 --> 00:25:25,840 However, since it did not have the 696 00:25:25,840 --> 00:25:27,760 automatic worm-like functionality that 697 00:25:27,760 --> 00:25:29,279 WannaCry exhibited, 698 00:25:29,279 --> 00:25:32,159 it did not pose much of a threat. The 699 00:25:32,159 --> 00:25:34,880 impact of WannaCry is still seen today. 700 00:25:34,880 --> 00:25:36,720 Trend Micro's data clearly indicates that 701 00:25:36,720 --> 00:25:38,559 WannaCry was the most detected malware 702 00:25:38,559 --> 00:25:40,159 family in 2020, 703 00:25:40,159 --> 00:25:42,240 thanks to its virulent nature, and 704 00:25:42,240 --> 00:25:44,159 F-Secure reports that the most seen type 705 00:25:44,159 --> 00:25:46,400 of exploit is against the SMB version 1 706 00:25:46,400 --> 00:25:47,360 vulnerability 707 00:25:47,360 --> 00:25:49,600 using EternalBlue. The fact that 708 00:25:49,600 --> 00:25:51,039 attackers still continue to try and 709 00:25:51,039 --> 00:25:52,080 exploit this 710 00:25:52,080 --> 00:25:54,080 must mean that there are organizations 711 00:25:54,080 --> 00:25:55,919 out there who have not patched against 712 00:25:55,919 --> 00:26:11,840 this vulnerability. 713 00:26:15,520 --> 00:26:17,840 Four years after the attack, there is 714 00:26:17,840 --> 00:26:19,600 still no confirmed identity of the 715 00:26:19,600 --> 00:26:21,760 creators of WannaCry. 716 00:26:21,760 --> 00:26:23,760 There have been accusations towards the 717 00:26:23,760 --> 00:26:24,880 Lazarus Group, 718 00:26:24,880 --> 00:26:27,440 which has strong links to North Korea.
719 00:26:27,440 --> 00:26:28,159 However, 720 00:26:28,159 --> 00:26:31,679 this is nothing more than hearsay. So 721 00:26:31,679 --> 00:26:33,520 who is to blame for the catastrophic 722 00:26:33,520 --> 00:26:35,520 damage of WannaCry? 723 00:26:35,520 --> 00:26:37,360 Is it the NSA, who should not have 724 00:26:37,360 --> 00:26:39,279 stockpiled exploits without alerting the 725 00:26:39,279 --> 00:26:40,640 necessary entities about the 726 00:26:40,640 --> 00:26:42,400 vulnerabilities? 727 00:26:42,400 --> 00:26:43,919 Is it the Shadow Brokers, who took 728 00:26:43,919 --> 00:26:46,320 advantage of this, stole it and released it 729 00:26:46,320 --> 00:26:48,000 into the wild? 730 00:26:48,000 --> 00:26:50,400 Is it the developers of WannaCry, or is 731 00:26:50,400 --> 00:26:52,320 it the fault of Microsoft, who did not 732 00:26:52,320 --> 00:26:53,760 identify this vulnerability 733 00:26:53,760 --> 00:26:56,640 sooner? While all of this might be true 734 00:26:56,640 --> 00:26:58,080 to some extent, 735 00:26:58,080 --> 00:26:59,919 at the end of the day the actions these 736 00:26:59,919 --> 00:27:01,919 organizations take are largely out of 737 00:27:01,919 --> 00:27:03,600 the control of the public 738 00:27:03,600 --> 00:27:05,760 and business owners, who are usually the 739 00:27:05,760 --> 00:27:07,840 victims of the attack. 740 00:27:07,840 --> 00:27:10,240 Regardless of what we claim, the solution 741 00:27:10,240 --> 00:27:11,760 is very simple: 742 00:27:11,760 --> 00:27:13,360 make sure we follow the guidelines to 743 00:27:13,360 --> 00:27:15,440 have our data secured. 744 00:27:15,440 --> 00:27:17,120 The most crucial of these is to have a 745 00:27:17,120 --> 00:27:18,960 consistent schedule for updating our 746 00:27:18,960 --> 00:27:20,240 devices, 747 00:27:20,240 --> 00:27:23,279 and, obviously, to not use outdated 748 00:27:23,279 --> 00:27:24,720 operating systems that put 749 00:27:24,720 --> 00:27:26,960 employee and customer data and their 750 00:27:26,960
--> 00:27:29,360 privacy at huge risk. 751 00:27:29,360 --> 00:27:31,039 When it comes to ransomware, the most 752 00:27:31,039 --> 00:27:32,880 crucial form of defense is frequent 753 00:27:32,880 --> 00:27:35,200 backups; the more frequent they are, 754 00:27:35,200 --> 00:27:37,760 the better. Less than 50% of ransomware 755 00:27:37,760 --> 00:27:39,520 payments actually result in the data 756 00:27:39,520 --> 00:27:41,120 being returned to the victims, 757 00:27:41,120 --> 00:27:42,960 and so, needless to say, payment should 758 00:27:42,960 --> 00:27:44,399 not be an option, 759 00:27:44,399 --> 00:27:46,159 unless your goal is to lose money and your 760 00:27:46,159 --> 00:27:47,760 data as well. 761 00:27:47,760 --> 00:27:49,520 The biggest mistake that organizations 762 00:27:49,520 --> 00:27:51,760 tend to make is refusing to believe that 763 00:27:51,760 --> 00:27:53,520 they would be a target. 764 00:27:53,520 --> 00:27:55,360 According to a study by Cloudwards in 765 00:27:55,360 --> 00:27:56,640 2021, 766 00:27:56,640 --> 00:27:58,559 every 11 seconds a company is hit by 767 00:27:58,559 --> 00:28:00,640 ransomware, and a large proportion of 768 00:28:00,640 --> 00:28:02,240 those organizations are small 769 00:28:02,240 --> 00:28:03,919 to medium-sized businesses that never 770 00:28:03,919 --> 00:28:06,080 see it coming, as they're often found to 771 00:28:06,080 --> 00:28:07,600 have less than effective security 772 00:28:07,600 --> 00:28:08,960 strategies in place, 773 00:28:08,960 --> 00:28:10,480 making them ideal targets for such 774 00:28:10,480 --> 00:28:12,080 attacks. 775 00:28:12,080 --> 00:28:13,440 Digital transformation during the 776 00:28:13,440 --> 00:28:15,360 coronavirus pandemic has started to move 777 00:28:15,360 --> 00:28:16,960 businesses to the cloud, 778 00:28:16,960 --> 00:28:18,799 and so cyber criminals have now shifted 779 00:28:18,799 --> 00:28:20,720 their focus to the cloud as well, 780 00:28:20,720 --> 00:28:22,320 giving them an entirely new
attack 781 00:28:22,320 --> 00:28:24,000 surface to work with. 782 00:28:24,000 --> 00:28:26,480 The cost of ransomware is said to top 20 783 00:28:26,480 --> 00:28:29,039 billion dollars by the end of 2021, 784 00:28:29,039 --> 00:28:32,159 and that is ransomware alone. By 2025, 785 00:28:32,159 --> 00:28:33,919 Cybersecurity Ventures estimates that 786 00:28:33,919 --> 00:28:35,840 cyber crime will cost businesses 787 00:28:35,840 --> 00:28:39,279 10.5 trillion dollars annually, 788 00:28:39,279 --> 00:28:41,279 which would amount to just 2 trillion 789 00:28:41,279 --> 00:28:43,039 short of China's economy, 790 00:28:43,039 --> 00:28:46,000 the second biggest economy in the world. 791 00:28:46,000 --> 00:28:46,320 We 792 00:28:46,320 --> 00:28:48,320 are headed towards bigger and more 793 00:28:48,320 --> 00:28:50,640 destructive attacks than WannaCry, 794 00:28:50,640 --> 00:28:53,440 and our most reliable defense is our 795 00:28:53,440 --> 00:28:54,240 awareness 796 00:28:54,240 --> 00:28:56,840 and our action to better protect 797 00:28:56,840 --> 00:29:13,840 ourselves. Thank you for watching. 798 00:29:16,120 --> 00:29:19,310 [Music] 799 00:29:24,840 --> 00:29:27,840 me 800 00:29:30,810 --> 00:29:33,380 [Applause] 801 00:29:33,380 --> 00:29:43,780 [Music] 802 00:29:46,770 --> 00:29:51,279 [Music] 803 00:29:51,279 --> 00:29:53,360 you