A small note before we start: as much as this video is meant to be a storytelling experience, I have also intended it to be educational, and so I have coupled the story along with how some of these attacks and technologies work. This is my first documentary-style video, and so I appreciate any and all feedback in the comments below. I really hope you enjoy, and hopefully, learn a few new things.

Right now, a crippling cyberattack has businesses around the world on high alert. The ransomware known as WannaCry-

We want to move on to the other developing story this morning, the global cyberattack-

The National Security Agency developed this software and it's now being used by criminals around the world to demand ransom.
Security experts say this is one of the worst and most widespread pieces of malware they've ever seen-

In May of 2017, a worldwide cyberattack by the name of WannaCry, short for WannaCryptor, impacted over 150 countries and hit around 230,000 computers globally. Needless to say, it became known as one of the biggest ransomware attacks in history. Let's start at the very beginning. On the morning of the 12th of May, 2017, according to Akamai, the content delivery network, this was the timeline. Reportedly, the first case identified originated from a Southeast Asian ISP and was detected at 7:44 am UTC. Over the next hour, there were cases seen from Latin America, then continental Europe and the UK, then Brazilian and Argentinian ISPs, until at 12:39 pm UTC, 74% of all ISPs in Asia were affected. And by 3:28 pm UTC, the ransomware had taken hold of 65% of Latin American ISPs.
WannaCry was spreading, and at an incredible rate. Prior to this, such a quick and widespread ransomware was unheard of. A lot of organizations, unable to recover their losses, were forced to permanently shut down. Some had to put a pause on their networks and services, and reported huge losses, some in millions of dollars. The attack did not discriminate. Small to medium-sized businesses, large enterprises, the private sector, the public sector, railways, healthcare, banks, malls, ministries, police, energy companies, ISPs: there just seemed to be no end to the victims. Within a few hours, it had spread to over 11 countries, and by the end of the first day of the attack, the ransomware had been encountered in 74 countries within thousands and thousands of organizations. And so it begged the question: how much damage will this really cause over the next few days, or weeks, or months if no solution presents itself?
Your service has been temporarily disconnected.

Ransomware works in a very simple manner. It is a type of malware most commonly spread through phishing attacks, which are essentially emails used to trick a user into clicking a link that leads them to a website where they enter sensitive data, or into downloading attachments which, if executed, will infect the computer. Although initially suspected, WannaCry did not originate from a phishing attack, but we'll get to that later. Once a computer is infected, the ransomware runs an encryption process, and usually in less than a minute, some or all of the files in the user's computer, depending on what the ransomware is meant to affect, are converted from plaintext to ciphertext. Plaintext is readable or comprehensible data, and ciphertext is unintelligible gibberish.
In order to turn this back into plaintext, the user will need what is known as a decryption key, which the attacker promises to provide if the user pays the ransom. What makes ransomware so dreadful is that once your files have been encrypted, you can't exactly decrypt them and retrieve your data. Well, you can, but with the current technology we have, breaking common encryption algorithms used in ransomware attacks, such as RSA, would take millions to billions to trillions of years.

This is what you'd see if you were to become infected with the WannaCry ransomware. In addition to this intimidating wallpaper, your documents, spreadsheets, images, videos, music, and most everyday productivity and multimedia files become encrypted, essentially being held hostage till the ransom payment has been made.
The Wanna Decryptor 2.0 comes with a set of instructions, in 28 different languages, for victims to follow in order to recover their files. The attackers demanded $300 worth of bitcoin, and after three days it would be updated to $600. If the payment were to be made seven days after the infection, the files would be recoverable. However, despite this, they also go on to state that they will return the files for free to "users who are so poor that they couldn't pay" after six months. The method of payment: bitcoin.

The reason the attackers chose bitcoin was because it is what we know as a private cryptocurrency. This allows the holder of the currency to remain anonymous. Though the money could be traced to a cryptocurrency wallet, which is where the currency itself is stored, it would be exponentially difficult to find the owner of the wallet without extensive forensic analysis.
This is the reason that bitcoin is used widely on the dark web to purchase guns, drugs, and other illegal goods and services that, for obvious reasons, you would not be able to find on the surface web.

The problem with WannaCry, and what made it exponentially more dangerous than your average ransomware, was its propagating capabilities. But to understand this fully, we need to go back in time a little bit, to 2016. In August of 2016, the Equation Group, suspected to have ties with the National Security Agency's Tailored Access Operations unit, and described by Kaspersky as one of the most sophisticated cyberattack groups in the world, was said to have been hacked by a group called the Shadow Brokers. In this hack, disks full of the NSA's secrets were stolen.
This was bad because the NSA houses what we know as nation-state attacks, which are exploits or hacking tools that are used to carry out a hack for their home country against another country. The NSA would essentially recruit a skilled hacker and give them a license to hack, which means that if they did carry it out, it wouldn't be illegal, at least in that country, and the hacker would not be charged. The danger here is that nation-state tools in themselves are usually pretty effective, especially considering they are to be used as weapons against entire states and countries.

The NSA is said to have discovered a multitude of other vulnerabilities in the Windows OS as early as 2013, but was speculated to have developed exploits secretly and stockpiled them, rather than reporting them to Microsoft or the InfoSec community, so that they could weaponize them and utilize them in their nation-state and other attacks.
The Shadow Brokers would go on to auction off some of these tools that were developed, but due to skepticism online on whether the hackers really did have files as dangerous as they had claimed, this would essentially go on to become a catastrophic failure. We can talk quite a bit about the Shadow Brokers. The story is itself worth examining individually, and maybe even in a separate video, but let's narrow our focus down to the leak that made WannaCry possible, which at that point was the fifth leak by the group and was said to be the most damaging one yet.

On April 14, 2017, the Shadow Brokers would post a tweet that linked to their Steem blockchain, to a post titled "Lost in Translation". This leak contained files from the initial failed auction, which they now decided to release to the public for free. The description accompanying the leaked files doesn't really contain much worth noting.
As always, the Shadow Brokers would use broken, but still somewhat comprehensible, English. However, this is widely speculated not to speak to their proficiency in the language, but rather to be an attempt to mislead analysts and prevent them from drawing any conclusions about their identity from how they type. The link, which has now been taken down, takes you to an archive filled with a number of Windows exploits developed by the NSA. It did contain many other valuable tools worth examining, but the ones relevant to our story, and what made a regular ransomware so destructive, were the payload, DoublePulsar, and the now infamous exploit used in the WannaCry attack, EternalBlue.

Server Message Block version 1, or SMBv1, is a network communication protocol which was developed in 1983.
The function of this protocol would be to allow one Windows computer to communicate with another and share files and printers on a local network. However, SMB version 1 had a critical vulnerability which allowed for what is known as remote arbitrary code execution, in which an attacker would be able to execute whatever code they'd like on their target or victim's computer over the Internet, usually with malicious intent. The function of EternalBlue was to take advantage of this vulnerability. Essentially, and I'm going to try and strip it down to simplify it as much as possible, when the Shadow Brokers first leaked the NSA tools, hackers took this opportunity to install DoublePulsar, which is a tool which opens what we commonly know in security as a backdoor. Backdoors allow hackers to create an entry point into the system, or a network of systems, and gain easy access later on.
The initial infection of WannaCry is not known, but it is speculated that the attackers took advantage of the backdoor to deliver the payload. The payload in this case is the ransomware WannaCry. When a computer is infected with WannaCry, oddly, it then tries to connect to the following unregistered domain, which is basically a random string of numbers and letters. If it cannot establish a connection to this domain, then the real damage begins. It scans for port 445 on the network, which is the port that is used to host SMB version 1, and if the port is deemed to be open, it would then proceed to spread to that computer. This is how it propagated so quickly. Whether or not the other users in the network actually downloaded or clicked on anything malicious, they would be infected, and in seconds all their data would be encrypted.
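The propagation step just described has a network-visible signature: one host contacting many distinct internal neighbours on TCP port 445 within a short window. The following detection logic is an added example written for this page, not code from the video; the flow-record format, the 10.0.0.0/8 internal range, the 60-second window and the fan-out threshold of 10 are all assumptions, and the flow lines are constructed.

```python
"""Flag hosts sweeping the local network for SMB (TCP/445), the step the
transcript describes WannaCry using to spread. Added example, not from the video.
Flow-record format, window, threshold and internal range are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

SMB_PORT = 445
WINDOW = timedelta(seconds=60)        # assumed sliding window
FANOUT_THRESHOLD = 10                 # assumed: distinct 445 targets per window
INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address range


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow line: '<iso-timestamp> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport))


def smb_fanout_alerts(flows, window=WINDOW, threshold=FANOUT_THRESHOLD, internal=INTERNAL):
    """Return {src: max distinct internal 445 targets seen within one window}
    for every source that reaches the threshold. A file-server client that
    talks to the same server all day has a fan-out of 1 and is never flagged;
    a worm sweeping the subnet hits many distinct hosts in seconds."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dport == SMB_PORT and f.dst != f.src and ip_address(f.dst) in internal:
            by_src[f.src].append(f)
    alerts = {}
    for src, fl in by_src.items():
        best, lo = 0, 0
        for hi, cur in enumerate(fl):          # sliding window over time-sorted flows
            while cur.ts - fl[lo].ts > window:
                lo += 1
            best = max(best, len({x.dst for x in fl[lo:hi + 1]}))
        if best >= threshold:
            alerts[src] = best
    return alerts


# Constructed sample flows (not real telemetry from the attack).
SAMPLE_FLOWS = (
    # 10.0.1.200 hits 16 different neighbours on 445 inside 16 seconds: worm-like
    [f"2017-05-12T07:44:{i:02d} 10.0.1.200 10.0.1.{i + 1} 445" for i in range(16)]
    # a workstation talking to its one file server repeatedly: normal
    + ["2017-05-12T07:44:05 10.0.2.7 10.0.2.10 445"] * 5
    # 10 different hosts on 445, but one per minute: too slow for the window
    + [f"2017-05-12T07:{50 + i}:00 10.0.4.4 10.0.4.{i + 1} 445" for i in range(10)]
    # many hosts, but on port 80, so not an SMB sweep
    + [f"2017-05-12T07:44:{i:02d} 10.0.3.3 10.0.3.{i + 1} 80" for i in range(16)]
)


def run_sample():
    """Run the detector over the constructed flows; only 10.0.1.200 is flagged."""
    return smb_fanout_alerts([parse_flow(line) for line in SAMPLE_FLOWS])


if __name__ == "__main__":
    for src, fanout in run_sample().items():
        print(f"ALERT {src}: {fanout} distinct internal hosts on 445 within {WINDOW}")
```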
So the damage came in two parts: the ransomware that encrypts the data, and the worm-like component that is used to spread the ransomware to any connected, vulnerable devices in the network as a result of EternalBlue and DoublePulsar. The attack only affected Windows systems, mainly targeting Windows XP, Vista, Windows 7, Windows 8, and Windows 10. However, a month prior to the leak by the Shadow Brokers, on March 14, 2017, Microsoft was made aware of this vulnerability after it was publicly reported, almost five years after its discovery. Microsoft then released a critical patch to fix this vulnerability, MS17-010. However, despite the release of the patch, a significant number of organizations never updated their systems, and unfortunately there were still major organizations running Windows XP or Server 2003.
These devices were at end of support, which means that even if updates were out, they would not receive them, and they would be completely vulnerable to the exploit. If you want to know more about the vulnerability that EternalBlue exploited, it is now logged in the National Vulnerability Database as CVE-2017-0144.

Marcus Hutchins, also known online by his alias MalwareTech, was a 23-year-old British security researcher at Kryptos Logic in LA. After returning from lunch with a friend on the afternoon of the attack, he found himself scouring message boards, where he came across news of a ransomware rapidly taking down systems in the National Health Service, or NHS, all over the UK. Hutchins, who found it odd that the ransomware was consistently affecting so many devices, concluded that the attack was probably a computer worm and not just a simple ransomware.
He quickly requested one of his friends to pass him a sample of the malware so that he could examine it and reverse engineer it to analyze exactly how it worked. Once he had gotten his hands on the malware sample, he ran it in a virtual environment with fake files and found out that it was trying to connect to an unregistered domain, which we discussed earlier in Chapter 4. Hutchins would go on to register this domain for only $10.69, which, unbeknownst to him, would actually halt the WannaCry infection. He would later admit in a tweet that same day that the domain registration leading to a pause in the rapid infection was indeed an accident, dubbing Marcus Hutchins the accidental hero.

To Hutchins, taking control of unregistered domains was just a part of his workflow when it came to stopping botnets and tracking malware.
This was so that he could get further insight into how the malware or botnets were spreading. For those of you unaware of what a botnet is, it is essentially a group of computers that have been hijacked by malicious actors, or hackers, in order to be used in their attacks to drive excess network traffic or steal data. One computer that has been hijacked is called a bot, and a network of them is called a botnet. However, as we discussed earlier, the attack only executes if it's unable to reach the domain that it checks for. Think of it as a simple if-then statement. If the infection cannot connect to domain X, then proceed with the infection. If it can reach domain X, stop the attack. And so the malware being able to connect to the domain was known as the kill switch, the big red button that stops the attack from spreading any further. But why would the attackers implement a kill switch at all?
The first theory is that the creators of WannaCry wanted a way to stop the attack if it ever got out of hand or had any unintentional effects. The second, and the most likely, theory, proposed by Hutchins and other security researchers, was that the kill switch was present in order to prevent researchers from looking into the behavior of WannaCry if it was being executed within what is known in security as a sandbox. A sandbox is usually a virtual computer that is used to run malware. It is a contained environment with measures that have been taken to not infect any important files or spread to other networks, much like what I used in Chapter 2 to demonstrate the WannaCry ransomware. Researchers use these sandboxes to run malware and then use tools to determine the behavior of the attack. This is what Hutchins did, with fake files as well.
So the intent behind this kill switch was to destroy the ransomware if it existed within a sandbox environment, again, since they didn't want researchers to be able to analyze exactly how it worked. However, since the attackers used a static domain, a domain name that did not change for each infection, instead of using dynamically generated domain names like other renditions of this concept would usually do, the WannaCry infections around the world believed that they were being analyzed in a sandbox environment and essentially killed themselves, since every single infection was trying to reach one single hard-coded domain, and now they could, after Hutchins had purchased it and put it online. If it had been a randomly generated domain name, then the infection would only have removed itself from Hutchins's sandbox environment, because the domain he registered would be unique to him and would not affect anyone else. This seems to be an amateur mistake.
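The same property that let one registration halt every infection, a single hard-coded name checked by every infected host, also shows up in a defender's DNS logs: many internal hosts looking up one identical name that does not resolve. The example below is added here and is not code from the video; the log format, thresholds and hostnames are constructed, and the kill-switch name is a placeholder, not the real domain. It goes slightly beyond the transcript by also showing the complementary per-client check that would apply to the dynamically generated names the narrator mentions, since those spread the lookups across many names instead of one.

```python
"""Two DNS-log checks around the kill-switch logic the transcript describes.
Added example, not from the video; log lines, names and thresholds are constructed.

1. Shared static name: every infection queries the same hard-coded domain, so
   one NXDOMAIN name with many distinct clients stands out (and one
   registration of that name stops all of them, as happened with WannaCry).
2. Per-infection generated names: each host queries its own never-seen names,
   so the shared signal vanishes and the indicator becomes one client
   producing many distinct NXDOMAIN names."""
from collections import defaultdict


def parse_dns_line(line):
    """Constructed format: '<hh:mm:ss> <client_ip> <qname> <rcode>'."""
    ts, client, qname, rcode = line.split()
    return ts, client, qname.lower().rstrip("."), rcode


def shared_nxdomain_names(records, min_clients=5):
    """{qname: clients} for names that returned NXDOMAIN to at least
    `min_clients` distinct clients and never resolved for anyone. A name that
    resolved even once is skipped: in the kill-switch logic a resolvable name
    halts the infection, and mixed outcomes usually mean a flapping service."""
    nx = defaultdict(set)
    resolved = set()
    for _, client, qname, rcode in records:
        if rcode == "NXDOMAIN":
            nx[qname].add(client)
        elif rcode == "NOERROR":
            resolved.add(qname)
    return {q: c for q, c in nx.items() if q not in resolved and len(c) >= min_clients}


def dga_like_clients(records, min_names=3):
    """{client: count} for clients that looked up at least `min_names`
    distinct names that all returned NXDOMAIN: the shape a generated-name
    variant would leave, where no two hosts share a name."""
    per_client = defaultdict(set)
    for _, client, qname, rcode in records:
        if rcode == "NXDOMAIN":
            per_client[client].add(qname)
    return {c: len(n) for c, n in per_client.items() if len(n) >= min_names}


# Constructed sample log (placeholder names; not real WannaCry indicators).
SAMPLE_DNS = (
    # eight hosts checking the same hard-coded placeholder name within seconds
    [f"07:45:{i:02d} 10.0.1.{10 + i} kill-switch-placeholder.example NXDOMAIN" for i in range(8)]
    # normal traffic: a name that everyone resolves successfully
    + ["07:45:10 10.0.1.10 fileserver.corp.example NOERROR",
       "07:45:11 10.0.1.30 fileserver.corp.example NOERROR",
       # one user's typo: a single client, a single NXDOMAIN
       "07:45:12 10.0.1.31 gogle.example NXDOMAIN",
       # what a generated-name variant would look like: one host, several
       # unique unresolvable names, none of them shared with any other host
       "07:46:00 10.0.1.40 q3v8zk1.example NXDOMAIN",
       "07:46:01 10.0.1.40 m0d7xa2.example NXDOMAIN",
       "07:46:02 10.0.1.40 p9r4ht5.example NXDOMAIN",
       "07:46:03 10.0.1.40 w2k6nb8.example NXDOMAIN"]
)


def analyze_sample():
    """Run both checks over the constructed log and return (shared, per_client)."""
    records = [parse_dns_line(line) for line in SAMPLE_DNS]
    return shared_nxdomain_names(records), dga_like_clients(records)


if __name__ == "__main__":
    shared, per_client = analyze_sample()
    for name, clients in shared.items():
        print(f"shared unresolvable name {name}: {len(clients)} clients -> candidate kill-switch/beacon")
    for client, count in per_client.items():
        print(f"client {client}: {count} distinct NXDOMAIN names -> generated-name pattern")
```

The eight-client hit on the placeholder name is exactly the kind of fan-in that a static domain produces and a per-host generated name would not; the 10.0.1.40 host shows the opposite shape, which only the second check catches.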
So amateur, in fact, that the researchers have speculated that maybe the intent of the attackers was not monetary gain but rather a more political intention, such as to bring shame to the NSA. However, to this date, there is nothing that confirms nor denies the motive of the WannaCry attack.

[Music]

The rapid infection had seemed to stop, but for Hutchins, or MalwareTech, and his team, the nightmare had only just begun. Less than an hour from when he had activated the domain, it was under attack. The motive of the attackers was to use the Mirai botnet to host a distributed denial of service attack, also known as DDoS, to shut down the domain so that it would be unreachable once again and all the halted infections would resume. A DDoS attack is usually performed to flood a domain with junk traffic until it can't handle any more and is driven offline.
The Mirai botnet that the attackers were employing was previously used in one of the largest ever DDoS attacks and comprised hundreds of thousands of devices. The haunting realization that they were the wall between a flood of infections that was currently being blocked slowly dawned on Hutchins and the other researchers working on the case. They eventually dealt with the issue by taking the site to a cached version, which was capable of handling a much higher traffic load than a live site. Two days after the domain went live, the data showed that two million infections had been halted, showing us what the extent of the damage could have been if it was not for the discovery of the kill switch.

[Music]

Marcus Hutchins's story does not stop here.
He would go on to be named a cybercrime hero, a title which he didn't enjoy, as it would bring him unwanted attention: people trying to piece together his address, media camping outside of his house, and in addition to all of this, he was still under the pressure of the domain going offline any minute and wreaking havoc. However, he was able to get through these weary days and sleepless nights only to be thrown back into chaos. Three months after the WannaCry attack, in August of 2017, Marcus Hutchins, after partying in Vegas for a week and a half during DEFCON, a hacker convention, was arrested in the airport by the FBI on his way back home. It seemed that Hutchins in his teenage years had developed a piece of malware named Kronos that would steal banking credentials. He would go on to sell this malware to multiple individuals with the help of someone he met online named Vinny K. Kronos is still an ongoing threat to banks around the world.
Hutchins initially battled the charges with a not-guilty plea, but after a long and exhausting ordeal that lasted for years, in April 2019 he took a plea deal that would essentially dismiss all but two counts set against him: conspiracy to defraud the United States and actively marketing the Kronos malware. He faced the possibility of a maximum prison sentence of ten years, but because of his contribution to stopping WannaCry and, as the community had constantly pointed out, his active involvement in defending the world against cyber attacks, the judge ruled in his favor. He was then released with zero jail time and is now a free man.

[Music]

As stated before, the WannaCry attack impacted over 150 countries and approximately 230,000 computers globally. Russia was the most severely infected, with over half the affected computers. India, Ukraine, and Taiwan also suffered significant disruption.
The most prominent victim to emerge out of the attacks was the UK's National Health Service, or the NHS. In the NHS, over 70,000 devices, such as computers, MRI scanners, devices used to test blood, theater equipment, and over 1,200 pieces of diagnostic equipment, were affected. The attack is estimated to have cost the NHS over 92 million euros, and globally the cost amounted to somewhere between four and eight billion dollars. You'd think that the attackers who launched WannaCry would have made a decent amount considering how many countries and devices were affected; however, as of June 14, 2017, when the attacks had begun to subside, they had only made $130,634.77. Victims were urged not to pay the ransom, since not only did it encourage the hackers, but it also did not guarantee the return of their data, due to skepticism over whether the attackers could actually match a paid ransom to the correct victim.
This was clearly evident from the fact that a large proportion, almost all, of the affected victims who had paid the ransom had still not been returned their data.

[Music]

Although initially the prime victims of WannaCry were said to be Windows XP clients, over 98% of the victims were actually running unpatched versions of Windows 7, and less than 0.1% of the victims were using Windows XP. In the case of Russia, they believed updates did more to break their devices than fix them, partly due to the fact that a majority of people use cracked or pirated versions of Windows, which means they wouldn't have received the updates which were released by Microsoft months prior to the attack. Microsoft eventually released the updates for systems that were at end of support, including Windows XP and other older versions of Windows.
To this day, if the domain that Marcus Hutchins acquired were to go down, the millions of infections that it holds at bay would be released, though possibly ineffective if the computers had already applied the patch that Microsoft released. EternalBlue is still in the wild, and variants of WannaCry have since surfaced, like Uiwix, which did not come with a kill switch and addressed the Bitcoin payment issue by assigning a new address for each victim to collect payment, therefore easily allowing the payment to be tracked back to the victim. However, since it did not have the automatic worm-like functionality that WannaCry exhibited, it did not pose much of a threat. The impact of WannaCry is still seen today. Trend Micro's data clearly indicates that WannaCry was the most detected malware family in 2020, thanks to its vulnerable nature. And F-Secure reports that the most seen type of exploit is against the SMB version 1 vulnerability using EternalBlue.
The fact that attackers still continue to try and exploit this must mean that there are organizations out there who have not patched against this vulnerability.

[Music]

Four years after the attack, there is still no confirmed identity of the creators of WannaCry. There have been accusations towards the Lazarus Group, who have strong links to North Korea. However, this is nothing more than hearsay. So who is to blame for the catastrophic damage of WannaCry? Is it the NSA, who should not have stockpiled exploits without alerting the necessary entities about the vulnerabilities? Is it the Shadow Brokers, who took advantage of this, stole it, and released it into the wild? Is it the developers of WannaCry? Or is it the fault of Microsoft, who did not identify this vulnerability sooner?
While all of this might be true to some extent, at the end of the day, the actions these organizations take are largely out of the control of the public and business owners, who are usually the victims of the attack. Regardless of what we claim, the solution is very simple: make sure we follow the guidelines to have our data secured. The most crucial of these is to have a consistent schedule for updating our devices, and obviously to not use outdated operating systems that put employee and customer data and their privacy at huge risk. When it comes to ransomware, the most crucial form of defense is frequent backup; the more frequent it is, the better. Less than 50% of ransomware payments actually result in the data being returned to the victims, and so, needless to say, payment should not be an option unless your goal is to lose money and your data as well. The biggest mistake that organizations tend to make is refusing to believe that they would be a target.
According to a study by Cloudwords in 2021, every 11 seconds a company is hit by ransomware, and a large proportion of organizations are small to medium-sized businesses that never see it coming, as they're often found to have less than effective security strategies in place, making them ideal targets for such attacks. Digital transformation during the Coronavirus pandemic has started to move businesses to the cloud, and so cyber criminals have now shifted their focus to the cloud as well, giving them an entirely new attack surface to work with. The cost of ransomware is said to top 20 billion dollars by the end of 2021, and that is ransomware alone. By 2025, Cybersecurity Ventures estimates that cybercrime will cost businesses 10.5 trillion dollars annually, which would amount to just 2 trillion short of China's economy, the second biggest economy in the world.
We are headed towards bigger and more destructive attacks than WannaCry, and our most reliable defense is our awareness and our action to better protect ourselves. Thank you for watching.

[Music]