[Script Info] Title: [Events] Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text Dialogue: 0,0:00:00.00,0:00:09.15,Default,,0000,0000,0000,,[Music] Dialogue: 0,0:00:10.96,0:00:13.68,Default,,0000,0000,0000,,A small note before we start, Dialogue: 0,0:00:13.68,0:00:15.60,Default,,0000,0000,0000,,as much as this video is meant to be a Dialogue: 0,0:00:15.60,0:00:17.44,Default,,0000,0000,0000,,storytelling experience, Dialogue: 0,0:00:17.44,0:00:18.96,Default,,0000,0000,0000,,I have also intended it to be Dialogue: 0,0:00:18.96,0:00:20.64,Default,,0000,0000,0000,,educational, Dialogue: 0,0:00:20.64,0:00:22.48,Default,,0000,0000,0000,,and so, I have coupled the story along Dialogue: 0,0:00:22.48,0:00:23.84,Default,,0000,0000,0000,,with how some of these attacks and Dialogue: 0,0:00:23.84,0:00:26.00,Default,,0000,0000,0000,,technologies work. Dialogue: 0,0:00:26.00,0:00:28.40,Default,,0000,0000,0000,,This is my first documentary style video, Dialogue: 0,0:00:28.40,0:00:30.80,Default,,0000,0000,0000,,and so I appreciate any and all feedback Dialogue: 0,0:00:30.80,0:00:33.12,Default,,0000,0000,0000,,in the comments below. Dialogue: 0,0:00:33.12,0:00:35.68,Default,,0000,0000,0000,,I really hope you enjoy, and hopefully, Dialogue: 0,0:00:35.68,0:00:38.64,Default,,0000,0000,0000,,learn a few new things. Dialogue: 0,0:00:40.80,0:00:43.44,Default,,0000,0000,0000,,Right now, a crippling cyberattack has Dialogue: 0,0:00:43.44,0:00:45.04,Default,,0000,0000,0000,,businesses around the world Dialogue: 0,0:00:45.04,0:00:47.76,Default,,0000,0000,0000,,on high alert. 
The ransomware known as Dialogue: 0,0:00:47.76,0:00:48.72,Default,,0000,0000,0000,,WannaCry- Dialogue: 0,0:00:48.72,0:00:50.40,Default,,0000,0000,0000,,We want to move on to the other developing Dialogue: 0,0:00:50.40,0:00:52.33,Default,,0000,0000,0000,,story this morning, the global cyberattack- Dialogue: 0,0:00:52.33,0:00:54.24,Default,,0000,0000,0000,,The national security agency Dialogue: 0,0:00:54.24,0:00:56.56,Default,,0000,0000,0000,,developed this software and it's now Dialogue: 0,0:00:56.56,0:00:58.01,Default,,0000,0000,0000,,being used by criminals Dialogue: 0,0:00:58.01,0:01:00.05,Default,,0000,0000,0000,,around the world to demand ransom. Dialogue: 0,0:01:00.05,0:01:01.76,Default,,0000,0000,0000,,Security experts say this is one Dialogue: 0,0:01:01.76,0:01:03.28,Default,,0000,0000,0000,,of the worst and most Dialogue: 0,0:01:03.28,0:01:05.44,Default,,0000,0000,0000,,widespread pieces of malware they've Dialogue: 0,0:01:05.44,0:01:06.87,Default,,0000,0000,0000,,ever seen- Dialogue: 0,0:01:06.87,0:01:13.86,Default,,0000,0000,0000,,[Music] Dialogue: 0,0:01:15.61,0:01:19.25,Default,,0000,0000,0000,,[Typing] Dialogue: 0,0:01:20.08,0:01:23.04,Default,,0000,0000,0000,,In May of 2017, a worldwide cyberattack Dialogue: 0,0:01:23.04,0:01:24.80,Default,,0000,0000,0000,,by the name of WannaCry Dialogue: 0,0:01:24.80,0:01:27.84,Default,,0000,0000,0000,,shot for WannaCryptor, impacted over 150 Dialogue: 0,0:01:27.84,0:01:28.72,Default,,0000,0000,0000,,countries, Dialogue: 0,0:01:28.72,0:01:31.36,Default,,0000,0000,0000,,and hit around 230,000 computers Dialogue: 0,0:01:31.36,0:01:32.72,Default,,0000,0000,0000,,globally. Dialogue: 0,0:01:32.72,0:01:34.56,Default,,0000,0000,0000,,Needless to say it became known as one Dialogue: 0,0:01:34.56,0:01:36.64,Default,,0000,0000,0000,,of the biggest ransomware attacks in Dialogue: 0,0:01:36.64,0:01:38.16,Default,,0000,0000,0000,,history. 
Dialogue: 0,0:01:38.16,0:01:40.80,Default,,0000,0000,0000,,Let's start at the very beginning. On the Dialogue: 0,0:01:40.80,0:01:43.12,Default,,0000,0000,0000,,morning of the 12th of May, 2017, Dialogue: 0,0:01:43.12,0:01:45.36,Default,,0000,0000,0000,,according to Akamai, the content delivery Dialogue: 0,0:01:45.36,0:01:46.24,Default,,0000,0000,0000,,network, Dialogue: 0,0:01:46.24,0:01:48.72,Default,,0000,0000,0000,,this was the timeline. Reportedly the Dialogue: 0,0:01:48.72,0:01:51.20,Default,,0000,0000,0000,,first case identified originated from a Dialogue: 0,0:01:51.20,0:01:53.60,Default,,0000,0000,0000,,Southeast Asian ISP which was detected Dialogue: 0,0:01:53.60,0:01:56.41,Default,,0000,0000,0000,,at 7:44 am UTC. Dialogue: 0,0:01:56.90,0:01:58.40,Default,,0000,0000,0000,,Over the next hour, there were cases Dialogue: 0,0:01:58.40,0:02:00.24,Default,,0000,0000,0000,,seen from Latin America, Dialogue: 0,0:02:00.24,0:02:02.96,Default,,0000,0000,0000,,then the Continental Europe and UK, then Dialogue: 0,0:02:02.96,0:02:06.84,Default,,0000,0000,0000,,Brazil and Argentinian ISPs until at 12:39 pm Dialogue: 0,0:02:06.84,0:02:09.28,Default,,0000,0000,0000,,UTC, 74% Dialogue: 0,0:02:09.28,0:02:12.72,Default,,0000,0000,0000,,of all ISPs in Asia were affected. And by Dialogue: 0,0:02:12.72,0:02:14.80,Default,,0000,0000,0000,,3:28 pm UTC, Dialogue: 0,0:02:14.80,0:02:17.67,Default,,0000,0000,0000,,the ransomware had taken hold of 65% Dialogue: 0,0:02:17.67,0:02:20.64,Default,,0000,0000,0000,,of Latin American ISPs. Dialogue: 0,0:02:20.64,0:02:22.88,Default,,0000,0000,0000,,WannaCry was spreading and at an Dialogue: 0,0:02:22.88,0:02:24.64,Default,,0000,0000,0000,,incredible rate. Dialogue: 0,0:02:24.64,0:02:26.16,Default,,0000,0000,0000,,Prior to this, such a quick and Dialogue: 0,0:02:26.16,0:02:28.64,Default,,0000,0000,0000,,widespread ransomware was unheard of. 
Dialogue: 0,0:02:28.64,0:02:31.04,Default,,0000,0000,0000,,A lot of organizations, unable to recover Dialogue: 0,0:02:31.04,0:02:31.84,Default,,0000,0000,0000,,their losses, Dialogue: 0,0:02:31.84,0:02:34.64,Default,,0000,0000,0000,,were forced to permanently shut down. Dialogue: 0,0:02:34.64,0:02:36.16,Default,,0000,0000,0000,,Some had to put a pause on their Dialogue: 0,0:02:36.16,0:02:38.32,Default,,0000,0000,0000,,networks and services, and reported huge Dialogue: 0,0:02:38.32,0:02:39.36,Default,,0000,0000,0000,,losses, Dialogue: 0,0:02:39.36,0:02:42.48,Default,,0000,0000,0000,,some in millions of dollars. The attack Dialogue: 0,0:02:42.48,0:02:44.72,Default,,0000,0000,0000,,did not discriminate. Small to Dialogue: 0,0:02:44.72,0:02:46.40,Default,,0000,0000,0000,,medium-sized businesses, Dialogue: 0,0:02:46.40,0:02:48.80,Default,,0000,0000,0000,,large enterprises, the private sector, the Dialogue: 0,0:02:48.80,0:02:50.16,Default,,0000,0000,0000,,public sector, Dialogue: 0,0:02:50.16,0:02:52.64,Default,,0000,0000,0000,,railways, healthcare, banks, malls, Dialogue: 0,0:02:52.64,0:02:53.36,Default,,0000,0000,0000,,ministries, Dialogue: 0,0:02:53.36,0:02:56.56,Default,,0000,0000,0000,,police, energy companies, ISPs, and there Dialogue: 0,0:02:56.56,0:02:57.44,Default,,0000,0000,0000,,just seemed to be Dialogue: 0,0:02:57.44,0:03:00.72,Default,,0000,0000,0000,,no end to the victims. Within few hours, Dialogue: 0,0:03:00.72,0:03:02.72,Default,,0000,0000,0000,,it had spread to over 11 countries, Dialogue: 0,0:03:02.72,0:03:04.32,Default,,0000,0000,0000,,and by the end of the first day of the Dialogue: 0,0:03:04.32,0:03:06.16,Default,,0000,0000,0000,,attack, the ransomware had been Dialogue: 0,0:03:06.16,0:03:08.48,Default,,0000,0000,0000,,encountered in 74 countries Dialogue: 0,0:03:08.48,0:03:10.32,Default,,0000,0000,0000,,within thousands and thousands of Dialogue: 0,0:03:10.32,0:03:12.16,Default,,0000,0000,0000,,organizations. 
Dialogue: 0,0:03:12.16,0:03:14.88,Default,,0000,0000,0000,,And so it begged the question, how much Dialogue: 0,0:03:14.88,0:03:16.64,Default,,0000,0000,0000,,damage will this really cause over the Dialogue: 0,0:03:16.64,0:03:17.60,Default,,0000,0000,0000,,next few days Dialogue: 0,0:03:17.60,0:03:20.16,Default,,0000,0000,0000,,or weeks or months if no solution Dialogue: 0,0:03:20.16,0:03:23.04,Default,,0000,0000,0000,,presents itself? Dialogue: 0,0:03:23.44,0:03:26.45,Default,,0000,0000,0000,,Your service has been temporarily disconnected. Dialogue: 0,0:03:26.85,0:03:30.29,Default,,0000,0000,0000,,[Typing] Dialogue: 0,0:03:31.20,0:03:33.28,Default,,0000,0000,0000,,[Music] Dialogue: 0,0:03:33.28,0:03:36.24,Default,,0000,0000,0000,,Ransomware works in a very simple manner. Dialogue: 0,0:03:36.24,0:03:38.08,Default,,0000,0000,0000,,It is a type of malware most commonly Dialogue: 0,0:03:38.08,0:03:39.92,Default,,0000,0000,0000,,spread through phishing attacks, Dialogue: 0,0:03:39.92,0:03:41.84,Default,,0000,0000,0000,,which are essentially emails used to Dialogue: 0,0:03:41.84,0:03:44.00,Default,,0000,0000,0000,,trick a user into clicking a link that Dialogue: 0,0:03:44.00,0:03:45.60,Default,,0000,0000,0000,,leads them to a website Dialogue: 0,0:03:45.60,0:03:47.84,Default,,0000,0000,0000,,where they enter sensitive data, or to Dialogue: 0,0:03:47.84,0:03:50.16,Default,,0000,0000,0000,,download attachments which if executed Dialogue: 0,0:03:50.16,0:03:52.24,Default,,0000,0000,0000,,will infect the computer. Dialogue: 0,0:03:52.24,0:03:54.40,Default,,0000,0000,0000,,Although initially suspected, WannaCry Dialogue: 0,0:03:54.40,0:03:56.80,Default,,0000,0000,0000,,did not originate from a phishing attack, Dialogue: 0,0:03:56.80,0:03:59.24,Default,,0000,0000,0000,,but we'll get to that later. 
Dialogue: 0,0:03:59.24,0:04:01.28,Default,,0000,0000,0000,,Once a computer is infected, Dialogue: 0,0:04:01.28,0:04:03.04,Default,,0000,0000,0000,,the ransomware runs an encryption Dialogue: 0,0:04:03.04,0:04:05.28,Default,,0000,0000,0000,,process, and usually in less than a Dialogue: 0,0:04:05.28,0:04:06.24,Default,,0000,0000,0000,,minute, Dialogue: 0,0:04:06.24,0:04:08.80,Default,,0000,0000,0000,,some or all the files depending on what Dialogue: 0,0:04:08.80,0:04:10.88,Default,,0000,0000,0000,,the ransomware is meant to affect in the Dialogue: 0,0:04:10.88,0:04:12.40,Default,,0000,0000,0000,,user's computer Dialogue: 0,0:04:12.40,0:04:14.24,Default,,0000,0000,0000,,is converted from plain text to Dialogue: 0,0:04:14.24,0:04:15.84,Default,,0000,0000,0000,,ciphertext. Dialogue: 0,0:04:15.84,0:04:18.24,Default,,0000,0000,0000,,Plain text is readable or comprehensible Dialogue: 0,0:04:18.24,0:04:19.12,Default,,0000,0000,0000,,data, Dialogue: 0,0:04:19.12,0:04:21.12,Default,,0000,0000,0000,,and ciphertext is unintelligible Dialogue: 0,0:04:21.12,0:04:22.72,Default,,0000,0000,0000,,gibberish. Dialogue: 0,0:04:22.72,0:04:24.64,Default,,0000,0000,0000,,In order to turn this back into plain Dialogue: 0,0:04:24.64,0:04:27.20,Default,,0000,0000,0000,,text, the user will need what is known as Dialogue: 0,0:04:27.20,0:04:28.80,Default,,0000,0000,0000,,a decryption key, Dialogue: 0,0:04:28.80,0:04:30.88,Default,,0000,0000,0000,,which the attacker promises to provide Dialogue: 0,0:04:30.88,0:04:34.56,Default,,0000,0000,0000,,if the user were to pay the ransom. Dialogue: 0,0:04:34.64,0:04:36.88,Default,,0000,0000,0000,,What makes ransomware so dreadful is Dialogue: 0,0:04:36.88,0:04:39.36,Default,,0000,0000,0000,,that once your files have been encrypted, Dialogue: 0,0:04:39.36,0:04:41.04,Default,,0000,0000,0000,,you can't exactly decrypt it and Dialogue: 0,0:04:41.04,0:04:42.96,Default,,0000,0000,0000,,retrieve your data. 
Dialogue: 0,0:04:42.96,0:04:44.72,Default,,0000,0000,0000,,Well, you can, but with the current Dialogue: 0,0:04:44.72,0:04:46.64,Default,,0000,0000,0000,,technology we have, to break common Dialogue: 0,0:04:46.64,0:04:48.72,Default,,0000,0000,0000,,encryption algorithms used in ransomware Dialogue: 0,0:04:48.72,0:04:49.60,Default,,0000,0000,0000,,attacks Dialogue: 0,0:04:49.60,0:04:52.80,Default,,0000,0000,0000,,such as the RSA, it would take millions Dialogue: 0,0:04:52.80,0:04:56.27,Default,,0000,0000,0000,,to billions to trillions of years. Dialogue: 0,0:04:56.27,0:05:00.41,Default,,0000,0000,0000,,[Music] Dialogue: 0,0:05:01.46,0:05:03.20,Default,,0000,0000,0000,,[Typing] Dialogue: 0,0:05:03.52,0:05:05.44,Default,,0000,0000,0000,,This is what you'd see if you were to Dialogue: 0,0:05:05.44,0:05:07.20,Default,,0000,0000,0000,,become infected with the WannaCry Dialogue: 0,0:05:07.20,0:05:08.64,Default,,0000,0000,0000,,ransomware. Dialogue: 0,0:05:08.64,0:05:10.16,Default,,0000,0000,0000,,In addition to this intimidating Dialogue: 0,0:05:10.16,0:05:12.48,Default,,0000,0000,0000,,wallpaper, your documents, Dialogue: 0,0:05:12.48,0:05:16.16,Default,,0000,0000,0000,,spreadsheets, images, videos, Dialogue: 0,0:05:16.16,0:05:18.64,Default,,0000,0000,0000,,music, and most everyday productivity and Dialogue: 0,0:05:18.64,0:05:21.04,Default,,0000,0000,0000,,multimedia files become encrypted, Dialogue: 0,0:05:21.04,0:05:22.80,Default,,0000,0000,0000,,essentially being held hostage till the Dialogue: 0,0:05:22.80,0:05:26.24,Default,,0000,0000,0000,,ransom payment has been made. 
Dialogue: 0,0:05:27.12,0:05:29.20,Default,,0000,0000,0000,,The Wanna Decryptor 2.0 comes with a set Dialogue: 0,0:05:29.20,0:05:30.24,Default,,0000,0000,0000,,of instructions Dialogue: 0,0:05:30.24,0:05:31.92,Default,,0000,0000,0000,,and in 28 different languages for Dialogue: 0,0:05:31.92,0:05:33.68,Default,,0000,0000,0000,,victims to follow in order to recover Dialogue: 0,0:05:33.68,0:05:35.20,Default,,0000,0000,0000,,their files. Dialogue: 0,0:05:35.20,0:05:37.76,Default,,0000,0000,0000,,The attackers demanded for $300 worth of Dialogue: 0,0:05:37.76,0:05:38.64,Default,,0000,0000,0000,,bitcoin, Dialogue: 0,0:05:38.64,0:05:40.56,Default,,0000,0000,0000,,and after three days it would be updated to Dialogue: 0,0:05:40.56,0:05:42.48,Default,,0000,0000,0000,,$600. Dialogue: 0,0:05:42.48,0:05:44.08,Default,,0000,0000,0000,,If the payment were to be made seven Dialogue: 0,0:05:44.08,0:05:45.92,Default,,0000,0000,0000,,days after the infection, the files would Dialogue: 0,0:05:45.92,0:05:47.68,Default,,0000,0000,0000,,be recoverable. Dialogue: 0,0:05:47.68,0:05:49.84,Default,,0000,0000,0000,,However, despite this, they also go on to Dialogue: 0,0:05:49.84,0:05:51.76,Default,,0000,0000,0000,,state that they will return the files Dialogue: 0,0:05:51.76,0:05:54.80,Default,,0000,0000,0000,,for free to "Users who are so poor Dialogue: 0,0:05:54.80,0:05:56.51,Default,,0000,0000,0000,,that they couldn't pay" Dialogue: 0,0:05:56.51,0:05:58.72,Default,,0000,0000,0000,,after six months. The method of Dialogue: 0,0:05:58.72,0:05:59.84,Default,,0000,0000,0000,,payment, Dialogue: 0,0:05:59.84,0:06:00.95,Default,,0000,0000,0000,,bitcoin. Dialogue: 0,0:06:00.95,0:06:04.16,Default,,0000,0000,0000,,[Music] Dialogue: 0,0:06:04.16,0:06:06.40,Default,,0000,0000,0000,,The reason the attackers chose bitcoin Dialogue: 0,0:06:06.40,0:06:07.84,Default,,0000,0000,0000,,was because it is what we know Dialogue: 0,0:06:07.84,0:06:10.48,Default,,0000,0000,0000,,as a private cryptocurrency. 
This allows Dialogue: 0,0:06:10.48,0:06:12.08,Default,,0000,0000,0000,,the holder of the currency to remain Dialogue: 0,0:06:12.08,0:06:13.28,Default,,0000,0000,0000,,anonymous. Dialogue: 0,0:06:13.28,0:06:14.64,Default,,0000,0000,0000,,Though the money could be traced to a Dialogue: 0,0:06:14.64,0:06:16.56,Default,,0000,0000,0000,,cryptocurrency wallet, which is where the Dialogue: 0,0:06:16.56,0:06:18.16,Default,,0000,0000,0000,,currency itself is stored, Dialogue: 0,0:06:18.16,0:06:19.84,Default,,0000,0000,0000,,it would be exponentially difficult to Dialogue: 0,0:06:19.84,0:06:21.36,Default,,0000,0000,0000,,find the owner of the wallet without Dialogue: 0,0:06:21.36,0:06:24.32,Default,,0000,0000,0000,,extensive forensic analysis. Dialogue: 0,0:06:24.32,0:06:26.56,Default,,0000,0000,0000,,This is the reason that bitcoin is used Dialogue: 0,0:06:26.56,0:06:27.84,Default,,0000,0000,0000,,widely in the dark web Dialogue: 0,0:06:27.84,0:06:30.64,Default,,0000,0000,0000,,to purchase guns, drugs, and other illegal Dialogue: 0,0:06:30.64,0:06:32.26,Default,,0000,0000,0000,,goods and services that for obvious Dialogue: 0,0:06:32.26,0:06:33.20,Default,,0000,0000,0000,,reasons, Dialogue: 0,0:06:33.20,0:06:35.04,Default,,0000,0000,0000,,you would not be able to find on the Dialogue: 0,0:06:35.04,0:06:36.36,Default,,0000,0000,0000,,surface web. Dialogue: 0,0:06:38.88,0:06:42.52,Default,,0000,0000,0000,,[Typing] Dialogue: 0,0:06:48.00,0:06:50.08,Default,,0000,0000,0000,,The problem with WannaCry and what made it Dialogue: 0,0:06:50.08,0:06:51.92,Default,,0000,0000,0000,,exponentially more dangerous than your Dialogue: 0,0:06:51.92,0:06:53.28,Default,,0000,0000,0000,,average ransomware Dialogue: 0,0:06:53.28,0:06:56.32,Default,,0000,0000,0000,,was its propagating capabilities. 
Dialogue: 0,0:06:56.32,0:06:58.24,Default,,0000,0000,0000,,But to understand this fully, we need to Dialogue: 0,0:06:58.24,0:06:59.84,Default,,0000,0000,0000,,go back in time a little bit Dialogue: 0,0:06:59.84,0:07:04.00,Default,,0000,0000,0000,,to 2016. In August of 2016, the equation Dialogue: 0,0:07:04.00,0:07:05.68,Default,,0000,0000,0000,,group, suspected to have ties with the Dialogue: 0,0:07:05.68,0:07:07.52,Default,,0000,0000,0000,,National Security Agency's tailored Dialogue: 0,0:07:07.52,0:07:08.80,Default,,0000,0000,0000,,operations unit, Dialogue: 0,0:07:08.80,0:07:10.88,Default,,0000,0000,0000,,and described by Kaspersky as one of the Dialogue: 0,0:07:10.88,0:07:12.88,Default,,0000,0000,0000,,most sophisticated cyberattack groups Dialogue: 0,0:07:12.88,0:07:14.08,Default,,0000,0000,0000,,in the world, Dialogue: 0,0:07:14.08,0:07:15.76,Default,,0000,0000,0000,,was said to be hacked by a group called Dialogue: 0,0:07:15.76,0:07:17.68,Default,,0000,0000,0000,,the shadow brokers. Dialogue: 0,0:07:17.68,0:07:19.92,Default,,0000,0000,0000,,In this hack, disks full of the NSA's Dialogue: 0,0:07:19.92,0:07:21.63,Default,,0000,0000,0000,,secrets were stolen. Dialogue: 0,0:07:22.80,0:07:25.04,Default,,0000,0000,0000,,This was bad because the NSA houses what Dialogue: 0,0:07:25.04,0:07:27.52,Default,,0000,0000,0000,,we know as Nation State Attacks Dialogue: 0,0:07:27.52,0:07:29.76,Default,,0000,0000,0000,,which are exploits or hacking tools that Dialogue: 0,0:07:29.76,0:07:31.28,Default,,0000,0000,0000,,are used to carry out a hack for their Dialogue: 0,0:07:31.28,0:07:32.48,Default,,0000,0000,0000,,home country Dialogue: 0,0:07:32.48,0:07:35.20,Default,,0000,0000,0000,,against another country. 
The NSA would Dialogue: 0,0:07:35.20,0:07:37.12,Default,,0000,0000,0000,,essentially recruit a skilled hacker and Dialogue: 0,0:07:37.12,0:07:39.28,Default,,0000,0000,0000,,give them a license to hack Dialogue: 0,0:07:39.28,0:07:41.20,Default,,0000,0000,0000,,which means if they did carry it out, it Dialogue: 0,0:07:41.20,0:07:42.56,Default,,0000,0000,0000,,wouldn't be illegal Dialogue: 0,0:07:42.56,0:07:44.80,Default,,0000,0000,0000,,at least in that country, and the hacker Dialogue: 0,0:07:44.80,0:07:46.68,Default,,0000,0000,0000,,would not be charged. Dialogue: 0,0:07:48.64,0:07:50.64,Default,,0000,0000,0000,,The danger here is that the Nation State Dialogue: 0,0:07:50.64,0:07:52.40,Default,,0000,0000,0000,,Tools in itself are usually pretty Dialogue: 0,0:07:52.40,0:07:53.44,Default,,0000,0000,0000,,effective, Dialogue: 0,0:07:53.44,0:07:55.12,Default,,0000,0000,0000,,especially considering they are to be Dialogue: 0,0:07:55.12,0:07:57.28,Default,,0000,0000,0000,,used as weapons against entire states Dialogue: 0,0:07:57.28,0:07:58.50,Default,,0000,0000,0000,,and countries. 
Dialogue: 0,0:08:00.46,0:08:03.60,Default,,0000,0000,0000,,[Music] Dialogue: 0,0:08:03.60,0:08:05.44,Default,,0000,0000,0000,,The NSA is said to have discovered a Dialogue: 0,0:08:05.44,0:08:07.20,Default,,0000,0000,0000,,multitude of other vulnerabilities in Dialogue: 0,0:08:07.20,0:08:08.16,Default,,0000,0000,0000,,the Windows OS Dialogue: 0,0:08:08.16,0:08:11.28,Default,,0000,0000,0000,,as early as 2013, but was speculated to Dialogue: 0,0:08:11.28,0:08:13.28,Default,,0000,0000,0000,,have developed exploits secretly and Dialogue: 0,0:08:13.28,0:08:14.56,Default,,0000,0000,0000,,stockpile them, Dialogue: 0,0:08:14.56,0:08:16.56,Default,,0000,0000,0000,,rather than reporting it to Microsoft or Dialogue: 0,0:08:16.56,0:08:18.24,Default,,0000,0000,0000,,the InfoSec community, Dialogue: 0,0:08:18.24,0:08:20.00,Default,,0000,0000,0000,,so that they could weaponize it and Dialogue: 0,0:08:20.00,0:08:21.92,Default,,0000,0000,0000,,utilize them in their nation state and Dialogue: 0,0:08:21.92,0:08:23.69,Default,,0000,0000,0000,,other attacks. Dialogue: 0,0:08:25.44,0:08:27.20,Default,,0000,0000,0000,,The shadow brokers would go on to Dialogue: 0,0:08:27.20,0:08:28.72,Default,,0000,0000,0000,,auction off some of these tools that Dialogue: 0,0:08:28.72,0:08:30.00,Default,,0000,0000,0000,,were developed, Dialogue: 0,0:08:30.00,0:08:32.08,Default,,0000,0000,0000,,but due to skepticism online on whether Dialogue: 0,0:08:32.08,0:08:34.08,Default,,0000,0000,0000,,the hackers really did have files as Dialogue: 0,0:08:34.08,0:08:36.16,Default,,0000,0000,0000,,dangerous as they had claimed, Dialogue: 0,0:08:36.16,0:08:37.92,Default,,0000,0000,0000,,this would essentially go on to become a Dialogue: 0,0:08:37.92,0:08:40.72,Default,,0000,0000,0000,,catastrophic failure. Dialogue: 0,0:08:40.72,0:08:42.40,Default,,0000,0000,0000,,We can talk quite a bit about the shadow Dialogue: 0,0:08:42.40,0:08:44.80,Default,,0000,0000,0000,,brokers. 
The story is itself worth Dialogue: 0,0:08:44.80,0:08:46.72,Default,,0000,0000,0000,,examining individually and maybe even on Dialogue: 0,0:08:46.72,0:08:48.08,Default,,0000,0000,0000,,a separate video, Dialogue: 0,0:08:48.08,0:08:49.76,Default,,0000,0000,0000,,but let's narrow our focus down to the Dialogue: 0,0:08:49.76,0:08:51.84,Default,,0000,0000,0000,,leak that made WannaCry possible Dialogue: 0,0:08:51.84,0:08:54.00,Default,,0000,0000,0000,,which at that point was the fifth leak Dialogue: 0,0:08:54.00,0:08:55.76,Default,,0000,0000,0000,,by the group and was said to be the most Dialogue: 0,0:08:55.76,0:08:58.64,Default,,0000,0000,0000,,damaging one yet. Dialogue: 0,0:08:59.36,0:09:02.08,Default,,0000,0000,0000,,On April 14, 2017, the shadow brokers Dialogue: 0,0:09:02.08,0:09:03.60,Default,,0000,0000,0000,,would post a tweet that linked to their Dialogue: 0,0:09:03.60,0:09:05.12,Default,,0000,0000,0000,,Steem blockchain Dialogue: 0,0:09:05.12,0:09:08.88,Default,,0000,0000,0000,,on a post titled lost in translation. Dialogue: 0,0:09:08.88,0:09:10.40,Default,,0000,0000,0000,,This leak contained files from the Dialogue: 0,0:09:10.40,0:09:12.16,Default,,0000,0000,0000,,initial failed auction which they now Dialogue: 0,0:09:12.16,0:09:14.16,Default,,0000,0000,0000,,decided to release to the public Dialogue: 0,0:09:14.16,0:09:18.08,Default,,0000,0000,0000,,for free. The description accompanying Dialogue: 0,0:09:18.08,0:09:19.84,Default,,0000,0000,0000,,the leaked files doesn't really contain Dialogue: 0,0:09:19.84,0:09:21.28,Default,,0000,0000,0000,,much worth noting. Dialogue: 0,0:09:21.28,0:09:23.12,Default,,0000,0000,0000,,As always the shadow brokers would use Dialogue: 0,0:09:23.12,0:09:25.04,Default,,0000,0000,0000,,broken, but still somewhat comprehensible Dialogue: 0,0:09:25.04,0:09:26.40,Default,,0000,0000,0000,,English. 
Dialogue: 0,0:09:26.40,0:09:28.48,Default,,0000,0000,0000,,However, this is widely speculated not to Dialogue: 0,0:09:28.48,0:09:29.84,Default,,0000,0000,0000,,speak to their proficiency in the Dialogue: 0,0:09:29.84,0:09:30.64,Default,,0000,0000,0000,,language, Dialogue: 0,0:09:30.64,0:09:32.16,Default,,0000,0000,0000,,but rather an attempt to mislead Dialogue: 0,0:09:32.16,0:09:33.92,Default,,0000,0000,0000,,analysts and prevent them from yielding Dialogue: 0,0:09:33.92,0:09:36.24,Default,,0000,0000,0000,,any results regarding their identity Dialogue: 0,0:09:36.24,0:09:39.52,Default,,0000,0000,0000,,characterized by how they type. Dialogue: 0,0:09:39.52,0:09:41.20,Default,,0000,0000,0000,,The link, which has now been taken down, Dialogue: 0,0:09:41.20,0:09:42.80,Default,,0000,0000,0000,,takes you to an archive filled with a Dialogue: 0,0:09:42.80,0:09:44.64,Default,,0000,0000,0000,,number of Windows exploits developed by Dialogue: 0,0:09:44.64,0:09:46.24,Default,,0000,0000,0000,,the NSA. Dialogue: 0,0:09:46.24,0:09:48.16,Default,,0000,0000,0000,,It did contain many other valuable tools Dialogue: 0,0:09:48.16,0:09:49.44,Default,,0000,0000,0000,,worth examining, Dialogue: 0,0:09:49.44,0:09:51.28,Default,,0000,0000,0000,,but the ones relevant to our story and Dialogue: 0,0:09:51.28,0:09:53.04,Default,,0000,0000,0000,,what made a regular ransomware so Dialogue: 0,0:09:53.04,0:09:54.16,Default,,0000,0000,0000,,destructive Dialogue: 0,0:09:54.16,0:09:56.88,Default,,0000,0000,0000,,were the payload, Doublepulsar and the Dialogue: 0,0:09:56.88,0:09:58.56,Default,,0000,0000,0000,,now infamous exploit used in the Dialogue: 0,0:09:58.56,0:09:59.84,Default,,0000,0000,0000,,WannaCry attack, Dialogue: 0,0:09:59.84,0:10:01.33,Default,,0000,0000,0000,,Eternalblue. 
Dialogue: 0,0:10:01.33,0:10:05.66,Default,,0000,0000,0000,,[Music] Dialogue: 0,0:10:08.11,0:10:11.44,Default,,0000,0000,0000,,[Typing] Dialogue: 0,0:10:15.44,0:10:18.80,Default,,0000,0000,0000,,Server Message Block version 1 or SMBv1 Dialogue: 0,0:10:18.80,0:10:20.72,Default,,0000,0000,0000,,is a network communication protocol Dialogue: 0,0:10:20.72,0:10:23.52,Default,,0000,0000,0000,,which was developed in 1983. Dialogue: 0,0:10:23.52,0:10:25.44,Default,,0000,0000,0000,,The function of this protocol would be Dialogue: 0,0:10:25.44,0:10:27.20,Default,,0000,0000,0000,,to allow one Windows computer to Dialogue: 0,0:10:27.20,0:10:28.72,Default,,0000,0000,0000,,communicate with another Dialogue: 0,0:10:28.72,0:10:30.88,Default,,0000,0000,0000,,and share files and printers on a local Dialogue: 0,0:10:30.88,0:10:32.40,Default,,0000,0000,0000,,network. Dialogue: 0,0:10:32.40,0:10:34.88,Default,,0000,0000,0000,,However, SMB version 1 had a critical Dialogue: 0,0:10:34.88,0:10:36.16,Default,,0000,0000,0000,,vulnerability Dialogue: 0,0:10:36.16,0:10:39.04,Default,,0000,0000,0000,,which allowed for what is known as a Dialogue: 0,0:10:39.04,0:10:41.76,Default,,0000,0000,0000,,Remote Arbitrary Code Execution Dialogue: 0,0:10:41.76,0:10:43.44,Default,,0000,0000,0000,,in which an attacker would be able to Dialogue: 0,0:10:43.44,0:10:45.44,Default,,0000,0000,0000,,execute whatever code that they'd like Dialogue: 0,0:10:45.44,0:10:47.68,Default,,0000,0000,0000,,on their target or victim's computer Dialogue: 0,0:10:47.68,0:10:48.80,Default,,0000,0000,0000,,over the Internet Dialogue: 0,0:10:48.80,0:10:51.60,Default,,0000,0000,0000,,usually with malicious intent. The Dialogue: 0,0:10:51.60,0:10:53.36,Default,,0000,0000,0000,,function of Eternalblue was to take Dialogue: 0,0:10:53.36,0:10:55.84,Default,,0000,0000,0000,,advantage of this vulnerability. 
Dialogue: 0,0:10:55.84,0:10:58.00,Default,,0000,0000,0000,,Essentially, and I'm going to try and strip Dialogue: 0,0:10:58.00,0:10:59.52,Default,,0000,0000,0000,,it down to simplify it as much as Dialogue: 0,0:10:59.52,0:11:00.80,Default,,0000,0000,0000,,possible, Dialogue: 0,0:11:00.80,0:11:02.64,Default,,0000,0000,0000,,when the shadow brokers first leaked the Dialogue: 0,0:11:02.64,0:11:03.92,Default,,0000,0000,0000,,NSA tools, Dialogue: 0,0:11:03.92,0:11:05.92,Default,,0000,0000,0000,,hackers took this opportunity to install Dialogue: 0,0:11:05.92,0:11:07.52,Default,,0000,0000,0000,,Doublepulsar Dialogue: 0,0:11:07.52,0:11:09.20,Default,,0000,0000,0000,,which is a tool which opens what we Dialogue: 0,0:11:09.20,0:11:10.88,Default,,0000,0000,0000,,commonly know in security Dialogue: 0,0:11:10.88,0:11:14.00,Default,,0000,0000,0000,,as a backdoor. Backdoors allows hackers Dialogue: 0,0:11:14.00,0:11:16.56,Default,,0000,0000,0000,,to create an entry point into the system Dialogue: 0,0:11:16.56,0:11:18.56,Default,,0000,0000,0000,,or a network of systems and gain easy Dialogue: 0,0:11:18.56,0:11:20.88,Default,,0000,0000,0000,,access later on. Dialogue: 0,0:11:20.88,0:11:22.88,Default,,0000,0000,0000,,The initial infection of WannaCry is not Dialogue: 0,0:11:22.88,0:11:23.92,Default,,0000,0000,0000,,known, Dialogue: 0,0:11:23.92,0:11:25.68,Default,,0000,0000,0000,,but it is speculated that the attackers Dialogue: 0,0:11:25.68,0:11:27.12,Default,,0000,0000,0000,,took advantage of the backdoor to Dialogue: 0,0:11:27.12,0:11:28.88,Default,,0000,0000,0000,,deliver the payload. Dialogue: 0,0:11:28.88,0:11:30.40,Default,,0000,0000,0000,,The payload in this case is the Dialogue: 0,0:11:30.40,0:11:32.80,Default,,0000,0000,0000,,ransomware WannaCry. 
Dialogue: 0,0:11:32.80,0:11:34.40,Default,,0000,0000,0000,,When a computer is infected with Dialogue: 0,0:11:34.40,0:11:36.16,Default,,0000,0000,0000,,WannaCry, oddly Dialogue: 0,0:11:36.16,0:11:37.44,Default,,0000,0000,0000,,it then tries to connect to the Dialogue: 0,0:11:37.44,0:11:39.60,Default,,0000,0000,0000,,following unregistered domain Dialogue: 0,0:11:39.60,0:11:41.52,Default,,0000,0000,0000,,which is basically a random string of Dialogue: 0,0:11:41.52,0:11:43.36,Default,,0000,0000,0000,,numbers and letters. Dialogue: 0,0:11:43.36,0:11:45.12,Default,,0000,0000,0000,,If it cannot establish a connection to Dialogue: 0,0:11:45.12,0:11:48.00,Default,,0000,0000,0000,,this domain, then the real damage begins. Dialogue: 0,0:11:48.00,0:11:50.88,Default,,0000,0000,0000,,It scans for port 445 on the network Dialogue: 0,0:11:50.88,0:11:52.56,Default,,0000,0000,0000,,which is the port that is used to host Dialogue: 0,0:11:52.56,0:11:54.08,Default,,0000,0000,0000,,SMB version 1, Dialogue: 0,0:11:54.08,0:11:56.08,Default,,0000,0000,0000,,and if the port is deemed to be open, it Dialogue: 0,0:11:56.08,0:11:57.60,Default,,0000,0000,0000,,would then proceed to spread to that Dialogue: 0,0:11:57.60,0:11:59.28,Default,,0000,0000,0000,,computer. Dialogue: 0,0:11:59.68,0:12:02.20,Default,,0000,0000,0000,,This is how it propagated so quickly. Dialogue: 0,0:12:03.12,0:12:04.80,Default,,0000,0000,0000,,Whether the other users in the network Dialogue: 0,0:12:04.80,0:12:06.56,Default,,0000,0000,0000,,actually downloaded or clicked on Dialogue: 0,0:12:06.56,0:12:08.00,Default,,0000,0000,0000,,anything malicious, Dialogue: 0,0:12:08.00,0:12:10.40,Default,,0000,0000,0000,,regardless, they would be infected, and in Dialogue: 0,0:12:10.40,0:12:12.00,Default,,0000,0000,0000,,seconds all their data would be Dialogue: 0,0:12:12.00,0:12:13.14,Default,,0000,0000,0000,,encrypted. 
Dialogue: 0,0:12:14.40,0:12:17.36,Default,,0000,0000,0000,,So the damage came in two parts, the Dialogue: 0,0:12:17.36,0:12:19.12,Default,,0000,0000,0000,,ransomware that encrypts the data Dialogue: 0,0:12:19.12,0:12:20.96,Default,,0000,0000,0000,,and the worm-like component that is used Dialogue: 0,0:12:20.96,0:12:22.48,Default,,0000,0000,0000,,to spread the ransomware to any Dialogue: 0,0:12:22.48,0:12:23.28,Default,,0000,0000,0000,,connected, Dialogue: 0,0:12:23.28,0:12:25.60,Default,,0000,0000,0000,,vulnerable devices in the network as a Dialogue: 0,0:12:25.60,0:12:28.88,Default,,0000,0000,0000,,result of Eternalblue and Doublepulsar. Dialogue: 0,0:12:28.88,0:12:31.36,Default,,0000,0000,0000,,The attack only affected Windows systems, Dialogue: 0,0:12:31.36,0:12:33.36,Default,,0000,0000,0000,,mainly targeting Windows XP, Dialogue: 0,0:12:33.36,0:12:36.32,Default,,0000,0000,0000,,Vista, Windows 7, Windows 8, and Windows Dialogue: 0,0:12:36.32,0:12:37.52,Default,,0000,0000,0000,,10. Dialogue: 0,0:12:37.52,0:12:39.52,Default,,0000,0000,0000,,However, a month prior to the leak by the Dialogue: 0,0:12:39.52,0:12:42.48,Default,,0000,0000,0000,,shadow brokers on March 14, 2017, Dialogue: 0,0:12:42.48,0:12:44.08,Default,,0000,0000,0000,,Microsoft was made aware of this Dialogue: 0,0:12:44.08,0:12:45.92,Default,,0000,0000,0000,,vulnerability after it was publicly Dialogue: 0,0:12:45.92,0:12:46.80,Default,,0000,0000,0000,,reported Dialogue: 0,0:12:46.80,0:12:50.48,Default,,0000,0000,0000,,almost five years after its discovery. Dialogue: 0,0:12:50.48,0:12:52.32,Default,,0000,0000,0000,,Microsoft then released a critical patch Dialogue: 0,0:12:52.32,0:12:54.07,Default,,0000,0000,0000,,to fix this vulnerability, Dialogue: 0,0:12:54.07,0:12:57.04,Default,,0000,0000,0000,,MS17-010. 
However, despite the release of the patch, a significant number of organizations never updated their systems, and unfortunately there were still major organizations running Windows XP or Server 2003. These devices were at end of support, which means that even if updates were out, they would not receive them and were completely vulnerable to the exploit.
If you want to know more about the vulnerability that EternalBlue exploited, it is now logged in the National Vulnerability Database as CVE-2017-0144.

Marcus Hutchins, also known online by his alias MalwareTech, was a 23-year-old British security researcher at Kryptos Logic in LA. After returning from lunch with a friend on the afternoon of the attack, he found himself scouring message boards, where he came across news of a ransomware rapidly taking down systems in the National Health Service, or NHS, all over the UK.
Hutchins, who found it odd that the ransomware was consistently affecting so many devices, concluded that the attack was probably a computer worm and not just a simple ransomware. He quickly asked one of his friends to pass him a sample of the malware so that he could examine it and reverse engineer it to analyze exactly how it worked. Once he had gotten his hands on the malware sample, he ran it in a virtual environment with fake files and found that it was trying to connect to an unregistered domain, which we discussed earlier in Chapter 4.
Hutchins would go on to register this domain for only $10.69, which, unbeknownst to him, would actually halt the WannaCry infection. He would later admit in a tweet that same day that the domain registration leading to a pause in the rapid infection was indeed an accident, earning Marcus Hutchins the title of the accidental hero.

To Hutchins, taking control of unregistered domains was just a part of his workflow when it came to stopping botnets and tracking malware. This was so that he could get further insight into how the malware or botnets were spreading.
For those of you unaware of what a botnet is, it is essentially a group of computers that have been hijacked by malicious actors, or hackers, in order to be used in their attacks to drive excess network traffic or steal data. One computer that has been hijacked is called a bot, and a network of them is called a botnet. However, as we discussed earlier, the attack only executes if it's unable to reach the domain that it checks for. Think of it as a simple if-then statement. If the infection cannot connect to domain X, then proceed with the infection. If it can reach domain X, stop the attack.
And so the malware being able to connect to the domain was known as the kill switch, the big red button that stops the attack from spreading any further. But why would the attackers implement a kill switch at all? The first theory is that the creators of WannaCry wanted a way to stop the attack if it ever got out of hand or had any unintentional effects. The second, and the most likely, theory, proposed by Hutchins and other security researchers, was that the kill switch was present in order to prevent researchers from looking into the behavior of WannaCry if it was being executed within what is known in security as a sandbox. A sandbox is usually a virtual computer that is used to run malware.
It is a contained environment with measures that have been taken to not infect any important files or spread to other networks, much like what I used in Chapter 2 to demonstrate the WannaCry ransomware. Researchers use these sandboxes to run malware and then use tools to determine the behavior of the attack. This is what Hutchins did with fake files as well. So the intent behind this kill switch was to destroy the ransomware if it existed within a sandbox environment, again, since they didn't want researchers to be able to analyze exactly how it worked.
However, since the attackers used a static domain, a domain name that did not change for each infection, instead of using dynamically generated domain names like other renditions of this concept would usually do, the WannaCry infections around the world believed they were being analyzed in a sandbox environment and essentially killed themselves: every single infection was trying to reach one single hard-coded domain, and now they could, after Hutchins had purchased it and put it online.
If it had been a randomly generated domain name, then the infection would only have removed itself from Hutchins's sandbox environment, because the domain he registered would be unique to him and would not affect anyone else. This seems to be an amateur mistake. So amateur, in fact, that researchers have speculated that maybe the intent of the attackers was not monetary gain, but rather a more political intention, such as to bring shame to the NSA. However, to this date, there is nothing that confirms nor denies the motive of the WannaCry attack.
The rapid infection had seemed to stop, but for Hutchins, or MalwareTech, and his team, the nightmare had only just begun. Less than an hour from when he had activated the domain, it was under attack. The attackers' motive was to use the Mirai botnet to launch a distributed denial-of-service attack, also known as DDoS, to shut down the domain so that it would be unreachable once again and all the halted infections would resume. A DDoS attack is usually performed to flood a domain with junk traffic until it can't handle any more and is driven offline.
The Mirai botnet that the attackers were employing was previously used in one of the largest ever DDoS attacks and was comprised of hundreds of thousands of devices. The haunting realization that they were the wall holding back a flood of infections that was currently being blocked slowly dawned on Hutchins and the other researchers working on the case. They eventually dealt with the issue by moving the site to a cached version, which was capable of handling a much higher traffic load than a live site. Two days after the domain went live, the data showed that two million infections had been halted, showing us what the extent of the damage could have been if it were not for the discovery of the kill switch.
Marcus Hutchins's story does not stop here. He would go on to be named as a cybercrime hero, a title which he didn't enjoy, as it would bring him unwanted attention: people trying to piece together his address, media camping outside of his house, and in addition to all of this, he was still under the pressure of the domain going offline any minute and wreaking havoc. However, he was able to get through these weary days and sleepless nights, only to be thrown back into chaos.
Three months after the WannaCry attack, in August of 2017, Marcus Hutchins, after partying in Vegas for a week and a half during DEFCON, a hacker convention, was arrested in the airport by the FBI on his way back home. It seemed that Hutchins, in his teenage years, had developed a malware named Kronos that would steal banking credentials. He would go on to sell this malware to multiple individuals with the help of someone he met online named Vinny K. Kronos is still an ongoing threat to banks around the world.
Hutchins initially battled the charges with a not-guilty plea, but after a long and exhausting ordeal that lasted for years, in April 2019 he took a plea deal that would essentially dismiss all but two counts set against him: conspiracy to defraud the United States and actively marketing the Kronos malware. He faced the possibility of a maximum prison sentence of ten years, but because of his contribution towards WannaCry and, as the community had constantly pointed out, his active involvement in defending the world against cyber attacks, the judge ruled in his favor. He was then released with zero jail time and is now a free man.
As stated before, the WannaCry attack impacted over 150 countries and approximately 230,000 computers globally. Russia was the most severely infected, with over half the affected computers. India, Ukraine, and Taiwan also suffered significant disruption. The most prominent victim to emerge out of the attacks was the UK's National Health Service, or the NHS. In the NHS, over 70,000 devices such as computers, MRI scanners, devices used to test blood, theater equipment, and over 1200 pieces of diagnostic equipment were affected.
The attack is estimated to have cost the NHS over 92 million euros, and globally, the cost amounted to somewhere between four and eight billion dollars. You'd think that the attackers who launched WannaCry would have made a decent amount considering how many countries and devices were affected; however, as of June 14, 2017, when the attacks had begun to subside, they had only made $130,634.77. Victims were urged not to pay the ransom, since not only did it encourage the hackers, but it also did not guarantee the return of their data, due to skepticism over whether the attackers could actually match a paid ransom to the correct victim.
This was clearly evident from the fact that a large proportion, almost all, of the affected victims who had paid the ransom had still not had their data returned.

Although initially the prime victims of WannaCry were said to be Windows XP clients, over 98% of the victims were actually running unpatched versions of Windows 7, and less than 0.1% of the victims were using Windows XP.
In the case of Russia, they believed updates did more to break their devices than fix them, partly due to the fact that a majority of people use cracked or pirated versions of Windows, which means they wouldn't have received the updates that were released by Microsoft months prior to the attack. Microsoft eventually released the updates for systems that were at end of support, including Windows XP and other older versions of Windows. To this day, if the domain that Marcus Hutchins acquired were to go down, the millions of infections that it holds at bay would be released, but possibly ineffective if the computers had already applied the patch that Microsoft released.
EternalBlue is still in the wild, and variants of WannaCry have since surfaced, like Uiwix, which did not come with a kill switch and addressed the Bitcoin payment issue by assigning a new address to each victim to collect payment, therefore easily allowing the payment to be tracked back to the victim. However, since it did not have the automatic worm-like functionality that WannaCry exhibited, it did not pose much of a threat. The impact of WannaCry is still seen today. Trend Micro's data clearly indicates that WannaCry was the most detected malware family in 2020, thanks to its vulnerable nature.
And F-Secure reports that the most seen type of exploit is against the SMB version 1 vulnerability using EternalBlue. The fact that attackers still continue to try and exploit this must mean that there are organizations out there who have not patched against this vulnerability.

Four years after the attack, there is still no confirmed identity of the creators of WannaCry. There have been accusations towards the Lazarus Group, who has strong links to North Korea. However, this is nothing more than hearsay. So who is to blame for the catastrophic damage of WannaCry?
Dialogue: 0,0:26:35.52,0:26:37.36,Default,,0000,0000,0000,,Is it the NSA, who should not have Dialogue: 0,0:26:37.36,0:26:39.28,Default,,0000,0000,0000,,stockpiled exploits without alerting the Dialogue: 0,0:26:39.28,0:26:40.64,Default,,0000,0000,0000,,necessary entities about the Dialogue: 0,0:26:40.64,0:26:42.40,Default,,0000,0000,0000,,vulnerabilities? Dialogue: 0,0:26:42.40,0:26:43.92,Default,,0000,0000,0000,,Is it the Shadow Brokers, who took Dialogue: 0,0:26:43.92,0:26:46.32,Default,,0000,0000,0000,,advantage of this, stole it, and released it Dialogue: 0,0:26:46.32,0:26:48.00,Default,,0000,0000,0000,,into the wild? Dialogue: 0,0:26:48.00,0:26:50.40,Default,,0000,0000,0000,,Is it the developers of WannaCry? Or is Dialogue: 0,0:26:50.40,0:26:52.32,Default,,0000,0000,0000,,it the fault of Microsoft, who did not Dialogue: 0,0:26:52.32,0:26:53.76,Default,,0000,0000,0000,,identify this vulnerability Dialogue: 0,0:26:53.76,0:26:56.64,Default,,0000,0000,0000,,sooner? While all of this might be true Dialogue: 0,0:26:56.64,0:26:58.08,Default,,0000,0000,0000,,to some extent, Dialogue: 0,0:26:58.08,0:26:59.92,Default,,0000,0000,0000,,at the end of the day, the actions these Dialogue: 0,0:26:59.92,0:27:01.92,Default,,0000,0000,0000,,organizations take are largely out of Dialogue: 0,0:27:01.92,0:27:03.60,Default,,0000,0000,0000,,the control of the public Dialogue: 0,0:27:03.60,0:27:05.76,Default,,0000,0000,0000,,and business owners, who are usually the Dialogue: 0,0:27:05.76,0:27:07.84,Default,,0000,0000,0000,,victims of the attack. Dialogue: 0,0:27:07.84,0:27:10.24,Default,,0000,0000,0000,,Regardless of what we claim, the solution Dialogue: 0,0:27:10.24,0:27:11.76,Default,,0000,0000,0000,,is very simple. Dialogue: 0,0:27:11.76,0:27:13.36,Default,,0000,0000,0000,,Make sure we follow the guidelines to Dialogue: 0,0:27:13.36,0:27:15.44,Default,,0000,0000,0000,,have our data secured. 
Dialogue: 0,0:27:15.44,0:27:17.12,Default,,0000,0000,0000,,The most crucial of these is to have a Dialogue: 0,0:27:17.12,0:27:18.96,Default,,0000,0000,0000,,consistent schedule for updating our Dialogue: 0,0:27:18.96,0:27:20.24,Default,,0000,0000,0000,,devices, Dialogue: 0,0:27:20.24,0:27:23.28,Default,,0000,0000,0000,,and to obviously not use outdated Dialogue: 0,0:27:23.28,0:27:24.72,Default,,0000,0000,0000,,operating systems that put Dialogue: 0,0:27:24.72,0:27:26.96,Default,,0000,0000,0000,,employee and customer data and their Dialogue: 0,0:27:26.96,0:27:29.36,Default,,0000,0000,0000,,privacy at huge risk. Dialogue: 0,0:27:29.36,0:27:31.04,Default,,0000,0000,0000,,When it comes to ransomware, the most Dialogue: 0,0:27:31.04,0:27:32.88,Default,,0000,0000,0000,,crucial form of defense is frequent Dialogue: 0,0:27:32.88,0:27:35.20,Default,,0000,0000,0000,,backups. The more frequent they are, Dialogue: 0,0:27:35.20,0:27:37.76,Default,,0000,0000,0000,,the better. Less than 50% of ransomware Dialogue: 0,0:27:37.76,0:27:39.52,Default,,0000,0000,0000,,payments actually result in the data Dialogue: 0,0:27:39.52,0:27:41.12,Default,,0000,0000,0000,,being returned to the victims, Dialogue: 0,0:27:41.12,0:27:42.96,Default,,0000,0000,0000,,and so, needless to say, payment should Dialogue: 0,0:27:42.96,0:27:44.40,Default,,0000,0000,0000,,not be an option, Dialogue: 0,0:27:44.40,0:27:46.16,Default,,0000,0000,0000,,unless your goal is to lose money and your Dialogue: 0,0:27:46.16,0:27:47.76,Default,,0000,0000,0000,,data as well. Dialogue: 0,0:27:47.76,0:27:49.52,Default,,0000,0000,0000,,The biggest mistake that organizations Dialogue: 0,0:27:49.52,0:27:51.76,Default,,0000,0000,0000,,tend to make is refusing to believe that Dialogue: 0,0:27:51.76,0:27:53.52,Default,,0000,0000,0000,,they would be a target. 
Dialogue: 0,0:27:53.52,0:27:55.36,Default,,0000,0000,0000,,According to a study by Cloudwords in Dialogue: 0,0:27:55.36,0:27:56.64,Default,,0000,0000,0000,,2021, Dialogue: 0,0:27:56.64,0:27:58.56,Default,,0000,0000,0000,,every 11 seconds a company is hit by Dialogue: 0,0:27:58.56,0:28:00.64,Default,,0000,0000,0000,,ransomware, and a large proportion of Dialogue: 0,0:28:00.64,0:28:02.24,Default,,0000,0000,0000,,those organizations are small Dialogue: 0,0:28:02.24,0:28:03.92,Default,,0000,0000,0000,,to medium-sized businesses that never Dialogue: 0,0:28:03.92,0:28:06.08,Default,,0000,0000,0000,,see it coming, as they're often found to Dialogue: 0,0:28:06.08,0:28:07.60,Default,,0000,0000,0000,,have less than effective security Dialogue: 0,0:28:07.60,0:28:08.96,Default,,0000,0000,0000,,strategies in place, Dialogue: 0,0:28:08.96,0:28:10.48,Default,,0000,0000,0000,,making them ideal targets for such Dialogue: 0,0:28:10.48,0:28:12.08,Default,,0000,0000,0000,,attacks. Dialogue: 0,0:28:12.08,0:28:13.44,Default,,0000,0000,0000,,Digital transformation during the Dialogue: 0,0:28:13.44,0:28:15.36,Default,,0000,0000,0000,,coronavirus pandemic has started to move Dialogue: 0,0:28:15.36,0:28:16.96,Default,,0000,0000,0000,,businesses to the cloud, Dialogue: 0,0:28:16.96,0:28:18.80,Default,,0000,0000,0000,,and so cyber criminals have now shifted Dialogue: 0,0:28:18.80,0:28:20.72,Default,,0000,0000,0000,,their focus to the cloud as well, Dialogue: 0,0:28:20.72,0:28:22.32,Default,,0000,0000,0000,,giving them an entirely new attack Dialogue: 0,0:28:22.32,0:28:24.00,Default,,0000,0000,0000,,surface to work with. Dialogue: 0,0:28:24.00,0:28:26.48,Default,,0000,0000,0000,,The cost of ransomware is said to top 20 Dialogue: 0,0:28:26.48,0:28:29.04,Default,,0000,0000,0000,,billion dollars by the end of 2021, Dialogue: 0,0:28:29.04,0:28:32.16,Default,,0000,0000,0000,,and that is ransomware alone. 
By 2025, Dialogue: 0,0:28:32.16,0:28:33.92,Default,,0000,0000,0000,,Cybersecurity Ventures estimates that Dialogue: 0,0:28:33.92,0:28:35.84,Default,,0000,0000,0000,,cybercrime will cost businesses Dialogue: 0,0:28:35.84,0:28:39.28,Default,,0000,0000,0000,,10.5 trillion dollars annually, Dialogue: 0,0:28:39.28,0:28:41.28,Default,,0000,0000,0000,,which would amount to just 2 trillion Dialogue: 0,0:28:41.28,0:28:43.04,Default,,0000,0000,0000,,short of China's economy, Dialogue: 0,0:28:43.04,0:28:46.00,Default,,0000,0000,0000,,the second biggest economy in the world. Dialogue: 0,0:28:46.00,0:28:48.32,Default,,0000,0000,0000,,We are headed towards bigger and more Dialogue: 0,0:28:48.32,0:28:50.64,Default,,0000,0000,0000,,destructive attacks than WannaCry, Dialogue: 0,0:28:50.64,0:28:53.44,Default,,0000,0000,0000,,and our most reliable defense is our Dialogue: 0,0:28:53.44,0:28:54.24,Default,,0000,0000,0000,,awareness Dialogue: 0,0:28:54.24,0:28:55.96,Default,,0000,0000,0000,,and our action to better protect Dialogue: 0,0:28:55.96,0:28:59.48,Default,,0000,0000,0000,,ourselves. Thank you for watching. Dialogue: 0,0:28:59.48,0:29:03.85,Default,,0000,0000,0000,,[Music] Dialogue: 0,0:29:05.81,0:29:30.81,Default,,0000,0000,0000,,[Music] Dialogue: 0,0:29:30.81,0:29:46.77,Default,,0000,0000,0000,,[Music] Dialogue: 0,0:29:46.77,0:29:51.28,Default,,0000,0000,0000,,[Music]