WEBVTT 00:00:00.000 --> 00:00:09.150 [Music] 00:00:10.960 --> 00:00:13.679 A small note before we start, 00:00:13.679 --> 00:00:15.599 as much as this video is meant to be a 00:00:15.599 --> 00:00:17.440 storytelling experience, 00:00:17.440 --> 00:00:18.960 I have also intended it to be 00:00:18.960 --> 00:00:20.640 educational, 00:00:20.640 --> 00:00:22.480 and so, I have coupled the story along 00:00:22.480 --> 00:00:23.840 with how some of these attacks and 00:00:23.840 --> 00:00:26.000 technologies work. 00:00:26.000 --> 00:00:28.400 This is my first documentary-style video, 00:00:28.400 --> 00:00:30.800 and so I appreciate any and all feedback 00:00:30.800 --> 00:00:33.120 in the comments below. 00:00:33.120 --> 00:00:35.680 I really hope you enjoy, and hopefully, 00:00:35.680 --> 00:00:38.640 learn a few new things. 00:00:40.800 --> 00:00:43.440 Right now, a crippling cyberattack has 00:00:43.440 --> 00:00:45.039 businesses around the world 00:00:45.039 --> 00:00:47.760 on high alert. The ransomware known as 00:00:47.760 --> 00:00:48.719 WannaCry- 00:00:48.719 --> 00:00:50.399 We want to move on to the other developing 00:00:50.399 --> 00:00:52.333 story this morning, the global cyberattack- 00:00:52.333 --> 00:00:54.239 The National Security Agency 00:00:54.239 --> 00:00:56.559 developed this software and it's now 00:00:56.559 --> 00:00:58.010 being used by criminals 00:00:58.010 --> 00:01:00.051 around the world to demand ransom.
00:01:00.051 --> 00:01:01.760 Security experts say this is one 00:01:01.760 --> 00:01:03.280 of the worst and most 00:01:03.280 --> 00:01:05.439 widespread pieces of malware they've 00:01:05.439 --> 00:01:06.870 ever seen- 00:01:06.870 --> 00:01:13.861 [Music] 00:01:15.607 --> 00:01:19.247 [Typing] 00:01:20.080 --> 00:01:23.040 In May of 2017, a worldwide cyberattack 00:01:23.040 --> 00:01:24.799 by the name of WannaCry, 00:01:24.799 --> 00:01:27.840 short for WannaCryptor, impacted over 150 00:01:27.840 --> 00:01:28.720 countries, 00:01:28.720 --> 00:01:31.360 and hit around 230,000 computers 00:01:31.360 --> 00:01:32.720 globally. 00:01:32.720 --> 00:01:34.560 Needless to say, it became known as one 00:01:34.560 --> 00:01:36.640 of the biggest ransomware attacks in 00:01:36.640 --> 00:01:38.159 history. 00:01:38.159 --> 00:01:40.799 Let's start at the very beginning. On the 00:01:40.799 --> 00:01:43.119 morning of the 12th of May, 2017, 00:01:43.119 --> 00:01:45.360 according to Akamai, the content delivery 00:01:45.360 --> 00:01:46.240 network, 00:01:46.240 --> 00:01:48.720 this was the timeline. Reportedly the 00:01:48.720 --> 00:01:51.200 first case identified originated from a 00:01:51.200 --> 00:01:53.600 Southeast Asian ISP which was detected 00:01:53.600 --> 00:01:56.411 at 7:44 am UTC. 00:01:56.901 --> 00:01:58.399 Over the next hour, there were cases 00:01:58.399 --> 00:02:00.240 seen from Latin America, 00:02:00.240 --> 00:02:02.960 then continental Europe and the UK, then 00:02:02.960 --> 00:02:06.840 Brazilian and Argentinian ISPs until at 12:39 pm 00:02:06.840 --> 00:02:09.280 UTC, 74% 00:02:09.280 --> 00:02:12.720 of all ISPs in Asia were affected. And by 00:02:12.720 --> 00:02:14.800 3:28 pm UTC, 00:02:14.800 --> 00:02:17.670 the ransomware had taken hold of 65% 00:02:17.670 --> 00:02:20.640 of Latin American ISPs. 00:02:20.640 --> 00:02:22.879 WannaCry was spreading and at an 00:02:22.879 --> 00:02:24.640 incredible rate.
00:02:24.640 --> 00:02:26.160 Prior to this, such a quick and 00:02:26.160 --> 00:02:28.640 widespread ransomware was unheard of. 00:02:28.640 --> 00:02:31.040 A lot of organizations, unable to recover 00:02:31.040 --> 00:02:31.840 their losses, 00:02:31.840 --> 00:02:34.640 were forced to permanently shut down. 00:02:34.640 --> 00:02:36.160 Some had to put a pause on their 00:02:36.160 --> 00:02:38.319 networks and services, and reported huge 00:02:38.319 --> 00:02:39.360 losses, 00:02:39.360 --> 00:02:42.480 some in the millions of dollars. The attack 00:02:42.480 --> 00:02:44.720 did not discriminate. Small to 00:02:44.720 --> 00:02:46.400 medium-sized businesses, 00:02:46.400 --> 00:02:48.800 large enterprises, the private sector, the 00:02:48.800 --> 00:02:50.160 public sector, 00:02:50.160 --> 00:02:52.640 railways, healthcare, banks, malls, 00:02:52.640 --> 00:02:53.360 ministries, 00:02:53.360 --> 00:02:56.560 police, energy companies, ISPs, and there 00:02:56.560 --> 00:02:57.440 just seemed to be 00:02:57.440 --> 00:03:00.720 no end to the victims. Within a few hours, 00:03:00.720 --> 00:03:02.720 it had spread to over 11 countries, 00:03:02.720 --> 00:03:04.319 and by the end of the first day of the 00:03:04.319 --> 00:03:06.159 attack, the ransomware had been 00:03:06.159 --> 00:03:08.480 encountered in 74 countries 00:03:08.480 --> 00:03:10.319 within thousands and thousands of 00:03:10.319 --> 00:03:12.159 organizations. 00:03:12.159 --> 00:03:14.879 And so it begged the question, how much 00:03:14.879 --> 00:03:16.640 damage will this really cause over the 00:03:16.640 --> 00:03:17.599 next few days 00:03:17.599 --> 00:03:20.159 or weeks or months if no solution 00:03:20.159 --> 00:03:23.040 presents itself? 00:03:23.440 --> 00:03:26.450 Your service has been temporarily disconnected. 00:03:26.850 --> 00:03:30.290 [Typing] 00:03:31.200 --> 00:03:33.280 [Music] 00:03:33.280 --> 00:03:36.239 Ransomware works in a very simple manner.
00:03:36.239 --> 00:03:38.080 It is a type of malware most commonly 00:03:38.080 --> 00:03:39.920 spread through phishing attacks, 00:03:39.920 --> 00:03:41.840 which are essentially emails used to 00:03:41.840 --> 00:03:44.000 trick a user into clicking a link that 00:03:44.000 --> 00:03:45.599 leads them to a website 00:03:45.599 --> 00:03:47.840 where they enter sensitive data, or to 00:03:47.840 --> 00:03:50.159 download attachments which, if executed, 00:03:50.159 --> 00:03:52.239 will infect the computer. 00:03:52.239 --> 00:03:54.400 Although initially suspected, WannaCry 00:03:54.400 --> 00:03:56.799 did not originate from a phishing attack, 00:03:56.799 --> 00:03:59.240 but we'll get to that later. 00:03:59.240 --> 00:04:01.280 Once a computer is infected, 00:04:01.280 --> 00:04:03.040 the ransomware runs an encryption 00:04:03.040 --> 00:04:05.280 process, and usually in less than a 00:04:05.280 --> 00:04:06.239 minute, 00:04:06.239 --> 00:04:08.799 some or all of the files, depending on what 00:04:08.799 --> 00:04:10.879 the ransomware is meant to affect in the 00:04:10.879 --> 00:04:12.400 user's computer, 00:04:12.400 --> 00:04:14.239 are converted from plain text to 00:04:14.239 --> 00:04:15.840 ciphertext. 00:04:15.840 --> 00:04:18.239 Plain text is readable or comprehensible 00:04:18.239 --> 00:04:19.120 data, 00:04:19.120 --> 00:04:21.120 and ciphertext is unintelligible 00:04:21.120 --> 00:04:22.720 gibberish. 00:04:22.720 --> 00:04:24.639 In order to turn this back into plain 00:04:24.639 --> 00:04:27.199 text, the user will need what is known as 00:04:27.199 --> 00:04:28.800 a decryption key, 00:04:28.800 --> 00:04:30.880 which the attacker promises to provide 00:04:30.880 --> 00:04:34.560 if the user were to pay the ransom.
00:04:34.639 --> 00:04:36.880 What makes ransomware so dreadful is 00:04:36.880 --> 00:04:39.360 that once your files have been encrypted, 00:04:39.360 --> 00:04:41.040 you can't exactly decrypt them and 00:04:41.040 --> 00:04:42.960 retrieve your data. 00:04:42.960 --> 00:04:44.720 Well, you can, but with the current 00:04:44.720 --> 00:04:46.639 technology we have, to break common 00:04:46.639 --> 00:04:48.720 encryption algorithms used in ransomware 00:04:48.720 --> 00:04:49.600 attacks 00:04:49.600 --> 00:04:52.800 such as RSA, it would take millions 00:04:52.800 --> 00:04:56.270 to billions to trillions of years. 00:04:56.270 --> 00:05:00.410 [Music] 00:05:01.465 --> 00:05:03.200 [Typing] 00:05:03.520 --> 00:05:05.440 This is what you'd see if you were to 00:05:05.440 --> 00:05:07.199 become infected with the WannaCry 00:05:07.199 --> 00:05:08.639 ransomware. 00:05:08.639 --> 00:05:10.160 In addition to this intimidating 00:05:10.160 --> 00:05:12.479 wallpaper, your documents, 00:05:12.479 --> 00:05:16.160 spreadsheets, images, videos, 00:05:16.160 --> 00:05:18.639 music, and most everyday productivity and 00:05:18.639 --> 00:05:21.039 multimedia files become encrypted, 00:05:21.039 --> 00:05:22.800 essentially being held hostage till the 00:05:22.800 --> 00:05:26.240 ransom payment has been made. 00:05:27.120 --> 00:05:29.199 The Wanna Decryptor 2.0 comes with a set 00:05:29.199 --> 00:05:30.240 of instructions 00:05:30.240 --> 00:05:31.919 in 28 different languages for 00:05:31.919 --> 00:05:33.680 victims to follow in order to recover 00:05:33.680 --> 00:05:35.199 their files. 00:05:35.199 --> 00:05:37.759 The attackers demanded $300 worth of 00:05:37.759 --> 00:05:38.639 bitcoin, 00:05:38.639 --> 00:05:40.560 and after three days it would be raised to 00:05:40.560 --> 00:05:42.479 $600.
00:05:42.479 --> 00:05:44.080 If the payment were to be made seven 00:05:44.080 --> 00:05:45.919 days after the infection, the files would 00:05:45.919 --> 00:05:47.680 not be recoverable. 00:05:47.680 --> 00:05:49.840 However, despite this, they also go on to 00:05:49.840 --> 00:05:51.759 state that they will return the files 00:05:51.759 --> 00:05:54.800 for free to "Users who are so poor 00:05:54.800 --> 00:05:56.510 that they couldn't pay" 00:05:56.510 --> 00:05:58.720 after six months. The method of 00:05:58.720 --> 00:05:59.840 payment, 00:05:59.840 --> 00:06:00.950 bitcoin. 00:06:00.950 --> 00:06:04.160 [Music] 00:06:04.160 --> 00:06:06.400 The reason the attackers chose bitcoin 00:06:06.400 --> 00:06:07.840 was that it is what we know 00:06:07.840 --> 00:06:10.479 as a private cryptocurrency. This allows 00:06:10.479 --> 00:06:12.080 the holder of the currency to remain 00:06:12.080 --> 00:06:13.280 anonymous. 00:06:13.280 --> 00:06:14.639 Though the money could be traced to a 00:06:14.639 --> 00:06:16.560 cryptocurrency wallet, which is where the 00:06:16.560 --> 00:06:18.160 currency itself is stored, 00:06:18.160 --> 00:06:19.840 it would be exponentially difficult to 00:06:19.840 --> 00:06:21.360 find the owner of the wallet without 00:06:21.360 --> 00:06:24.319 extensive forensic analysis. 00:06:24.319 --> 00:06:26.560 This is the reason that bitcoin is used 00:06:26.560 --> 00:06:27.840 widely on the dark web 00:06:27.840 --> 00:06:30.639 to purchase guns, drugs, and other illegal 00:06:30.639 --> 00:06:32.260 goods and services that, for obvious 00:06:32.260 --> 00:06:33.199 reasons, 00:06:33.199 --> 00:06:35.039 you would not be able to find on the 00:06:35.039 --> 00:06:36.359 surface web.
00:06:38.879 --> 00:06:42.517 [Typing] 00:06:48.000 --> 00:06:50.080 The problem with WannaCry and what made it 00:06:50.080 --> 00:06:51.919 exponentially more dangerous than your 00:06:51.919 --> 00:06:53.280 average ransomware 00:06:53.280 --> 00:06:56.319 was its propagating capabilities. 00:06:56.319 --> 00:06:58.240 But to understand this fully, we need to 00:06:58.240 --> 00:06:59.840 go back in time a little bit 00:06:59.840 --> 00:07:04.000 to 2016. In August of 2016, the Equation 00:07:04.000 --> 00:07:05.680 Group, suspected to have ties with the 00:07:05.680 --> 00:07:07.520 National Security Agency's tailored 00:07:07.520 --> 00:07:08.800 operations unit, 00:07:08.800 --> 00:07:10.880 and described by Kaspersky as one of the 00:07:10.880 --> 00:07:12.880 most sophisticated cyberattack groups 00:07:12.880 --> 00:07:14.080 in the world, 00:07:14.080 --> 00:07:15.759 was said to be hacked by a group called 00:07:15.759 --> 00:07:17.680 the Shadow Brokers. 00:07:17.680 --> 00:07:19.919 In this hack, disks full of the NSA's 00:07:19.919 --> 00:07:21.630 secrets were stolen. 00:07:22.800 --> 00:07:25.039 This was bad because the NSA houses what 00:07:25.039 --> 00:07:27.520 we know as nation state attacks, 00:07:27.520 --> 00:07:29.759 which are exploits or hacking tools that 00:07:29.759 --> 00:07:31.280 are used to carry out a hack for their 00:07:31.280 --> 00:07:32.479 home country 00:07:32.479 --> 00:07:35.199 against another country. The NSA would 00:07:35.199 --> 00:07:37.120 essentially recruit a skilled hacker and 00:07:37.120 --> 00:07:39.280 give them a license to hack, 00:07:39.280 --> 00:07:41.199 which means if they did carry it out, it 00:07:41.199 --> 00:07:42.560 wouldn't be illegal, 00:07:42.560 --> 00:07:44.800 at least in that country, and the hacker 00:07:44.800 --> 00:07:46.679 would not be charged.
00:07:48.639 --> 00:07:50.639 The danger here is that the nation state 00:07:50.639 --> 00:07:52.400 tools in themselves are usually pretty 00:07:52.400 --> 00:07:53.440 effective, 00:07:53.440 --> 00:07:55.120 especially considering they are to be 00:07:55.120 --> 00:07:57.280 used as weapons against entire states 00:07:57.280 --> 00:07:58.500 and countries. 00:08:00.459 --> 00:08:03.599 [Music] 00:08:03.599 --> 00:08:05.440 The NSA is said to have discovered a 00:08:05.440 --> 00:08:07.199 multitude of other vulnerabilities in 00:08:07.199 --> 00:08:08.160 the Windows OS 00:08:08.160 --> 00:08:11.280 as early as 2013, but was speculated to 00:08:11.280 --> 00:08:13.280 have developed exploits secretly and 00:08:13.280 --> 00:08:14.560 stockpiled them, 00:08:14.560 --> 00:08:16.560 rather than reporting them to Microsoft or 00:08:16.560 --> 00:08:18.240 the InfoSec community, 00:08:18.240 --> 00:08:20.000 so that they could weaponize them and 00:08:20.000 --> 00:08:21.919 utilize them in their nation state and 00:08:21.919 --> 00:08:23.690 other attacks. 00:08:25.440 --> 00:08:27.199 The Shadow Brokers would go on to 00:08:27.199 --> 00:08:28.720 auction off some of these tools that 00:08:28.720 --> 00:08:30.000 were developed, 00:08:30.000 --> 00:08:32.080 but due to skepticism online on whether 00:08:32.080 --> 00:08:34.080 the hackers really did have files as 00:08:34.080 --> 00:08:36.159 dangerous as they had claimed, 00:08:36.159 --> 00:08:37.919 this would essentially go on to become a 00:08:37.919 --> 00:08:40.719 catastrophic failure. 00:08:40.719 --> 00:08:42.399 We can talk quite a bit about the Shadow 00:08:42.399 --> 00:08:44.800 Brokers.
The story itself is worth 00:08:44.800 --> 00:08:46.720 examining individually and maybe even on 00:08:46.720 --> 00:08:48.080 a separate video, 00:08:48.080 --> 00:08:49.760 but let's narrow our focus down to the 00:08:49.760 --> 00:08:51.839 leak that made WannaCry possible, 00:08:51.839 --> 00:08:54.000 which at that point was the fifth leak 00:08:54.000 --> 00:08:55.760 by the group and was said to be the most 00:08:55.760 --> 00:08:58.640 damaging one yet. 00:08:59.360 --> 00:09:02.080 On April 14, 2017, the Shadow Brokers 00:09:02.080 --> 00:09:03.600 would post a tweet that linked to their 00:09:03.600 --> 00:09:05.120 Steem blockchain 00:09:05.120 --> 00:09:08.880 on a post titled "Lost in Translation". 00:09:08.880 --> 00:09:10.399 This leak contained files from the 00:09:10.399 --> 00:09:12.160 initial failed auction which they now 00:09:12.160 --> 00:09:14.160 decided to release to the public 00:09:14.160 --> 00:09:18.080 for free. The description accompanying 00:09:18.080 --> 00:09:19.839 the leaked files doesn't really contain 00:09:19.839 --> 00:09:21.279 much worth noting. 00:09:21.279 --> 00:09:23.120 As always, the Shadow Brokers would use 00:09:23.120 --> 00:09:25.040 broken, but still somewhat comprehensible 00:09:25.040 --> 00:09:26.399 English. 00:09:26.399 --> 00:09:28.480 However, this is widely speculated not to 00:09:28.480 --> 00:09:29.839 speak to their proficiency in the 00:09:29.839 --> 00:09:30.640 language, 00:09:30.640 --> 00:09:32.160 but rather an attempt to mislead 00:09:32.160 --> 00:09:33.920 analysts and prevent them from yielding 00:09:33.920 --> 00:09:36.240 any results regarding their identity 00:09:36.240 --> 00:09:39.519 based on how they type. 00:09:39.519 --> 00:09:41.200 The link, which has now been taken down, 00:09:41.200 --> 00:09:42.800 takes you to an archive filled with a 00:09:42.800 --> 00:09:44.640 number of Windows exploits developed by 00:09:44.640 --> 00:09:46.240 the NSA.
00:09:46.240 --> 00:09:48.160 It did contain many other valuable tools 00:09:48.160 --> 00:09:49.440 worth examining, 00:09:49.440 --> 00:09:51.279 but the ones relevant to our story and 00:09:51.279 --> 00:09:53.040 what made a regular ransomware so 00:09:53.040 --> 00:09:54.160 destructive 00:09:54.160 --> 00:09:56.880 were the payload, DoublePulsar, and the 00:09:56.880 --> 00:09:58.560 now infamous exploit used in the 00:09:58.560 --> 00:09:59.839 WannaCry attack, 00:09:59.839 --> 00:10:01.329 EternalBlue. 00:10:01.329 --> 00:10:05.664 [Music] 00:10:08.112 --> 00:10:11.441 [Typing] 00:10:15.440 --> 00:10:18.800 Server Message Block version 1, or SMBv1, 00:10:18.800 --> 00:10:20.720 is a network communication protocol 00:10:20.720 --> 00:10:23.519 which was developed in 1983. 00:10:23.519 --> 00:10:25.440 The function of this protocol would be 00:10:25.440 --> 00:10:27.200 to allow one Windows computer to 00:10:27.200 --> 00:10:28.720 communicate with another 00:10:28.720 --> 00:10:30.880 and share files and printers on a local 00:10:30.880 --> 00:10:32.399 network. 00:10:32.399 --> 00:10:34.880 However, SMB version 1 had a critical 00:10:34.880 --> 00:10:36.160 vulnerability 00:10:36.160 --> 00:10:39.040 which allowed for what is known as 00:10:39.040 --> 00:10:41.760 remote arbitrary code execution, 00:10:41.760 --> 00:10:43.440 in which an attacker would be able to 00:10:43.440 --> 00:10:45.440 execute whatever code they'd like 00:10:45.440 --> 00:10:47.680 on their target or victim's computer 00:10:47.680 --> 00:10:48.800 over the Internet, 00:10:48.800 --> 00:10:51.600 usually with malicious intent. The 00:10:51.600 --> 00:10:53.360 function of EternalBlue was to take 00:10:53.360 --> 00:10:55.839 advantage of this vulnerability.
00:10:55.839 --> 00:10:58.000 Essentially, and I'm going to try and strip 00:10:58.000 --> 00:10:59.519 it down to simplify it as much as 00:10:59.519 --> 00:11:00.800 possible, 00:11:00.800 --> 00:11:02.640 when the Shadow Brokers first leaked the 00:11:02.640 --> 00:11:03.920 NSA tools, 00:11:03.920 --> 00:11:05.920 hackers took this opportunity to install 00:11:05.920 --> 00:11:07.519 DoublePulsar, 00:11:07.519 --> 00:11:09.200 which is a tool that opens what we 00:11:09.200 --> 00:11:10.880 commonly know in security 00:11:10.880 --> 00:11:14.000 as a backdoor. Backdoors allow hackers 00:11:14.000 --> 00:11:16.560 to create an entry point into the system 00:11:16.560 --> 00:11:18.560 or a network of systems and gain easy 00:11:18.560 --> 00:11:20.880 access later on. 00:11:20.880 --> 00:11:22.880 The initial infection of WannaCry is not 00:11:22.880 --> 00:11:23.920 known, 00:11:23.920 --> 00:11:25.680 but it is speculated that the attackers 00:11:25.680 --> 00:11:27.120 took advantage of the backdoor to 00:11:27.120 --> 00:11:28.880 deliver the payload. 00:11:28.880 --> 00:11:30.399 The payload in this case is the 00:11:30.399 --> 00:11:32.800 ransomware WannaCry. 00:11:32.800 --> 00:11:34.399 When a computer is infected with 00:11:34.399 --> 00:11:36.160 WannaCry, oddly, 00:11:36.160 --> 00:11:37.440 it then tries to connect to the 00:11:37.440 --> 00:11:39.600 following unregistered domain, 00:11:39.600 --> 00:11:41.519 which is basically a random string of 00:11:41.519 --> 00:11:43.360 numbers and letters. 00:11:43.360 --> 00:11:45.120 If it cannot establish a connection to 00:11:45.120 --> 00:11:48.000 this domain, then the real damage begins.
00:11:48.000 --> 00:11:50.880 It scans for port 445 on the network, 00:11:50.880 --> 00:11:52.560 which is the port that is used to host 00:11:52.560 --> 00:11:54.079 SMB version 1, 00:11:54.079 --> 00:11:56.079 and if the port is deemed to be open, it 00:11:56.079 --> 00:11:57.600 would then proceed to spread to that 00:11:57.600 --> 00:11:59.280 computer. 00:11:59.680 --> 00:12:02.200 This is how it propagated so quickly. 00:12:03.120 --> 00:12:04.800 Regardless of whether the other users in the network 00:12:04.800 --> 00:12:06.560 actually downloaded or clicked on 00:12:06.560 --> 00:12:08.000 anything malicious, 00:12:08.000 --> 00:12:10.399 they would be infected, and in 00:12:10.399 --> 00:12:12.000 seconds all their data would be 00:12:12.000 --> 00:12:13.140 encrypted. 00:12:14.399 --> 00:12:17.360 So the damage came in two parts, the 00:12:17.360 --> 00:12:19.120 ransomware that encrypts the data 00:12:19.120 --> 00:12:20.959 and the worm-like component that is used 00:12:20.959 --> 00:12:22.480 to spread the ransomware to any 00:12:22.480 --> 00:12:23.279 connected, 00:12:23.279 --> 00:12:25.600 vulnerable devices in the network as a 00:12:25.600 --> 00:12:28.880 result of EternalBlue and DoublePulsar. 00:12:28.880 --> 00:12:31.360 The attack only affected Windows systems, 00:12:31.360 --> 00:12:33.360 mainly targeting Windows XP, 00:12:33.360 --> 00:12:36.320 Vista, Windows 7, Windows 8, and Windows 00:12:36.320 --> 00:12:37.519 10. 00:12:37.519 --> 00:12:39.519 However, a month prior to the leak by the 00:12:39.519 --> 00:12:42.480 Shadow Brokers, on March 14, 2017, 00:12:42.480 --> 00:12:44.079 Microsoft was made aware of this 00:12:44.079 --> 00:12:45.920 vulnerability after it was publicly 00:12:45.920 --> 00:12:46.800 reported 00:12:46.800 --> 00:12:50.480 almost five years after its discovery.
00:12:50.480 --> 00:12:52.320 Microsoft then released a critical patch 00:12:52.320 --> 00:12:54.070 to fix this vulnerability, 00:12:54.070 --> 00:12:57.040 MS17-010. 00:12:57.040 --> 00:12:59.600 However, despite the release of the patch, 00:12:59.600 --> 00:13:01.519 a significant number of organizations 00:13:01.519 --> 00:13:03.360 never updated their systems, 00:13:03.360 --> 00:13:05.680 and unfortunately there were still major 00:13:05.680 --> 00:13:08.000 organizations running Windows XP 00:13:08.000 --> 00:13:11.680 or Server 2003. These devices were at end 00:13:11.680 --> 00:13:12.959 of support, 00:13:12.959 --> 00:13:14.800 which means that even if updates were 00:13:14.800 --> 00:13:16.639 out, they would not receive them 00:13:16.639 --> 00:13:18.309 and be completely vulnerable to the 00:13:18.309 --> 00:13:19.710 exploit. 00:13:20.800 --> 00:13:22.160 If you want to know more about the 00:13:22.160 --> 00:13:23.760 vulnerability that EternalBlue 00:13:23.760 --> 00:13:24.720 exploited, 00:13:24.720 --> 00:13:26.160 it is now logged in the National 00:13:26.160 --> 00:13:27.760 Vulnerability Database 00:13:27.760 --> 00:13:32.447 as CVE-2017-0144. 00:13:32.447 --> 00:13:36.056 [Music] 00:13:38.048 --> 00:13:40.889 [Typing] 00:13:47.920 --> 00:13:50.560 Marcus Hutchins, also known online by his 00:13:50.560 --> 00:13:52.320 alias MalwareTech, 00:13:52.320 --> 00:13:54.320 was a 23-year-old British security 00:13:54.320 --> 00:13:56.160 researcher at Kryptos Logic 00:13:56.160 --> 00:13:59.519 in LA. After returning from lunch with a 00:13:59.519 --> 00:14:01.839 friend on the afternoon of the attack, 00:14:01.839 --> 00:14:03.600 he found himself scouring message 00:14:03.600 --> 00:14:04.880 boards where he came across 00:14:04.880 --> 00:14:07.519 news of a ransomware rapidly taking down 00:14:07.519 --> 00:14:09.680 systems in the National Health Service, 00:14:09.680 --> 00:14:13.519 or NHS, all over the UK.
00:14:13.519 --> 00:14:14.959 Hutchins, who found it odd that the 00:14:14.959 --> 00:14:17.040 ransomware was consistently affecting so 00:14:17.040 --> 00:14:18.399 many devices, 00:14:18.399 --> 00:14:20.320 concluded that the attack was probably a 00:14:20.320 --> 00:14:21.760 computer worm and not just 00:14:21.760 --> 00:14:25.120 a simple ransomware. He quickly asked 00:14:25.120 --> 00:14:27.040 one of his friends to pass him a sample 00:14:27.040 --> 00:14:28.160 of the malware 00:14:28.160 --> 00:14:30.000 so that he could examine it and reverse 00:14:30.000 --> 00:14:32.000 engineer it to analyze exactly how it 00:14:32.000 --> 00:14:33.279 worked. 00:14:33.279 --> 00:14:34.880 Once he had gotten his hands on the 00:14:34.880 --> 00:14:36.320 malware sample, 00:14:36.320 --> 00:14:38.079 he ran it in a virtual 00:14:38.079 --> 00:14:40.160 environment with fake files 00:14:40.160 --> 00:14:41.680 and found out that it was trying to 00:14:41.680 --> 00:14:44.480 connect to an unregistered domain, 00:14:44.480 --> 00:14:48.079 which we discussed earlier in Chapter 4. 00:14:48.079 --> 00:14:49.839 Hutchins would go on to register this 00:14:49.839 --> 00:14:53.708 domain for only $10.69, 00:14:53.708 --> 00:14:55.120 which, unbeknownst to him, 00:14:55.120 --> 00:14:56.839 would actually halt the WannaCry 00:14:56.839 --> 00:14:58.560 infection. 00:14:58.560 --> 00:15:00.240 He would later admit in a tweet that 00:15:00.240 --> 00:15:02.560 same day that the domain registration 00:15:02.560 --> 00:15:04.079 leading to a pause in the rapid 00:15:04.079 --> 00:15:05.120 infection 00:15:05.120 --> 00:15:08.399 was indeed an accident, dubbing Marcus 00:15:08.399 --> 00:15:09.120 Hutchins 00:15:09.120 --> 00:15:12.621 the accidental hero.
00:15:12.621 --> 00:15:17.371 [Music] 00:15:18.360 --> 00:15:23.350 [Music] 00:15:23.440 --> 00:15:25.680 To Hutchins, taking control of 00:15:25.680 --> 00:15:27.680 unregistered domains was just a part of 00:15:27.680 --> 00:15:28.880 his workflow 00:15:28.880 --> 00:15:30.480 when it came to stopping botnets and 00:15:30.480 --> 00:15:32.320 tracking malware. 00:15:32.320 --> 00:15:33.839 This was so that he could get further 00:15:33.839 --> 00:15:35.839 insight into how the malware or botnets 00:15:35.839 --> 00:15:37.440 were spreading. 00:15:37.440 --> 00:15:38.959 For those of you unaware of what a 00:15:38.959 --> 00:15:41.199 botnet is, it is essentially a group of 00:15:41.199 --> 00:15:42.800 computers that have been hijacked by 00:15:42.800 --> 00:15:44.240 malicious actors 00:15:44.240 --> 00:15:46.160 or hackers in order to be used in their 00:15:46.160 --> 00:15:47.440 attacks to drive 00:15:47.440 --> 00:15:50.560 excess network traffic or steal data. 00:15:50.560 --> 00:15:52.399 One computer that has been hijacked is 00:15:52.399 --> 00:15:54.560 called a bot and a network of them 00:15:54.560 --> 00:15:57.680 is called a botnet. However, 00:15:57.680 --> 00:16:00.399 as we discussed earlier, the attack 00:16:00.399 --> 00:16:02.320 only executes if it's unable to reach 00:16:02.320 --> 00:16:04.639 the domain that it checks for. 00:16:04.639 --> 00:16:06.839 Think of it as a simple if-then 00:16:06.839 --> 00:16:08.160 statement. 00:16:08.160 --> 00:16:09.920 If the infection cannot connect to x 00:16:09.920 --> 00:16:12.639 domain, then proceed with the infection. 00:16:12.639 --> 00:16:16.560 If it can reach x domain, stop the attack. 00:16:16.560 --> 00:16:18.320 And so the malware being able to connect 00:16:18.320 --> 00:16:20.160 to the domain was known as the kill 00:16:20.160 --> 00:16:21.199 switch, 00:16:21.199 --> 00:16:23.199 the big red button that stops the attack 00:16:23.199 --> 00:16:25.839 from spreading any further.
00:16:25.839 --> 00:16:28.240 But why would the attackers implement a 00:16:28.240 --> 00:16:30.399 kill switch at all? 00:16:30.399 --> 00:16:32.240 The first theory is that the creators of 00:16:32.240 --> 00:16:34.160 WannaCry wanted a way to stop the attack 00:16:34.160 --> 00:16:36.480 if it ever got out of hand or had any 00:16:36.480 --> 00:16:38.560 unintentional effects. 00:16:38.560 --> 00:16:40.399 The second and most likely theory, 00:16:40.399 --> 00:16:42.320 proposed by Hutchins and other security 00:16:42.320 --> 00:16:43.519 researchers, 00:16:43.519 --> 00:16:45.360 was that the kill switch was present in 00:16:45.360 --> 00:16:46.800 order to prevent researchers from 00:16:46.800 --> 00:16:49.279 looking into the behavior of WannaCry 00:16:49.279 --> 00:16:51.120 if it was being executed within what is 00:16:51.120 --> 00:16:52.320 known in security 00:16:52.320 --> 00:16:55.759 as a sandbox. A sandbox is usually a 00:16:55.759 --> 00:16:57.519 virtual computer that is used to run 00:16:57.519 --> 00:16:58.800 malware. 00:16:58.800 --> 00:17:00.320 It is a contained environment with 00:17:00.320 --> 00:17:02.000 measures that have been taken to not 00:17:02.000 --> 00:17:04.559 infect any important files or spread to 00:17:04.559 --> 00:17:06.480 other networks, 00:17:06.480 --> 00:17:08.240 much like what I used in Chapter 2 to 00:17:08.240 --> 00:17:10.109 demonstrate the WannaCry ransomware. 00:17:12.160 --> 00:17:14.240 Researchers use these sandboxes to run 00:17:14.240 --> 00:17:16.240 malware and then use tools to determine 00:17:16.240 --> 00:17:18.480 the behavior of the attack. 00:17:18.480 --> 00:17:20.240 This is what Hutchins did with fake 00:17:20.240 --> 00:17:22.640 files as well.
00:17:22.640 --> 00:17:24.559 So the intent behind this kill switch 00:17:24.559 --> 00:17:26.240 was to destroy the ransomware if it 00:17:26.240 --> 00:17:28.960 existed within a sandbox environment, 00:17:28.960 --> 00:17:30.720 again, since they didn't want researchers 00:17:30.720 --> 00:17:32.480 to be able to analyze exactly how it 00:17:32.480 --> 00:17:34.000 worked. 00:17:34.000 --> 00:17:35.919 However, since the attackers used a 00:17:35.919 --> 00:17:37.280 static domain, 00:17:37.280 --> 00:17:38.960 a domain name that did not change for 00:17:38.960 --> 00:17:41.039 each infection, instead of using 00:17:41.039 --> 00:17:43.280 dynamically generated domain names 00:17:43.280 --> 00:17:45.039 like other renditions of this concept 00:17:45.039 --> 00:17:46.480 would usually do, 00:17:46.480 --> 00:17:48.400 the WannaCry infections around the world 00:17:48.400 --> 00:17:50.240 believed that they were being analyzed in a 00:17:50.240 --> 00:17:51.760 sandbox environment 00:17:51.760 --> 00:17:54.160 and essentially killed themselves, since 00:17:54.160 --> 00:17:56.080 every single infection was trying to reach 00:17:56.080 --> 00:17:58.880 one single hard-coded domain, and now 00:17:58.880 --> 00:18:00.720 they could after Hutchins had purchased 00:18:00.720 --> 00:18:03.039 it and put it online. 00:18:03.039 --> 00:18:05.039 If it had been a randomly generated 00:18:05.039 --> 00:18:06.160 domain name, 00:18:06.160 --> 00:18:07.520 then the infection would only have 00:18:07.520 --> 00:18:09.520 removed itself from Hutchins's sandbox 00:18:09.520 --> 00:18:10.880 environment, 00:18:10.880 --> 00:18:12.400 because the domain he registered would 00:18:12.400 --> 00:18:14.000 be unique to him and would not 00:18:14.000 --> 00:18:17.200 affect anyone else. This 00:18:17.200 --> 00:18:20.160 seems to be an amateur mistake.
So 00:18:20.160 --> 00:18:21.840 amateur, in fact, that researchers 00:18:21.840 --> 00:18:23.760 have speculated that maybe the intent of 00:18:23.760 --> 00:18:24.799 the attackers 00:18:24.799 --> 00:18:27.679 was not monetary gain, but rather a more 00:18:27.679 --> 00:18:29.039 political intention 00:18:29.039 --> 00:18:31.600 such as to bring shame to the NSA. 00:18:31.600 --> 00:18:32.480 However, 00:18:32.480 --> 00:18:34.160 to this date, there is nothing that 00:18:34.160 --> 00:18:36.000 confirms or denies the motive 00:18:36.000 --> 00:18:37.620 of the WannaCry attack. 00:18:37.620 --> 00:18:43.692 [Music] 00:18:45.846 --> 00:18:50.720 [Music] 00:18:50.720 --> 00:18:53.360 The rapid infection had seemed to stop, 00:18:53.360 --> 00:18:55.360 but for Hutchins, or MalwareTech, and his 00:18:55.360 --> 00:18:58.640 team, the nightmare had only just begun. 00:18:58.640 --> 00:19:00.240 Less than an hour from when he had 00:19:00.240 --> 00:19:03.120 activated the domain, it was under attack. 00:19:03.120 --> 00:19:04.880 The motive of the attackers was to use 00:19:04.880 --> 00:19:07.280 the Mirai botnet to launch a distributed 00:19:07.280 --> 00:19:08.960 denial of service attack, 00:19:08.960 --> 00:19:11.440 also known as DDoS, to shut down the 00:19:11.440 --> 00:19:13.360 domain so that it would be unreachable 00:19:13.360 --> 00:19:16.160 once again and all the halted infections 00:19:16.160 --> 00:19:18.000 would resume. 00:19:18.000 --> 00:19:20.000 A DDoS attack is usually performed to 00:19:20.000 --> 00:19:21.280 flood a domain with 00:19:21.280 --> 00:19:23.120 junk traffic until it can't handle 00:19:23.120 --> 00:19:25.840 anymore and is driven offline.
00:19:25.840 --> 00:19:27.679 The Mirai botnet that the attackers were 00:19:27.679 --> 00:19:29.679 employing was previously used in one of 00:19:29.679 --> 00:19:31.760 the largest ever DDoS attacks 00:19:31.760 --> 00:19:33.600 and was comprised of hundreds of 00:19:33.600 --> 00:19:35.760 thousands of devices. 00:19:35.760 --> 00:19:37.520 The haunting realization that they were 00:19:37.520 --> 00:19:39.360 the wall between a flood of infections 00:19:39.360 --> 00:19:41.120 that was currently being blocked 00:19:41.120 --> 00:19:43.039 slowly dawned on Hutchins and the other 00:19:43.039 --> 00:19:46.080 researchers working on the case. 00:19:46.080 --> 00:19:47.760 They eventually dealt with the issue by 00:19:47.760 --> 00:19:50.000 taking the site to a cached version 00:19:50.000 --> 00:19:51.760 which was capable of handling a much 00:19:51.760 --> 00:19:55.200 higher traffic load than a live site. 00:19:55.200 --> 00:19:57.280 Two days after the domain went live, the 00:19:57.280 --> 00:19:59.200 data showed that two million infections 00:19:59.200 --> 00:20:00.480 had been halted, 00:20:00.480 --> 00:20:02.159 showing us what the extent of the damage 00:20:02.159 --> 00:20:03.760 could have been if it was not for the 00:20:03.760 --> 00:20:06.310 discovery of the kill switch. 00:20:19.785 --> 00:20:25.360 [Music] 00:20:25.360 --> 00:20:28.320 Marcus Hutchins's story does not stop here. 
00:20:28.320 --> 00:20:30.070 He would go on to be named as a 00:20:30.070 --> 00:20:31.760 cybercrime hero, 00:20:31.760 --> 00:20:34.159 a title which he didn't enjoy as it 00:20:34.159 --> 00:20:36.880 would bring him unwanted attention, 00:20:36.880 --> 00:20:38.320 people trying to piece together his 00:20:38.320 --> 00:20:40.480 address, media camping outside of his 00:20:40.480 --> 00:20:41.360 house, 00:20:41.360 --> 00:20:43.440 and in addition to all of this, he was 00:20:43.440 --> 00:20:45.039 still under the pressure of the domain 00:20:45.039 --> 00:20:46.840 going offline any minute and wreaking 00:20:46.840 --> 00:20:48.400 havoc. 00:20:48.400 --> 00:20:50.400 However, he was able to get through these 00:20:50.400 --> 00:20:52.960 weary days and sleepless nights 00:20:52.960 --> 00:20:57.039 only to be thrown back into chaos. 00:20:57.200 --> 00:20:59.440 Three months after the WannaCry attack, 00:20:59.440 --> 00:21:01.600 in August of 2017, 00:21:01.600 --> 00:21:03.919 Marcus Hutchins, after partying in Vegas 00:21:03.919 --> 00:21:05.280 for a week and a half 00:21:05.280 --> 00:21:08.240 during DEFCON, a hacker convention, was 00:21:08.240 --> 00:21:10.320 arrested in the airport by the FBI on 00:21:10.320 --> 00:21:12.080 his way back home. 00:21:12.080 --> 00:21:13.760 It seemed that Hutchins in his teenage 00:21:13.760 --> 00:21:15.360 years had developed a malware named 00:21:15.360 --> 00:21:16.080 Kronos 00:21:16.080 --> 00:21:18.720 that would steal banking credentials. He 00:21:18.720 --> 00:21:20.240 would go on to sell this malware to 00:21:20.240 --> 00:21:21.919 multiple individuals with the help of 00:21:21.919 --> 00:21:23.440 someone he met online 00:21:23.440 --> 00:21:27.360 named Vinny K. Kronos is still an 00:21:27.360 --> 00:21:30.880 ongoing threat to banks around the world. 
00:21:30.880 --> 00:21:32.559 Hutchins initially battled the charges 00:21:32.559 --> 00:21:34.320 with a not-guilty plea, 00:21:34.320 --> 00:21:36.400 but after a long and exhausting ordeal 00:21:36.400 --> 00:21:38.000 that lasted for years, 00:21:38.000 --> 00:21:40.880 in April 2019, he took a plea deal that 00:21:40.880 --> 00:21:42.080 would essentially dismiss 00:21:42.080 --> 00:21:45.120 all but two counts set against him, 00:21:45.120 --> 00:21:47.679 conspiracy to defraud the United States 00:21:47.679 --> 00:21:49.280 and actively marketing the Kronos 00:21:49.280 --> 00:21:50.799 malware. 00:21:50.799 --> 00:21:52.720 He faced the possibility of a maximum 00:21:52.720 --> 00:21:54.960 prison sentence of ten years, 00:21:54.960 --> 00:21:56.640 but because of his contribution towards 00:21:56.640 --> 00:21:58.880 WannaCry and, as the community had 00:21:58.880 --> 00:22:00.480 constantly pointed out, 00:22:00.480 --> 00:22:02.240 his active involvement in defending the 00:22:02.240 --> 00:22:04.240 world against cyber attacks, 00:22:04.240 --> 00:22:07.520 the judge ruled in his favor. He was then 00:22:07.520 --> 00:22:08.159 released 00:22:08.159 --> 00:22:10.656 with zero jail time and is now a free 00:22:10.656 --> 00:22:11.424 man. 00:22:16.247 --> 00:22:19.512 [Typing] 00:22:22.775 --> 00:22:26.559 [Music] 00:22:26.559 --> 00:22:28.799 As stated before, the WannaCry attack 00:22:28.799 --> 00:22:31.200 impacted over 150 countries 00:22:31.200 --> 00:22:33.919 and approximately 230,000 computers 00:22:33.919 --> 00:22:35.200 globally. 00:22:35.200 --> 00:22:37.520 Russia was the most severely infected 00:22:37.520 --> 00:22:40.400 with over half the affected computers. 00:22:40.400 --> 00:22:43.280 India, Ukraine, and Taiwan also suffered 00:22:43.280 --> 00:22:44.960 significant disruption. 
00:22:48.559 --> 00:22:50.559 The most popular victim to emerge out of 00:22:50.559 --> 00:22:52.159 the attacks was the UK's National 00:22:52.159 --> 00:22:53.280 Health Service 00:22:53.280 --> 00:22:57.200 or the NHS. In the NHS, over 70,000 00:22:57.200 --> 00:22:59.039 devices such as computers, 00:22:59.039 --> 00:23:02.400 MRI scanners, devices used to test blood, 00:23:02.400 --> 00:23:04.720 theater equipment, and over 1200 pieces 00:23:04.720 --> 00:23:09.840 of diagnostic equipment were affected. 00:23:10.159 --> 00:23:12.400 Approximately, the attack cost the NHS 00:23:12.400 --> 00:23:14.480 over 92 million euros, 00:23:14.480 --> 00:23:16.080 and globally, the cost amounted to 00:23:16.080 --> 00:23:17.919 somewhere between four and eight billion 00:23:17.919 --> 00:23:19.840 dollars. 00:23:19.840 --> 00:23:21.200 You'd think that the attackers who 00:23:21.200 --> 00:23:22.720 launched WannaCry would have made a 00:23:22.720 --> 00:23:24.400 decent amount considering how many 00:23:24.400 --> 00:23:25.200 countries 00:23:25.200 --> 00:23:28.480 and devices were affected; however, as of 00:23:28.480 --> 00:23:30.400 June 14, 2017, 00:23:30.400 --> 00:23:32.640 when the attacks had begun to subside, 00:23:32.640 --> 00:23:38.880 they had only made $130,634.77. 00:23:38.880 --> 00:23:41.120 Victims were urged not to pay the ransom 00:23:41.120 --> 00:23:42.720 since not only did it encourage the 00:23:42.720 --> 00:23:43.520 hackers, 00:23:43.520 --> 00:23:45.279 but it also did not guarantee the return 00:23:45.279 --> 00:23:47.520 of their data due to skepticism of 00:23:47.520 --> 00:23:48.880 whether the attackers could actually 00:23:48.880 --> 00:23:50.320 match the paid ransom 00:23:50.320 --> 00:23:52.880 to the correct victim. 
This was clearly 00:23:52.880 --> 00:23:54.400 evident from the fact that a large 00:23:54.400 --> 00:23:55.360 proportion, 00:23:55.360 --> 00:23:57.279 almost all of the affected victims who 00:23:57.279 --> 00:23:58.400 had paid the ransom, 00:23:58.400 --> 00:24:01.355 had still not had their data returned. 00:24:01.355 --> 00:24:07.870 [Music] 00:24:08.824 --> 00:24:13.679 [Music] 00:24:13.679 --> 00:24:15.360 Although initially the prime victims of 00:24:15.360 --> 00:24:17.360 WannaCry were said to be Windows XP 00:24:17.360 --> 00:24:20.080 clients, over 98% of the victims were 00:24:20.080 --> 00:24:21.919 actually running unpatched versions of 00:24:21.919 --> 00:24:23.120 Windows 7, 00:24:23.120 --> 00:24:25.760 and less than 0.1% of the victims 00:24:25.760 --> 00:24:28.240 were using Windows XP. 00:24:28.240 --> 00:24:29.919 In the case of Russia, they believed 00:24:29.919 --> 00:24:31.760 updates did more to break their devices 00:24:31.760 --> 00:24:34.240 than fix them, 00:24:34.240 --> 00:24:35.919 partly due to the fact that a majority 00:24:35.919 --> 00:24:37.679 of people use cracked or pirated 00:24:37.679 --> 00:24:38.960 versions of Windows, 00:24:38.960 --> 00:24:40.400 which means they wouldn't have received 00:24:40.400 --> 00:24:41.760 the updates which were released by 00:24:41.760 --> 00:24:45.120 Microsoft months prior to the attack. 00:24:45.120 --> 00:24:46.559 Microsoft eventually released the 00:24:46.559 --> 00:24:48.320 updates for systems that were at end of 00:24:48.320 --> 00:24:49.200 support, 00:24:49.200 --> 00:24:51.120 including Windows XP and other older 00:24:51.120 --> 00:24:53.679 versions of Windows. 
00:24:53.679 --> 00:24:55.520 To this day, if the domain that Marcus 00:24:55.520 --> 00:24:57.440 Hutchins acquired were to go down, 00:24:57.440 --> 00:24:59.279 the millions of infections that it holds 00:24:59.279 --> 00:25:01.120 at bay would be released, 00:25:01.120 --> 00:25:02.960 but possibly ineffective if the 00:25:02.960 --> 00:25:04.640 computers had already applied the patch 00:25:04.640 --> 00:25:07.600 that Microsoft released. 00:25:07.600 --> 00:25:09.840 EternalBlue is still in the wild, and 00:25:09.840 --> 00:25:11.440 variants of WannaCry have since then 00:25:11.440 --> 00:25:13.279 surfaced, like Uiwix, 00:25:13.279 --> 00:25:15.200 which did not come with a kill switch 00:25:15.200 --> 00:25:16.880 and addressed the bitcoin payment issue 00:25:16.880 --> 00:25:18.480 by assigning a new address for each 00:25:18.480 --> 00:25:20.320 victim to collect payment, 00:25:20.320 --> 00:25:21.919 therefore making it easy to track the 00:25:21.919 --> 00:25:23.919 payment back to the victim. 00:25:23.919 --> 00:25:25.840 However, since it did not have the 00:25:25.840 --> 00:25:27.760 automatic worm-like functionality that 00:25:27.760 --> 00:25:29.279 WannaCry exhibited, 00:25:29.279 --> 00:25:32.159 it did not pose much of a threat. The 00:25:32.159 --> 00:25:34.880 impact of WannaCry is still seen today. 00:25:34.880 --> 00:25:36.720 Trend Micro's data clearly indicates that 00:25:36.720 --> 00:25:38.559 WannaCry was the most detected malware 00:25:38.559 --> 00:25:40.159 family in 2020 00:25:40.159 --> 00:25:42.240 thanks to its vulnerable nature. And 00:25:42.240 --> 00:25:44.159 F-Secure reports that the most seen type 00:25:44.159 --> 00:25:46.400 of exploit is against the SMB version 1 00:25:46.400 --> 00:25:47.360 vulnerability 00:25:47.360 --> 00:25:49.600 using EternalBlue. 
The fact that 00:25:49.600 --> 00:25:51.039 attackers still continue to try and 00:25:51.039 --> 00:25:52.080 exploit this 00:25:52.080 --> 00:25:54.080 must mean that there are organizations 00:25:54.080 --> 00:25:55.919 out there who have not patched against 00:25:55.919 --> 00:25:57.650 this vulnerability. 00:25:57.650 --> 00:25:59.982 [Music] 00:26:02.631 --> 00:26:06.061 [Typing] 00:26:09.580 --> 00:26:15.520 [Music] 00:26:15.520 --> 00:26:17.840 Four years after the attack, there is 00:26:17.840 --> 00:26:19.600 still no confirmed identity of the 00:26:19.600 --> 00:26:21.760 creators of WannaCry. 00:26:21.760 --> 00:26:23.760 There have been accusations towards the 00:26:23.760 --> 00:26:24.880 Lazarus Group, 00:26:24.880 --> 00:26:27.440 who has strong links to North Korea. 00:26:27.440 --> 00:26:28.159 However, 00:26:28.159 --> 00:26:31.679 this is nothing more than hearsay. So 00:26:31.679 --> 00:26:33.520 who is to blame for the catastrophic 00:26:33.520 --> 00:26:35.520 damage of WannaCry? 00:26:35.520 --> 00:26:37.360 Is it the NSA, who should not have 00:26:37.360 --> 00:26:39.279 stockpiled exploits without alerting the 00:26:39.279 --> 00:26:40.640 necessary entities about the 00:26:40.640 --> 00:26:42.400 vulnerabilities? 00:26:42.400 --> 00:26:43.919 Is it the Shadow Brokers, who took 00:26:43.919 --> 00:26:46.320 advantage of this, stole, and released it 00:26:46.320 --> 00:26:48.000 into the wild? 00:26:48.000 --> 00:26:50.400 Is it the developers of WannaCry? Or is 00:26:50.400 --> 00:26:52.320 it the fault of Microsoft, who did not 00:26:52.320 --> 00:26:53.760 identify this vulnerability 00:26:53.760 --> 00:26:56.640 sooner? 
While all of this might be true 00:26:56.640 --> 00:26:58.080 to some extent, 00:26:58.080 --> 00:26:59.919 at the end of the day, the actions these 00:26:59.919 --> 00:27:01.919 organizations take are largely out of 00:27:01.919 --> 00:27:03.600 the control of the public 00:27:03.600 --> 00:27:05.760 and business owners who are usually the 00:27:05.760 --> 00:27:07.840 victims of the attack. 00:27:07.840 --> 00:27:10.240 Regardless of what we claim, the solution 00:27:10.240 --> 00:27:11.760 is very simple. 00:27:11.760 --> 00:27:13.360 Make sure we follow the guidelines to 00:27:13.360 --> 00:27:15.440 have our data secured. 00:27:15.440 --> 00:27:17.120 The most crucial of it is to have a 00:27:17.120 --> 00:27:18.960 consistent schedule for updating our 00:27:18.960 --> 00:27:20.240 devices, 00:27:20.240 --> 00:27:23.279 and to obviously not use outdated 00:27:23.279 --> 00:27:24.720 operating systems that put 00:27:24.720 --> 00:27:26.960 employee and customer data and their 00:27:26.960 --> 00:27:29.360 privacy at huge risk. 00:27:29.360 --> 00:27:31.039 When it comes to ransomware, the most 00:27:31.039 --> 00:27:32.880 crucial form of defense is frequent 00:27:32.880 --> 00:27:35.200 backup. The more frequent it is, 00:27:35.200 --> 00:27:37.760 the better. Less than 50% of ransomware 00:27:37.760 --> 00:27:39.520 payments actually result in the data 00:27:39.520 --> 00:27:41.120 being returned to the victims, 00:27:41.120 --> 00:27:42.960 and so, needless to say, payment should 00:27:42.960 --> 00:27:44.399 not be an option 00:27:44.399 --> 00:27:46.159 unless your goal is to lose money and your 00:27:46.159 --> 00:27:47.760 data as well. 00:27:47.760 --> 00:27:49.520 The biggest mistake that organizations 00:27:49.520 --> 00:27:51.760 tend to make is refusing to believe that 00:27:51.760 --> 00:27:53.520 they would be a target. 
00:27:53.520 --> 00:27:55.360 According to a study by Cloudwords in 00:27:55.360 --> 00:27:56.640 2021, 00:27:56.640 --> 00:27:58.559 every 11 seconds a company is hit by 00:27:58.559 --> 00:28:00.640 ransomware, and a large proportion of 00:28:00.640 --> 00:28:02.240 organizations are small 00:28:02.240 --> 00:28:03.919 to medium-sized businesses that never 00:28:03.919 --> 00:28:06.080 see it coming, as they're often found to 00:28:06.080 --> 00:28:07.600 have less than effective security 00:28:07.600 --> 00:28:08.960 strategies in place, 00:28:08.960 --> 00:28:10.480 making them ideal targets for such 00:28:10.480 --> 00:28:12.080 attacks. 00:28:12.080 --> 00:28:13.440 Digital transformation during the 00:28:13.440 --> 00:28:15.360 Coronavirus pandemic has started to move 00:28:15.360 --> 00:28:16.960 businesses to the cloud, 00:28:16.960 --> 00:28:18.799 and so cyber criminals have now shifted 00:28:18.799 --> 00:28:20.720 their focus to the cloud as well, 00:28:20.720 --> 00:28:22.320 giving them an entirely new attack 00:28:22.320 --> 00:28:24.000 surface to work with. 00:28:24.000 --> 00:28:26.480 The cost of ransomware is said to top 20 00:28:26.480 --> 00:28:29.039 billion dollars by the end of 2021, 00:28:29.039 --> 00:28:32.159 and that is ransomware alone. By 2025, 00:28:32.159 --> 00:28:33.919 Cybersecurity Ventures estimates that 00:28:33.919 --> 00:28:35.840 cybercrime will cost businesses 00:28:35.840 --> 00:28:39.279 10.5 trillion dollars annually, 00:28:39.279 --> 00:28:41.279 which would amount to just 2 trillion 00:28:41.279 --> 00:28:43.039 short of China's economy, 00:28:43.039 --> 00:28:46.000 the second biggest economy in the world. 
00:28:46.000 --> 00:28:48.320 We are headed towards bigger and more 00:28:48.320 --> 00:28:50.640 destructive attacks than WannaCry, 00:28:50.640 --> 00:28:53.440 and our most reliable defense is our 00:28:53.440 --> 00:28:54.240 awareness 00:28:54.240 --> 00:28:55.960 and our action to better protect 00:28:55.960 --> 00:28:59.480 ourselves. Thank you for watching. 00:28:59.480 --> 00:29:03.850 [Music] 00:29:05.810 --> 00:29:30.810 [Music] 00:29:30.810 --> 00:29:46.770 [Music] 00:29:46.770 --> 00:29:51.279 [Music]