[Music]
A small note before we start,
as much as this video is meant to be a
storytelling experience,
I have also intended it to be
educational,
and so, I have coupled the story along
with how some of these attacks and
technologies work.
This is my first documentary style video,
and so I appreciate any and all feedback
in the comments below.
I really hope you enjoy, and hopefully,
learn a few new things.
Right now, a crippling cyberattack has
businesses around the world
on high alert. The ransomware known as
WannaCry-
We want to move on to the other developing
story this morning, the global cyberattack-
The National Security Agency
developed this software and it's now
being used by criminals
around the world to demand ransom.
Security experts say this is one
of the worst and most
widespread pieces of malware they've
ever seen-
[Music]
[Typing]
In May of 2017, a worldwide cyberattack
by the name of WannaCry,
short for WannaCryptor, impacted over 150
countries,
and hit around 230,000 computers
globally.
Needless to say, it became known as one
of the biggest ransomware attacks in
history.
Let's start at the very beginning. On the
morning of the 12th of May, 2017,
according to Akamai, the content delivery
network,
this was the timeline. Reportedly the
first case identified originated from a
Southeast Asian ISP which was detected
at 7:44 am UTC.
Over the next hour, there were cases
seen from Latin America,
then continental Europe and the UK, then
Brazilian and Argentinian ISPs, until at 12:39 pm
UTC, 74%
of all ISPs in Asia were affected. And by
3:28 pm UTC,
the ransomware had taken hold of 65%
of Latin American ISPs.
WannaCry was spreading, and at an
incredible rate.
Prior to this, such a quick and
widespread ransomware was unheard of.
A lot of organizations, unable to recover
their losses,
were forced to permanently shut down.
Some had to put a pause on their
networks and services, and reported huge
losses,
some in millions of dollars. The attack
did not discriminate. Small to
medium-sized businesses,
large enterprises, the private sector, the
public sector,
railways, healthcare, banks, malls,
ministries,
police, energy companies, ISPs, and there
just seemed to be
no end to the victims. Within a few hours,
it had spread to over 11 countries,
and by the end of the first day of the
attack, the ransomware had been
encountered in 74 countries
within thousands and thousands of
organizations.
And so it begged the question, how much
damage will this really cause over the
next few days
or weeks or months if no solution
presents itself?
Your service has been temporarily disconnected.
[Typing]
[Music]
Ransomware works in a very simple manner.
It is a type of malware most commonly
spread through phishing attacks,
which are essentially emails used to
trick a user into clicking a link that
leads them to a website
where they enter sensitive data, or to
download attachments which if executed
will infect the computer.
Although initially suspected, WannaCry
did not originate from a phishing attack,
but we'll get to that later.
Once a computer is infected,
the ransomware runs an encryption
process, and usually in less than a
minute,
some or all of the files on the user's
computer, depending on what the
ransomware is meant to affect,
are converted from plain text to
ciphertext.
Plain text is readable or comprehensible
data,
and ciphertext is unintelligible
gibberish.
In order to turn this back into plain
text, the user will need what is known as
a decryption key,
which the attacker promises to provide
if the user were to pay the ransom.
What makes ransomware so dreadful is
that once your files have been encrypted,
you can't exactly decrypt them and
retrieve your data.
Well, you can, but with the technology
we have today, breaking the common
encryption algorithms used in ransomware
attacks,
such as RSA, would take millions
to billions to trillions of years.
[Music]
[Typing]
This is what you'd see if you were to
become infected with the WannaCry
ransomware.
In addition to this intimidating
wallpaper, your documents,
spreadsheets, images, videos,
music, and most everyday productivity and
multimedia files become encrypted,
essentially being held hostage till the
ransom payment has been made.
The Wanna Decryptor 2.0 comes with a set
of instructions
in 28 different languages for
victims to follow in order to recover
their files.
The attackers demanded $300 worth of
bitcoin,
and after three days it would be raised to
$600.
If the payment were to be made seven
days after the infection, the files would
be recoverable.
However, despite this, they also go on to
state that they will return the files
for free to "Users who are so poor
that they couldn't pay"
after six months. The method of
payment,
bitcoin.
[Music]
The reason the attackers chose bitcoin
was because it is what we know
as a private cryptocurrency. This allows
the holder of the currency to remain
anonymous.
Though the money could be traced to a
cryptocurrency wallet, which is where the
currency itself is stored,
it would be extremely difficult to
find the owner of the wallet without
extensive forensic analysis.
This is the reason that bitcoin is used
widely in the dark web
to purchase guns, drugs, and other illegal
goods and services that for obvious
reasons,
you would not be able to find on the
surface web.
[Typing]
The problem with WannaCry and what made it
exponentially more dangerous than your
average ransomware
was its propagating capabilities.
But to understand this fully, we need to
go back in time a little bit
to 2016. In August of 2016, the equation
group, suspected to have ties with the
National Security Agency's tailored
operations unit,
and described by Kaspersky as one of the
most sophisticated cyberattack groups
in the world,
was said to be hacked by a group called
the shadow brokers.
In this hack, disks full of the NSA's
secrets were stolen.
This was bad because the NSA houses what
we know as Nation State Attacks
which are exploits or hacking tools that
are used to carry out a hack for their
home country
against another country. The NSA would
essentially recruit a skilled hacker and
give them a license to hack
which means if they did carry it out, it
wouldn't be illegal
at least in that country, and the hacker
would not be charged.
The danger here is that nation state
tools are in themselves usually pretty
effective,
especially considering they are meant to be
used as weapons against entire states
and countries.
[Music]
The NSA is said to have discovered a
multitude of other vulnerabilities in
the Windows OS
as early as 2013, but is speculated to
have developed exploits secretly and
stockpiled them,
rather than reporting them to Microsoft or
the InfoSec community,
so that it could weaponize them and
utilize them in its nation state and
other attacks.
The shadow brokers would go on to
auction off some of these tools that
were developed,
but due to skepticism online on whether
the hackers really did have files as
dangerous as they had claimed,
this would essentially go on to become a
catastrophic failure.
We can talk quite a bit about the shadow
brokers. The story is itself worth
examining individually, maybe even in
a separate video,
but let's narrow our focus down to the
leak that made WannaCry possible
which at that point was the fifth leak
by the group and was said to be the most
damaging one yet.
On April 14, 2017, the shadow brokers
would post a tweet that linked to their
Steem blockchain
post titled "Lost in Translation".
This leak contained files from the
initial failed auction which they now
decided to release to the public
for free. The description accompanying
the leaked files doesn't really contain
much worth noting.
As always, the shadow brokers used
broken, but still somewhat comprehensible,
English.
However, this is widely speculated not to
reflect their proficiency in the
language,
but rather to be an attempt to mislead
analysts and prevent them from learning
anything about their identity
from the way they write.
The link, which has now been taken down,
takes you to an archive filled with a
number of Windows exploits developed by
the NSA.
It did contain many other valuable tools
worth examining,
but the ones relevant to our story and
what made a regular ransomware so
destructive
were the payload, Doublepulsar and the
now infamous exploit used in the
WannaCry attack,
Eternalblue.
[Music]
[Typing]
Server Message Block version 1 or SMBv1
is a network communication protocol
which was developed in 1983.
The function of this protocol would be
to allow one Windows computer to
communicate with another
and share files and printers on a local
network.
However, SMB version 1 had a critical
vulnerability
which allowed for what is known as a
Remote Arbitrary Code Execution
in which an attacker would be able to
execute whatever code that they'd like
on their target or victim's computer
over the Internet
usually with malicious intent. The
function of Eternalblue was to take
advantage of this vulnerability.
Essentially, and I'm going to try and strip
it down to simplify it as much as
possible,
when the shadow brokers first leaked the
NSA tools,
hackers took this opportunity to install
Doublepulsar,
which is a tool that opens what we
commonly know in security
as a backdoor. Backdoors allow attackers
to create an entry point into a system
or a network of systems and gain easy
access later on.
The initial infection of WannaCry is not
known,
but it is speculated that the attackers
took advantage of the backdoor to
deliver the payload.
The payload in this case is the
ransomware WannaCry.
When a computer is infected with
WannaCry, oddly,
it then tries to connect to a specific
unregistered domain,
which is basically a random string of
numbers and letters.
If it cannot establish a connection to
this domain, then the real damage begins.
It scans for port 445 on the network
which is the port that is used to host
SMB version 1,
and if the port is deemed to be open, it
would then proceed to spread to that
computer.
This is how it propagated so quickly.
Regardless of whether the other users on
the network had downloaded or clicked on
anything malicious,
they would be infected, and in
seconds all their data would be
encrypted.
So the damage came in two parts, the
ransomware that encrypts the data
and the worm-like component that is used
to spread the ransomware to any
connected,
vulnerable devices in the network as a
result of Eternalblue and Doublepulsar.
The attack only affected Windows systems,
mainly targeting Windows XP,
Vista, Windows 7, Windows 8, and Windows
10.
However, a month prior to the leak by the
shadow brokers on March 14, 2017,
Microsoft was made aware of this
vulnerability after it was publicly
reported
almost five years after its discovery.
Microsoft then released a critical patch
to fix this vulnerability,
MS17-010.
However, despite the release of the patch,
a significant number of organizations
never updated their systems,
and unfortunately there were still major
organizations running Windows XP
or Server 2003. These devices were at end
of support
which means that even if updates were
out, they would not receive them
and be completely vulnerable to the
exploit.
If you want to know more about the
vulnerability that Eternalblue
exploited,
it is now logged in the National
Vulnerability Database
as CVE-2017-0144.
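To make the two-part damage described in this chapter concrete, here is an added example that is not part of the video: a small Python model of the worm component spreading across a constructed network. Every host, link and name in it is hypothetical. Each host records whether SMBv1 is reachable on port 445 and whether MS17-010 has been applied; an infected host "scans" its neighbours and only reaches the ones that still expose SMBv1 unpatched, and if the kill-switch domain answers, the sample stops before scanning at all. Running it shows why a single patched or segmented host cuts the chain.

```python
from collections import deque

# Constructed host inventory (hypothetical; not any real network).
# smb1:    SMBv1 is enabled and TCP/445 is reachable by neighbours
# patched: the MS17-010 fix has been applied
HOSTS = {
    "ws-01":    {"smb1": True,  "patched": False},
    "ws-02":    {"smb1": True,  "patched": False},
    "ws-03":    {"smb1": True,  "patched": True},
    "ws-04":    {"smb1": False, "patched": False},
    "srv-file": {"smb1": True,  "patched": False},
    "srv-db":   {"smb1": True,  "patched": False},
}

# Pairs of hosts that can reach each other on port 445 (constructed, undirected).
LINKS = [
    ("ws-01", "ws-02"), ("ws-01", "ws-03"), ("ws-02", "srv-file"),
    ("ws-03", "srv-db"), ("ws-04", "srv-db"), ("srv-file", "srv-db"),
]


def neighbours(links):
    """Build an adjacency map from the undirected link list."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def exploitable(host):
    """Eternalblue only works against a host that still exposes SMBv1 and lacks MS17-010."""
    return host["smb1"] and not host["patched"]


def simulate(hosts, links, patient_zero, killswitch_reachable=False):
    """Return the set of hosts the worm component reaches.

    patient_zero is infected by whatever the initial vector was (unknown, per the
    video), so it is counted regardless of its own patch state. If the kill-switch
    domain answers, the sample stops before scanning, so nothing else is touched.
    """
    infected = {patient_zero}
    if killswitch_reachable:
        return infected
    adj = neighbours(links)
    queue = deque([patient_zero])
    while queue:
        current = queue.popleft()
        # An infected host scans every host it can reach on 445 and exploits the vulnerable ones.
        for nxt in sorted(adj.get(current, ())):
            if nxt not in infected and exploitable(hosts[nxt]):
                infected.add(nxt)
                queue.append(nxt)
    return infected


def harden(hosts, patch=(), disable_smb1=()):
    """Return a copy of the inventory with the named hosts patched and/or SMBv1 disabled."""
    out = {name: dict(attrs) for name, attrs in hosts.items()}
    for name in patch:
        out[name]["patched"] = True
    for name in disable_smb1:
        out[name]["smb1"] = False
    return out


if __name__ == "__main__":
    print("unpatched network:", sorted(simulate(HOSTS, LINKS, "ws-01")))
    print("srv-file patched: ", sorted(simulate(harden(HOSTS, patch=["srv-file"]), LINKS, "ws-01")))
    print("ws-02 no SMBv1:   ", sorted(simulate(harden(HOSTS, disable_smb1=["ws-02"]), LINKS, "ws-01")))
    print("kill switch up:   ", sorted(simulate(HOSTS, LINKS, "ws-01", killswitch_reachable=True)))
```

In the constructed network, ws-03 is patched and ws-04 has SMBv1 off, so neither is reached even though both sit next to infected machines; patching srv-file alone stops the worm at ws-02, because the only path onward ran through it. That is the same effect the video attributes to MS17-010 and to end-of-support systems that never got it.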
[Music]
[Typing]
Marcus Hutchins, also known online by his
alias MalwareTech,
was a 23 year old British security
researcher at Kryptos Logic
in LA. After returning from lunch with a
friend on the afternoon of the attack,
he found himself scouring message
boards where he came across
news of a ransomware rapidly taking down
systems in the National Health Service
or NHS all over the UK.
Hutchins, who found it odd that the
ransomware was consistently affecting so
many devices,
concluded that the attack was probably a
computer worm and not just
a simple ransomware. He quickly requested
one of his friends to pass him a sample
of the malware
so that he could examine it and reverse
engineer it to analyze exactly how it
worked.
Once he had gotten his hands on the
malware sample,
he ran it in a virtual
environment with fake files
and found out that it was trying to
connect to an unregistered domain,
which we discussed earlier in Chapter 4.
Hutchins would go on to register this
domain for only $10.69,
which unbeknownst to him,
would actually halt the WannaCry
infection.
He would later admit in a tweet that
same day that the domain registration
leading to a pause in the rapid
infection
was indeed an accident, earning Marcus
Hutchins
the title of the accidental hero.
[Music]
To Hutchins, taking control of
unregistered domains was just a part of
his workflow
when it came to stopping botnets and
tracking malware.
This was so that he could get further
insight into how the malware or botnets
were spreading.
For those of you unaware of what a
botnet is, it is essentially a group of
computers that have been hijacked by
malicious actors
or hackers in order to be used in their
attacks to drive
excess network traffic or steal data.
One computer that has been hijacked is
called a bot, and a network of them
is called a botnet. However,
as we discussed earlier, the attack
only executes if it's unable to reach
the domain that it checks for.
Think of it as a simple if then
statement.
If the infection cannot connect to x
domain, then proceed with the infection.
If it can reach x domain, stop the attack.
And so the malware being able to connect
to the domain was known as the kill
switch,
the big red button that stops the attack
from spreading any further.
But why would the attackers implement a
kill switch at all?
The first theory is that the creators of
WannaCry wanted a way to stop the attack
if it ever got out of hand or had any
unintentional effects.
The second and the most likely theory
proposed by Hutchins and other security
researchers
was that the kill switch was present in
order to prevent researchers from
looking into the behavior of WannaCry
if it was being executed within what is
known in security
as a sandbox. A sandbox is usually a
virtual computer that is used to run
malware.
It is a contained environment with
measures that have been taken to not
infect any important files or spread to
other networks,
much like what I used in Chapter 2 to
demonstrate the WannaCry ransomware.
Researchers use these sandboxes to run
malware and then use tools to determine
the behavior of the attack.
This is what Hutchins did with fake
files as well.
So the intent behind this kill switch
was to destroy the ransomware if it
existed within a sandbox environment,
again, since they didn't want researchers
to be able to analyze exactly how it
worked.
However, since the attackers used a
static domain,
a domain name that did not change for
each infection, instead of using
dynamically generated domain names
like other renditions of this concept
would usually do,
every WannaCry infection around the world
believed that it was being analyzed in a
sandbox environment
and essentially killed itself, since
every single infection was trying to reach
one single hard-coded domain, and now
they all could, after Hutchins had purchased
it and put it online.
If it had been a randomly generated
domain name,
then the infection would only have
removed itself from Hutchins's sandbox
environment
because the domain he registered would
be unique to him and would not
affect anyone else. This
seems to be an amateur mistake. So
amateur in fact, that the researchers
have speculated that maybe the intent of
the attackers
was not monetary gain, but rather a more
political intention
such as to bring shame to the NSA.
However,
to this date, there is nothing that
confirms nor denies the motive
of the WannaCry attack.
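The hard-coded domain cuts both ways for a defender: every infected machine asks for it, so DNS logs are a cheap indicator of which hosts are infected, and the if-then from this chapter tells you which of them got an answer. What follows is an added example, not code from the video: a Python detector run over constructed resolver log lines. The domain is a labelled placeholder (the real one is not reproduced here), the log format is invented, and the classification assumes a successful resolution (NOERROR) meant the malware could connect and halted.

```python
import re
from collections import defaultdict

# Placeholder standing in for the hard-coded kill-switch domain; not the real one.
KILLSWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed resolver log lines (hypothetical format and addresses, not real data).
SAMPLE_LOG = """\
2017-05-12T07:44:10Z client=10.0.0.5 query=killswitch-placeholder.example rcode=NXDOMAIN
2017-05-12T07:44:11Z client=10.0.0.5 query=update.example.net rcode=NOERROR
2017-05-12T07:46:02Z client=10.0.0.9 query=killswitch-placeholder.example rcode=NXDOMAIN
2017-05-12T15:30:44Z client=10.0.0.23 query=killswitch-placeholder.example rcode=NOERROR
2017-05-12T15:31:00Z client=10.0.0.42 query=mail.example.org rcode=NOERROR
"""

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)\s+rcode=(?P<rcode>\S+)")


def parse_line(line):
    """Pull (client, query, rcode) out of one log line; None if it is not a query record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("client"), m.group("query").rstrip(".").lower(), m.group("rcode")


def killswitch_lookups(log_text, domain=KILLSWITCH_DOMAIN):
    """Map each client that asked for the kill-switch domain to the rcodes it received."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, query, rcode = parsed
        if query == domain.lower():
            hits[client].append(rcode)
    return dict(hits)


def triage(hits):
    """Classify each querying host.

    Asking for the domain at all is the infection indicator. The if-then from the
    video: an answer (NOERROR) means the sample stopped; no answer means it went on
    to encrypt and scan for port 445. Assumption: resolution success == connection success.
    """
    out = {}
    for client, rcodes in hits.items():
        if all(r == "NOERROR" for r in rcodes):
            out[client] = "infected-halted"
        else:
            out[client] = "infected-propagating"
    return out


if __name__ == "__main__":
    for host, verdict in sorted(triage(killswitch_lookups(SAMPLE_LOG)).items()):
        print(host, verdict)
```

Two of the constructed hosts looked the domain up before it was registered and got NXDOMAIN, so they are the ones to isolate first; the third got an answer and is halted but still infected. The caveat the video itself makes later applies here: the kill switch only works while the domain resolves, so the correct response to these hits is to isolate and patch the hosts, not to block the domain on the resolver, which would turn every halted infection back on.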
[Music]
The rapid infection had seemed to stop,
but for Hutchins or MalwareTech and his
team, the nightmare had only just begun.
Less than an hour from when he had
activated the domain, it was under attack.
The motive of the attackers was to use
the Mirai botnet to mount a distributed
denial of service attack,
also known as DDoS, to shut down the
domain so that it would be unreachable
once again and all the halted infections
would resume.
A DDoS attack is usually performed to
flood a domain with
junk traffic 'till it can't handle
anymore and is driven offline.
The Mirai botnet that the attackers were
employing was previously used in one of
the largest ever DDoS attacks
and was comprised of hundreds of
thousands of devices.
The haunting realization that they were
the wall between a flood of infections
that was currently being blocked
slowly dawned on Hutchins and the other
researchers working on the case.
They eventually dealt with the issue by
taking the site to a cached version
which was capable of handling a much
higher traffic load than a live site.
Two days after the domain went live, the
data showed that two million infections
had been halted
showing us what the extent of the damage
could have been if it was not for the
discovery of the kill switch.
[Music]
Marcus Hutchins's story does not stop here.
He would go on to be named as a
cybercrime hero,
a title which he didn't enjoy as it
would bring to him unwanted attention,
people trying to piece together his
address, media camping outside of his
house,
and in addition to all of this, he was
still under the pressure of the domain
going offline any minute and wreaking
havoc.
However, he was able to get through these
weary days and sleepless nights
only to be thrown back into chaos.
Three months after the WannaCry attack,
in August of 2017,
Marcus Hutchins, after partying in Vegas
for a week and a half
during DEFCON, a hacker convention, was
arrested in the airport by the FBI on
his way back home.
It seemed that Hutchins in his teenage
years had developed a malware named
Kronos
that would steal banking credentials. He
would go on to sell this malware to
multiple individuals with the help of
someone he met online
named Vinny K. Kronos is still an
ongoing threat to banks around the world.
Hutchins initially battled the charges
with a not-guilty plea,
but after a long and exhausting ordeal
that lasted for years,
in April 2019, he took a plea deal that
would essentially dismiss
all but two counts set against him,
conspiracy to defraud the United States
and actively marketing the Kronos
malware.
He faced the possibility of a maximum
prison sentence of ten years,
but because of his contribution towards
WannaCry and as the community had
constantly pointed out
his active involvement in defending the
world against cyber attacks,
the judge ruled in his favor. He was then
released
with zero jail time and is now a free
man.
[Typing]
[Music]
As stated before, the WannaCry attack
impacted over 150 countries
and approximately 230,000 computers
globally.
Russia was the most severely infected
with over half the affected computers.
India, Ukraine, and Taiwan also suffered
significant disruption.
The most prominent victim to emerge out of
the attacks was the UK's National
Health Service
or the NHS. In the NHS, over 70,000
devices such as computers,
MRI scanners, devices used to test blood,
theater equipment, and over 1200 pieces
of diagnostic equipment were affected.
Approximately, the attack cost the NHS
over 92 million euros,
and globally, the cost amounted to
somewhere between four and eight billion
dollars.
You'd think that the attackers who
launched WannaCry would have made a
decent amount considering how many
countries
and devices were affected, however, as of
June 14, 2017,
when the attacks had begun to subside,
they had only made $130,634.77.
Victims were urged not to pay the ransom,
since not only did it encourage the
hackers,
but it also did not guarantee the return
of their data, due to skepticism over
whether the attackers could actually
match a paid ransom
to the correct victim. This was clearly
evident from the fact that a large
proportion,
almost all, of the affected victims who
had paid the ransom
had still not been returned their data.
[Music]
Although initially the prime victims of
WannaCry were said to be Windows XP
clients, over 98% of the victims were
actually running unpatched versions of
Windows 7,
and less than 0.1% of the victims
were using Windows XP.
In the case of Russia, they believed
updates did more to break their devices
rather than fix them,
partly due to the fact that a majority
of people use cracked or pirated
versions of Windows
which means they wouldn't have received
the updates which were released by
Microsoft months prior to the attack.
Microsoft eventually released the
updates for systems that were at end of
support
including Windows XP and other older
versions of Windows.
To this day, if the domain that Marcus
Hutchins acquired were to go down,
the millions of infections that it has
at bay would be released,
but possibly ineffective if the
computers had already applied the patch
that Microsoft released.
Eternalblue is still in the wild, and
variants of WannaCry have since
surfaced, like Uiwix,
which did not come with a kill switch
and addressed the bitcoin payment issue
by assigning a new address to each
victim to collect payment,
therefore making it easy to track a
payment back to the victim.
However, since it did not have the
automatic worm-like functionality that
WannaCry exhibited,
it did not pose much of a threat. The
impact of WannaCry is still seen today.
Trend Micro's data clearly indicates that
WannaCry was the most detected malware
family in 2020
thanks to its vulnerable nature. And
F-Secure reports that the most seen type
of exploit is against the SMB version 1
vulnerability
using Eternalblue. The fact that
attackers still continue to try and
exploit this
must mean that there are organizations
out there who have not patched against
this vulnerability.
[Music]
[Typing]
[Music]
Four years after the attack, there is
still no confirmed identity of the
creators of WannaCry.
There have been accusations towards the
Lazarus Group,
which has strong links to North Korea.
However,
this is nothing more than hearsay. So
who is to blame for the catastrophic
damage of WannaCry?
Is it the NSA, who should not have
stockpiled exploits without alerting the
necessary entities about the
vulnerabilities?
Is it the shadow brokers who took
advantage of this, stole, and released it
into the wild?
Is it the developers of WannaCry? Or is
it the fault of Microsoft who did not
identify this vulnerability
sooner? While all of this might be true
to some extent,
at the end of the day, the actions these
organizations take are largely out of
the control of the public
and business owners who are usually the
victims of the attack.
Regardless of what we claim, the solution
is very simple.
Make sure we follow the guidelines to
have our data secured.
The most crucial of it is to have a
consistent schedule for updating our
devices,
and to obviously not use outdated
operating systems that put
employee and customer data and their
privacy at huge risks.
When it comes to ransomware, the most
crucial form of defense is frequent
backup. The more frequent it is,
the better. Less than 50% of ransomware
payments actually result in the data
being returned to the victims,
and so needless to say, payment should
not be an option
unless your goal is to lose money and your
data as well.
The biggest mistake that organizations
tend to make is refusing to believe that
they would be a target.
According to a study by Cloudwords in
2021,
every 11 seconds a company is hit by
ransomware, and a large proportion of
organizations are small
to medium-sized businesses that never
see it coming as they're often found to
have less than effective security
strategies in place
making them ideal targets for such
attacks.
Digital transformation during the
Coronavirus pandemic has started to move
businesses to the cloud,
and so cyber criminals have now shifted
their focus to the cloud as well
giving them an entirely new attack
surface to work with.
The cost of ransomware is said to top 20
billion dollars by the end of 2021
and that is ransomware alone. By 2025,
Cybersecurity Ventures estimates that
cybercrime will cost businesses
10.5 trillion dollars annually,
which would amount to just 2 trillion
short of China's economy,
the second biggest economy in the world.
We are headed towards bigger and more
destructive attacks than WannaCry,
and our most reliable defense is our
awareness
and our action to better protect
ourselves. Thank you for watching.
[Music]