0:00:00.000,0:00:09.150 [Music] 0:00:10.960,0:00:13.679 A small note before we start, 0:00:13.679,0:00:15.599 as much as this video is meant to be a 0:00:15.599,0:00:17.440 storytelling experience, 0:00:17.440,0:00:18.960 I have also intended it to be 0:00:18.960,0:00:20.640 educational, 0:00:20.640,0:00:22.480 and so, I have coupled the story along 0:00:22.480,0:00:23.840 with how some of these attacks and 0:00:23.840,0:00:26.000 technologies work. 0:00:26.000,0:00:28.400 This is my first documentary style video, 0:00:28.400,0:00:30.800 and so I appreciate any and all feedback 0:00:30.800,0:00:33.120 in the comments below. 0:00:33.120,0:00:35.680 I really hope you enjoy, and hopefully, 0:00:35.680,0:00:38.640 learn a few new things. 0:00:40.800,0:00:43.440 Right now, a crippling cyberattack has 0:00:43.440,0:00:45.039 businesses around the world 0:00:45.039,0:00:47.760 on high alert. The ransomware known as 0:00:47.760,0:00:48.719 WannaCry- 0:00:48.719,0:00:50.399 We want to move on to the other developing 0:00:50.399,0:00:52.333 story this morning, the global cyberattack- 0:00:52.333,0:00:54.239 The National Security Agency 0:00:54.239,0:00:56.559 developed this software and it's now 0:00:56.559,0:00:58.010 being used by criminals 0:00:58.010,0:01:00.051 around the world to demand ransom. 0:01:00.051,0:01:01.760 Security experts say this is one 0:01:01.760,0:01:03.280 of the worst and most 0:01:03.280,0:01:05.439 widespread pieces of malware they've 0:01:05.439,0:01:06.870 ever seen- 0:01:06.870,0:01:13.861 [Music] 0:01:15.607,0:01:19.247 [Typing] 0:01:20.080,0:01:23.040 In May of 2017, a worldwide cyberattack 0:01:23.040,0:01:24.799 by the name of WannaCry 0:01:24.799,0:01:27.840 shot for WannaCryptor, impacted over 150 0:01:27.840,0:01:28.720 countries, 0:01:28.720,0:01:31.360 and hit around 230,000 computers 0:01:31.360,0:01:32.720 globally. 
0:01:32.720,0:01:34.560 Needless to say it became known as one 0:01:34.560,0:01:36.640 of the biggest ransomware attacks in 0:01:36.640,0:01:38.159 history. 0:01:38.159,0:01:40.799 Let's start at the very beginning. On the 0:01:40.799,0:01:43.119 morning of the 12th of May, 2017, 0:01:43.119,0:01:45.360 according to Akamai, the content delivery 0:01:45.360,0:01:46.240 network, 0:01:46.240,0:01:48.720 this was the timeline. Reportedly the 0:01:48.720,0:01:51.200 first case identified originated from a 0:01:51.200,0:01:53.600 Southeast Asian ISP which was detected 0:01:53.600,0:01:56.411 at 7:44 am UTC. 0:01:56.901,0:01:58.399 Over the next hour, there were cases 0:01:58.399,0:02:00.240 seen from Latin America, 0:02:00.240,0:02:02.960 then the Continental Europe and UK, then 0:02:02.960,0:02:06.840 Brazil and Argentinian ISPs until at 12:39 pm 0:02:06.840,0:02:09.280 UTC, 74% 0:02:09.280,0:02:12.720 of all ISPs in Asia were affected. And by 0:02:12.720,0:02:14.800 3:28 pm UTC, 0:02:14.800,0:02:17.670 the ransomware had taken hold of 65% 0:02:17.670,0:02:20.640 of Latin American ISPs. 0:02:20.640,0:02:22.879 WannaCry was spreading and at an 0:02:22.879,0:02:24.640 incredible rate. 0:02:24.640,0:02:26.160 Prior to this, such a quick and 0:02:26.160,0:02:28.640 widespread ransomware was unheard of. 0:02:28.640,0:02:31.040 A lot of organizations, unable to recover 0:02:31.040,0:02:31.840 their losses, 0:02:31.840,0:02:34.640 were forced to permanently shut down. 0:02:34.640,0:02:36.160 Some had to put a pause on their 0:02:36.160,0:02:38.319 networks and services, and reported huge 0:02:38.319,0:02:39.360 losses, 0:02:39.360,0:02:42.480 some in millions of dollars. The attack 0:02:42.480,0:02:44.720 did not discriminate. 
Small to 0:02:44.720,0:02:46.400 medium-sized businesses, 0:02:46.400,0:02:48.800 large enterprises, the private sector, the 0:02:48.800,0:02:50.160 public sector, 0:02:50.160,0:02:52.640 railways, healthcare, banks, malls, 0:02:52.640,0:02:53.360 ministries, 0:02:53.360,0:02:56.560 police, energy companies, ISPs, and there 0:02:56.560,0:02:57.440 just seemed to be 0:02:57.440,0:03:00.720 no end to the victims. Within few hours, 0:03:00.720,0:03:02.720 it had spread to over 11 countries, 0:03:02.720,0:03:04.319 and by the end of the first day of the 0:03:04.319,0:03:06.159 attack, the ransomware had been 0:03:06.159,0:03:08.480 encountered in 74 countries 0:03:08.480,0:03:10.319 within thousands and thousands of 0:03:10.319,0:03:12.159 organizations. 0:03:12.159,0:03:14.879 And so it begged the question, how much 0:03:14.879,0:03:16.640 damage will this really cause over the 0:03:16.640,0:03:17.599 next few days 0:03:17.599,0:03:20.159 or weeks or months if no solution 0:03:20.159,0:03:23.040 presents itself? 0:03:23.440,0:03:26.450 Your service has been temporarily disconnected. 0:03:26.850,0:03:30.290 [Typing] 0:03:31.200,0:03:33.280 [Music] 0:03:33.280,0:03:36.239 Ransomware works in a very simple manner. 0:03:36.239,0:03:38.080 It is a type of malware most commonly 0:03:38.080,0:03:39.920 spread through phishing attacks, 0:03:39.920,0:03:41.840 which are essentially emails used to 0:03:41.840,0:03:44.000 trick a user into clicking a link that 0:03:44.000,0:03:45.599 leads them to a website 0:03:45.599,0:03:47.840 where they enter sensitive data, or to 0:03:47.840,0:03:50.159 download attachments which if executed 0:03:50.159,0:03:52.239 will infect the computer. 0:03:52.239,0:03:54.400 Although initially suspected, WannaCry 0:03:54.400,0:03:56.799 did not originate from a phishing attack, 0:03:56.799,0:03:59.240 but we'll get to that later. 
0:03:59.240,0:04:01.280 Once a computer is infected, 0:04:01.280,0:04:03.040 the ransomware runs an encryption 0:04:03.040,0:04:05.280 process, and usually in less than a 0:04:05.280,0:04:06.239 minute, 0:04:06.239,0:04:08.799 some or all the files depending on what 0:04:08.799,0:04:10.879 the ransomware is meant to affect in the 0:04:10.879,0:04:12.400 user's computer 0:04:12.400,0:04:14.239 is converted from plain text to 0:04:14.239,0:04:15.840 ciphertext. 0:04:15.840,0:04:18.239 Plain text is readable or comprehensible 0:04:18.239,0:04:19.120 data, 0:04:19.120,0:04:21.120 and ciphertext is unintelligible 0:04:21.120,0:04:22.720 gibberish. 0:04:22.720,0:04:24.639 In order to turn this back into plain 0:04:24.639,0:04:27.199 text, the user will need what is known as 0:04:27.199,0:04:28.800 a decryption key, 0:04:28.800,0:04:30.880 which the attacker promises to provide 0:04:30.880,0:04:34.560 if the user were to pay the ransom. 0:04:34.639,0:04:36.880 What makes ransomware so dreadful is 0:04:36.880,0:04:39.360 that once your files have been encrypted, 0:04:39.360,0:04:41.040 you can't exactly decrypt it and 0:04:41.040,0:04:42.960 retrieve your data. 0:04:42.960,0:04:44.720 Well, you can, but with the current 0:04:44.720,0:04:46.639 technology we have, to break common 0:04:46.639,0:04:48.720 encryption algorithms used in ransomware 0:04:48.720,0:04:49.600 attacks 0:04:49.600,0:04:52.800 such as the RSA, it would take millions 0:04:52.800,0:04:56.270 to billions to trillions of years. 0:04:56.270,0:05:00.410 [Music] 0:05:01.465,0:05:03.200 [Typing] 0:05:03.520,0:05:05.440 This is what you'd see if you were to 0:05:05.440,0:05:07.199 become infected with the WannaCry 0:05:07.199,0:05:08.639 ransomware. 
0:05:08.639,0:05:10.160 In addition to this intimidating 0:05:10.160,0:05:12.479 wallpaper, your documents, 0:05:12.479,0:05:16.160 spreadsheets, images, videos, 0:05:16.160,0:05:18.639 music, and most everyday productivity and 0:05:18.639,0:05:21.039 multimedia files become encrypted, 0:05:21.039,0:05:22.800 essentially being held hostage till the 0:05:22.800,0:05:26.240 ransom payment has been made. 0:05:27.120,0:05:29.199 The Wanna Decryptor 2.0 comes with a set 0:05:29.199,0:05:30.240 of instructions 0:05:30.240,0:05:31.919 and in 28 different languages for 0:05:31.919,0:05:33.680 victims to follow in order to recover 0:05:33.680,0:05:35.199 their files. 0:05:35.199,0:05:37.759 The attackers demanded for $300 worth of 0:05:37.759,0:05:38.639 bitcoin, 0:05:38.639,0:05:40.560 and after three days it would be updated to 0:05:40.560,0:05:42.479 $600. 0:05:42.479,0:05:44.080 If the payment were to be made seven 0:05:44.080,0:05:45.919 days after the infection, the files would 0:05:45.919,0:05:47.680 be recoverable. 0:05:47.680,0:05:49.840 However, despite this, they also go on to 0:05:49.840,0:05:51.759 state that they will return the files 0:05:51.759,0:05:54.800 for free to "Users who are so poor 0:05:54.800,0:05:56.510 that they couldn't pay" 0:05:56.510,0:05:58.720 after six months. The method of 0:05:58.720,0:05:59.840 payment, 0:05:59.840,0:06:00.950 bitcoin. 0:06:00.950,0:06:04.160 [Music] 0:06:04.160,0:06:06.400 The reason the attackers chose bitcoin 0:06:06.400,0:06:07.840 was because it is what we know 0:06:07.840,0:06:10.479 as a private cryptocurrency. This allows 0:06:10.479,0:06:12.080 the holder of the currency to remain 0:06:12.080,0:06:13.280 anonymous. 
0:06:13.280,0:06:14.639 Though the money could be traced to a 0:06:14.639,0:06:16.560 cryptocurrency wallet, which is where the 0:06:16.560,0:06:18.160 currency itself is stored, 0:06:18.160,0:06:19.840 it would be exponentially difficult to 0:06:19.840,0:06:21.360 find the owner of the wallet without 0:06:21.360,0:06:24.319 extensive forensic analysis. 0:06:24.319,0:06:26.560 This is the reason that bitcoin is used 0:06:26.560,0:06:27.840 widely in the dark web 0:06:27.840,0:06:30.639 to purchase guns, drugs, and other illegal 0:06:30.639,0:06:32.260 goods and services that for obvious 0:06:32.260,0:06:33.199 reasons, 0:06:33.199,0:06:35.039 you would not be able to find on the 0:06:35.039,0:06:36.359 surface web. 0:06:38.879,0:06:42.517 [Typing] 0:06:48.000,0:06:50.080 The problem with WannaCry and what made it 0:06:50.080,0:06:51.919 exponentially more dangerous than your 0:06:51.919,0:06:53.280 average ransomware 0:06:53.280,0:06:56.319 was its propagating capabilities. 0:06:56.319,0:06:58.240 But to understand this fully, we need to 0:06:58.240,0:06:59.840 go back in time a little bit 0:06:59.840,0:07:04.000 to 2016. In August of 2016, the equation 0:07:04.000,0:07:05.680 group, suspected to have ties with the 0:07:05.680,0:07:07.520 National Security Agency's tailored 0:07:07.520,0:07:08.800 operations unit, 0:07:08.800,0:07:10.880 and described by Kaspersky as one of the 0:07:10.880,0:07:12.880 most sophisticated cyberattack groups 0:07:12.880,0:07:14.080 in the world, 0:07:14.080,0:07:15.759 was said to be hacked by a group called 0:07:15.759,0:07:17.680 the shadow brokers. 0:07:17.680,0:07:19.919 In this hack, disks full of the NSA's 0:07:19.919,0:07:21.630 secrets were stolen. 
0:07:22.800,0:07:25.039 This was bad because the NSA houses what 0:07:25.039,0:07:27.520 we know as Nation State Attacks 0:07:27.520,0:07:29.759 which are exploits or hacking tools that 0:07:29.759,0:07:31.280 are used to carry out a hack for their 0:07:31.280,0:07:32.479 home country 0:07:32.479,0:07:35.199 against another country. The NSA would 0:07:35.199,0:07:37.120 essentially recruit a skilled hacker and 0:07:37.120,0:07:39.280 give them a license to hack 0:07:39.280,0:07:41.199 which means if they did carry it out, it 0:07:41.199,0:07:42.560 wouldn't be illegal 0:07:42.560,0:07:44.800 at least in that country, and the hacker 0:07:44.800,0:07:46.679 would not be charged. 0:07:48.639,0:07:50.639 The danger here is that the Nation State 0:07:50.639,0:07:52.400 Tools in itself are usually pretty 0:07:52.400,0:07:53.440 effective, 0:07:53.440,0:07:55.120 especially considering they are to be 0:07:55.120,0:07:57.280 used as weapons against entire states 0:07:57.280,0:07:58.500 and countries. 0:08:00.459,0:08:03.599 [Music] 0:08:03.599,0:08:05.440 The NSA is said to have discovered a 0:08:05.440,0:08:07.199 multitude of other vulnerabilities in 0:08:07.199,0:08:08.160 the Windows OS 0:08:08.160,0:08:11.280 as early as 2013, but was speculated to 0:08:11.280,0:08:13.280 have developed exploits secretly and 0:08:13.280,0:08:14.560 stockpile them, 0:08:14.560,0:08:16.560 rather than reporting it to Microsoft or 0:08:16.560,0:08:18.240 the InfoSec community, 0:08:18.240,0:08:20.000 so that they could weaponize it and 0:08:20.000,0:08:21.919 utilize them in their nation state and 0:08:21.919,0:08:23.690 other attacks. 
0:08:25.440,0:08:27.199 The shadow brokers would go on to 0:08:27.199,0:08:28.720 auction off some of these tools that 0:08:28.720,0:08:30.000 were developed, 0:08:30.000,0:08:32.080 but due to skepticism online on whether 0:08:32.080,0:08:34.080 the hackers really did have files as 0:08:34.080,0:08:36.159 dangerous as they had claimed, 0:08:36.159,0:08:37.919 this would essentially go on to become a 0:08:37.919,0:08:40.719 catastrophic failure. 0:08:40.719,0:08:42.399 We can talk quite a bit about the shadow 0:08:42.399,0:08:44.800 brokers. The story is itself worth 0:08:44.800,0:08:46.720 examining individually and maybe even on 0:08:46.720,0:08:48.080 a separate video, 0:08:48.080,0:08:49.760 but let's narrow our focus down to the 0:08:49.760,0:08:51.839 leak that made WannaCry possible 0:08:51.839,0:08:54.000 which at that point was the fifth leak 0:08:54.000,0:08:55.760 by the group and was said to be the most 0:08:55.760,0:08:58.640 damaging one yet. 0:08:59.360,0:09:02.080 On April 14, 2017, the shadow brokers 0:09:02.080,0:09:03.600 would post a tweet that linked to their 0:09:03.600,0:09:05.120 Steem blockchain 0:09:05.120,0:09:08.880 on a post titled lost in translation. 0:09:08.880,0:09:10.399 This leak contained files from the 0:09:10.399,0:09:12.160 initial failed auction which they now 0:09:12.160,0:09:14.160 decided to release to the public 0:09:14.160,0:09:18.080 for free. The description accompanying 0:09:18.080,0:09:19.839 the leaked files doesn't really contain 0:09:19.839,0:09:21.279 much worth noting. 0:09:21.279,0:09:23.120 As always the shadow brokers would use 0:09:23.120,0:09:25.040 broken, but still somewhat comprehensible 0:09:25.040,0:09:26.399 English. 
0:09:26.399,0:09:28.480 However, this is widely speculated not to 0:09:28.480,0:09:29.839 speak to their proficiency in the 0:09:29.839,0:09:30.640 language, 0:09:30.640,0:09:32.160 but rather an attempt to mislead 0:09:32.160,0:09:33.920 analysts and prevent them from yielding 0:09:33.920,0:09:36.240 any results regarding their identity 0:09:36.240,0:09:39.519 characterized by how they type. 0:09:39.519,0:09:41.200 The link, which has now been taken down, 0:09:41.200,0:09:42.800 takes you to an archive filled with a 0:09:42.800,0:09:44.640 number of Windows exploits developed by 0:09:44.640,0:09:46.240 the NSA. 0:09:46.240,0:09:48.160 It did contain many other valuable tools 0:09:48.160,0:09:49.440 worth examining, 0:09:49.440,0:09:51.279 but the ones relevant to our story and 0:09:51.279,0:09:53.040 what made a regular ransomware so 0:09:53.040,0:09:54.160 destructive 0:09:54.160,0:09:56.880 were the payload, Doublepulsar and the 0:09:56.880,0:09:58.560 now infamous exploit used in the 0:09:58.560,0:09:59.839 WannaCry attack, 0:09:59.839,0:10:01.329 Eternalblue. 0:10:01.329,0:10:05.664 [Music] 0:10:08.112,0:10:11.441 [Typing] 0:10:15.440,0:10:18.800 Server Message Block version 1 or SMBv1 0:10:18.800,0:10:20.720 is a network communication protocol 0:10:20.720,0:10:23.519 which was developed in 1983. 0:10:23.519,0:10:25.440 The function of this protocol would be 0:10:25.440,0:10:27.200 to allow one Windows computer to 0:10:27.200,0:10:28.720 communicate with another 0:10:28.720,0:10:30.880 and share files and printers on a local 0:10:30.880,0:10:32.399 network. 
0:10:32.399,0:10:34.880 However, SMB version 1 had a critical 0:10:34.880,0:10:36.160 vulnerability 0:10:36.160,0:10:39.040 which allowed for what is known as a 0:10:39.040,0:10:41.760 Remote Arbitrary Code Execution 0:10:41.760,0:10:43.440 in which an attacker would be able to 0:10:43.440,0:10:45.440 execute whatever code that they'd like 0:10:45.440,0:10:47.680 on their target or victim's computer 0:10:47.680,0:10:48.800 over the Internet 0:10:48.800,0:10:51.600 usually with malicious intent. The 0:10:51.600,0:10:53.360 function of Eternalblue was to take 0:10:53.360,0:10:55.839 advantage of this vulnerability. 0:10:55.839,0:10:58.000 Essentially, and I'm going to try and strip 0:10:58.000,0:10:59.519 it down to simplify it as much as 0:10:59.519,0:11:00.800 possible, 0:11:00.800,0:11:02.640 when the shadow brokers first leaked the 0:11:02.640,0:11:03.920 NSA tools, 0:11:03.920,0:11:05.920 hackers took this opportunity to install 0:11:05.920,0:11:07.519 Doublepulsar 0:11:07.519,0:11:09.200 which is a tool which opens what we 0:11:09.200,0:11:10.880 commonly know in security 0:11:10.880,0:11:14.000 as a backdoor. Backdoors allows hackers 0:11:14.000,0:11:16.560 to create an entry point into the system 0:11:16.560,0:11:18.560 or a network of systems and gain easy 0:11:18.560,0:11:20.880 access later on. 0:11:20.880,0:11:22.880 The initial infection of WannaCry is not 0:11:22.880,0:11:23.920 known, 0:11:23.920,0:11:25.680 but it is speculated that the attackers 0:11:25.680,0:11:27.120 took advantage of the backdoor to 0:11:27.120,0:11:28.880 deliver the payload. 0:11:28.880,0:11:30.399 The payload in this case is the 0:11:30.399,0:11:32.800 ransomware WannaCry. 
0:11:32.800,0:11:34.399 When a computer is infected with 0:11:34.399,0:11:36.160 WannaCry, oddly 0:11:36.160,0:11:37.440 it then tries to connect to the 0:11:37.440,0:11:39.600 following unregistered domain 0:11:39.600,0:11:41.519 which is basically a random string of 0:11:41.519,0:11:43.360 numbers and letters. 0:11:43.360,0:11:45.120 If it cannot establish a connection to 0:11:45.120,0:11:48.000 this domain, then the real damage begins. 0:11:48.000,0:11:50.880 It scans for port 445 on the network 0:11:50.880,0:11:52.560 which is the port that is used to host 0:11:52.560,0:11:54.079 SMB version 1, 0:11:54.079,0:11:56.079 and if the port is deemed to be open, it 0:11:56.079,0:11:57.600 would then proceed to spread to that 0:11:57.600,0:11:59.280 computer. 0:11:59.680,0:12:02.200 This is how it propagated so quickly. 0:12:03.120,0:12:04.800 Whether the other users in the network 0:12:04.800,0:12:06.560 actually downloaded or clicked on 0:12:06.560,0:12:08.000 anything malicious, 0:12:08.000,0:12:10.399 regardless, they would be infected, and in 0:12:10.399,0:12:12.000 seconds all their data would be 0:12:12.000,0:12:13.140 encrypted. 0:12:14.399,0:12:17.360 So the damage came in two parts, the 0:12:17.360,0:12:19.120 ransomware that encrypts the data 0:12:19.120,0:12:20.959 and the worm-like component that is used 0:12:20.959,0:12:22.480 to spread the ransomware to any 0:12:22.480,0:12:23.279 connected, 0:12:23.279,0:12:25.600 vulnerable devices in the network as a 0:12:25.600,0:12:28.880 result of Eternalblue and Doublepulsar. 0:12:28.880,0:12:31.360 The attack only affected Windows systems, 0:12:31.360,0:12:33.360 mainly targeting Windows XP, 0:12:33.360,0:12:36.320 Vista, Windows 7, Windows 8, and Windows 0:12:36.320,0:12:37.519 10. 
0:12:37.519,0:12:39.519 However, a month prior to the leak by the 0:12:39.519,0:12:42.480 shadow brokers on March 14, 2017, 0:12:42.480,0:12:44.079 Microsoft was made aware of this 0:12:44.079,0:12:45.920 vulnerability after it was publicly 0:12:45.920,0:12:46.800 reported 0:12:46.800,0:12:50.480 almost five years after its discovery. 0:12:50.480,0:12:52.320 Microsoft then released a critical patch 0:12:52.320,0:12:54.070 to fix this vulnerability, 0:12:54.070,0:12:57.040 MS17-010. 0:12:57.040,0:12:59.600 However, despite the release of the patch, 0:12:59.600,0:13:01.519 a significant number of organizations 0:13:01.519,0:13:03.360 never updated their systems, 0:13:03.360,0:13:05.680 and unfortunately there were still major 0:13:05.680,0:13:08.000 organizations running Windows XP 0:13:08.000,0:13:11.680 or Server 2003. These devices were at end 0:13:11.680,0:13:12.959 of support 0:13:12.959,0:13:14.800 which means that even if updates were 0:13:14.800,0:13:16.639 out, they would not receive them 0:13:16.639,0:13:18.309 and be completely vulnerable to the 0:13:18.309,0:13:19.710 exploit. 0:13:20.800,0:13:22.160 If you want to know more about the 0:13:22.160,0:13:23.760 vulnerability that the Eternalblue 0:13:23.760,0:13:24.720 exploited, 0:13:24.720,0:13:26.160 it is now logged in the national 0:13:26.160,0:13:27.760 vulnerability database 0:13:27.760,0:13:32.447 as CVE-2017-0144 0:13:32.447,0:13:36.056 [Music] 0:13:38.048,0:13:40.889 [Typing] 0:13:47.920,0:13:50.560 Marcus Hutchins, also known online by his 0:13:50.560,0:13:52.320 alias MalwareTech, 0:13:52.320,0:13:54.320 was a 23 year old British security 0:13:54.320,0:13:56.160 researcher at Kryptos Logic 0:13:56.160,0:13:59.519 in LA. 
After returning from lunch with a 0:13:59.519,0:14:01.839 friend on the afternoon of the attack, 0:14:01.839,0:14:03.600 he found himself scouring messaging 0:14:03.600,0:14:04.880 boards where he came across 0:14:04.880,0:14:07.519 news of a ransomware rapidly taking down 0:14:07.519,0:14:09.680 systems in the National Health Service 0:14:09.680,0:14:13.519 or NHS all over the UK. 0:14:13.519,0:14:14.959 Hutchins, who found it odd that the 0:14:14.959,0:14:17.040 ransomware was consistently affecting so 0:14:17.040,0:14:18.399 many devices, 0:14:18.399,0:14:20.320 concluded that the attack was probably a 0:14:20.320,0:14:21.760 computer worm and not just 0:14:21.760,0:14:25.120 a simple ransomware. He quickly requested 0:14:25.120,0:14:27.040 one of his friends to pass him a sample 0:14:27.040,0:14:28.160 of the malware 0:14:28.160,0:14:30.000 so that he could examine it and reverse 0:14:30.000,0:14:32.000 engineer it to analyze exactly how it 0:14:32.000,0:14:33.279 worked. 0:14:33.279,0:14:34.880 Once he had gotten his hands on the 0:14:34.880,0:14:36.320 malware sample, 0:14:36.320,0:14:38.079 he had run it using a virtual 0:14:38.079,0:14:40.160 environment with fake files 0:14:40.160,0:14:41.680 and found out that it was trying to 0:14:41.680,0:14:44.480 connect to an unregistered domain, 0:14:44.480,0:14:48.079 which we discussed earlier in Chapter 4. 0:14:48.079,0:14:49.839 Hutchins would go on to register this 0:14:49.839,0:14:53.708 domain for only $10.69, 0:14:53.708,0:14:55.120 which unbeknownst to him, 0:14:55.120,0:14:56.839 would actually halt the WannaCry 0:14:56.839,0:14:58.560 infection. 0:14:58.560,0:15:00.240 He would later admit in a tweet that 0:15:00.240,0:15:02.560 same day that the domain registration 0:15:02.560,0:15:04.079 leading to a pause in the rapid 0:15:04.079,0:15:05.120 infection 0:15:05.120,0:15:08.399 was indeed an accident dubbing Marcus 0:15:08.399,0:15:09.120 Hutchins 0:15:09.120,0:15:12.621 as the accidental hero. 
0:15:12.621,0:15:17.371 [Music] 0:15:18.360,0:15:23.350 [Music] 0:15:23.440,0:15:25.680 To Hutchins, taking control of 0:15:25.680,0:15:27.680 unregistered domains was just a part of 0:15:27.680,0:15:28.880 his workflow 0:15:28.880,0:15:30.480 when it came to stopping botnets and 0:15:30.480,0:15:32.320 tracking malware. 0:15:32.320,0:15:33.839 This was so that he could get further 0:15:33.839,0:15:35.839 insight into how the malware or botnets 0:15:35.839,0:15:37.440 were spreading. 0:15:37.440,0:15:38.959 For those of you unaware of what a 0:15:38.959,0:15:41.199 botnet is, it is essentially a group of 0:15:41.199,0:15:42.800 computers that have been hijacked by 0:15:42.800,0:15:44.240 malicious actors 0:15:44.240,0:15:46.160 or hackers in order to be used in their 0:15:46.160,0:15:47.440 attacks to drive 0:15:47.440,0:15:50.560 excess network traffic or steal data. 0:15:50.560,0:15:52.399 One computer that has been hijacked is 0:15:52.399,0:15:54.560 called a bot and a network of them 0:15:54.560,0:15:57.680 is called a botnet, however, 0:15:57.680,0:16:00.399 since, as we discussed earlier, the attack 0:16:00.399,0:16:02.320 only executes if it's unable to reach 0:16:02.320,0:16:04.639 the domains that it checks for. 0:16:04.639,0:16:06.839 Think of it as a simple if then 0:16:06.839,0:16:08.160 statement. 0:16:08.160,0:16:09.920 If the infection cannot connect to x 0:16:09.920,0:16:12.639 domain, then proceed with the infection. 0:16:12.639,0:16:16.560 If it can reach x domain, stop the attack. 0:16:16.560,0:16:18.320 And so the malware being able to connect 0:16:18.320,0:16:20.160 to the domain was known as the kill 0:16:20.160,0:16:21.199 switch, 0:16:21.199,0:16:23.199 the big red button that stops the attack 0:16:23.199,0:16:25.839 from spreading any further. 0:16:25.839,0:16:28.240 But why would the attackers implement a 0:16:28.240,0:16:30.399 kill switch at all? 
0:16:30.399,0:16:32.240 The first theory is that the creators of 0:16:32.240,0:16:34.160 WannaCry wanted a way to stop the attack 0:16:34.160,0:16:36.480 if it ever got out of hand or had any 0:16:36.480,0:16:38.560 unintentional effects. 0:16:38.560,0:16:40.399 The second and the most likely theory 0:16:40.399,0:16:42.320 proposed by Hutchins and other security 0:16:42.320,0:16:43.519 researchers 0:16:43.519,0:16:45.360 was that the kill switch was present in 0:16:45.360,0:16:46.800 order to prevent researchers from 0:16:46.800,0:16:49.279 looking into the behavior of WannaCry 0:16:49.279,0:16:51.120 if it was being executed within what is 0:16:51.120,0:16:52.320 known in security 0:16:52.320,0:16:55.759 as a sandbox. A sandbox is usually a 0:16:55.759,0:16:57.519 virtual computer that is used to run 0:16:57.519,0:16:58.800 malware. 0:16:58.800,0:17:00.320 It is a contained environment with 0:17:00.320,0:17:02.000 measures that have been taken to not 0:17:02.000,0:17:04.559 infect any important files or spread to 0:17:04.559,0:17:06.480 other networks, 0:17:06.480,0:17:08.240 much like what I used in Chapter 2 to 0:17:08.240,0:17:10.109 demonstrate the WannaCry ransomware. 0:17:12.160,0:17:14.240 Researchers use these sandboxes to run 0:17:14.240,0:17:16.240 malware and then use tools to determine 0:17:16.240,0:17:18.480 the behavior of the attack. 0:17:18.480,0:17:20.240 This is what Hutchins did with fake 0:17:20.240,0:17:22.640 files as well. 0:17:22.640,0:17:24.559 So the intent behind this kill switch 0:17:24.559,0:17:26.240 was to destroy the ransomware if it 0:17:26.240,0:17:28.960 existed within a sandbox environment, 0:17:28.960,0:17:30.720 again, since they didn't want researchers 0:17:30.720,0:17:32.480 to be able to analyze exactly how it 0:17:32.480,0:17:34.000 worked. 
0:17:34.000,0:17:35.919 However, since the attackers used a 0:17:35.919,0:17:37.280 static domain, 0:17:37.280,0:17:38.960 a domain name that did not change for 0:17:38.960,0:17:41.039 each infection, instead of using 0:17:41.039,0:17:43.280 dynamically generated domain names 0:17:43.280,0:17:45.039 like other renditions of this concept 0:17:45.039,0:17:46.480 would usually do, 0:17:46.480,0:17:48.400 the WannaCry infections around the world 0:17:48.400,0:17:50.240 believed that it was being analyzed in a 0:17:50.240,0:17:51.760 sandbox environment 0:17:51.760,0:17:54.160 and essentially killed itself since 0:17:54.160,0:17:56.080 every single infection was trying to reach 0:17:56.080,0:17:58.880 one single hard-coded domain, and now 0:17:58.880,0:18:00.720 they could after Hutchins had purchased 0:18:00.720,0:18:03.039 it and put it online. 0:18:03.039,0:18:05.039 If it had been a randomly generated 0:18:05.039,0:18:06.160 domain name, 0:18:06.160,0:18:07.520 then the infection would only have 0:18:07.520,0:18:09.520 removed itself from Hutchins's sandbox 0:18:09.520,0:18:10.880 environment 0:18:10.880,0:18:12.400 because the domain he registered would 0:18:12.400,0:18:14.000 be unique to him and would not 0:18:14.000,0:18:17.200 affect anyone else. This 0:18:17.200,0:18:20.160 seems to be an amateur mistake. So 0:18:20.160,0:18:21.840 amateur in fact, that the researchers 0:18:21.840,0:18:23.760 have speculated that maybe the intent of 0:18:23.760,0:18:24.799 the attackers 0:18:24.799,0:18:27.679 was not monetary gain, but rather a more 0:18:27.679,0:18:29.039 political intention 0:18:29.039,0:18:31.600 such as to bring shame to the NSA. 0:18:31.600,0:18:32.480 However, 0:18:32.480,0:18:34.160 to this date, there is nothing that 0:18:34.160,0:18:36.000 confirms nor denies the motive 0:18:36.000,0:18:37.620 of the WannaCry attack. 
0:18:37.620,0:18:43.692 [Music] 0:18:45.846,0:18:50.720 [Music] 0:18:50.720,0:18:53.360 The rapid infection had seemed to stop, 0:18:53.360,0:18:55.360 but for Hutchins or MalwareTech and his 0:18:55.360,0:18:58.640 team, the nightmare had only just begun. 0:18:58.640,0:19:00.240 Less than an hour from when he had 0:19:00.240,0:19:03.120 activated the domain, it was under attack. 0:19:03.120,0:19:04.880 The motive of the attackers were to use 0:19:04.880,0:19:07.280 the Mirai botnet to host a distributed 0:19:07.280,0:19:08.960 denial of service attack, 0:19:08.960,0:19:11.440 also known as DDoS, to shut down the 0:19:11.440,0:19:13.360 domain so that it would be unreachable 0:19:13.360,0:19:16.160 once again and all the halted infections 0:19:16.160,0:19:18.000 would resume. 0:19:18.000,0:19:20.000 A DDoS attack is usually performed to 0:19:20.000,0:19:21.280 flood a domain with 0:19:21.280,0:19:23.120 junk traffic 'till it can't handle 0:19:23.120,0:19:25.840 anymore and is driven offline. 0:19:25.840,0:19:27.679 The Mirai botnet that the attackers were 0:19:27.679,0:19:29.679 employing was previously used in one of 0:19:29.679,0:19:31.760 the largest ever DDoS attacks 0:19:31.760,0:19:33.600 and was comprised of hundreds and 0:19:33.600,0:19:35.760 thousands of devices. 0:19:35.760,0:19:37.520 The haunting realization that they were 0:19:37.520,0:19:39.360 the wall between a flood of infections 0:19:39.360,0:19:41.120 that was currently being blocked 0:19:41.120,0:19:43.039 slowly dawned on Hutchins and the other 0:19:43.039,0:19:46.080 researchers working on the case. 0:19:46.080,0:19:47.760 They eventually dealt with the issue by 0:19:47.760,0:19:50.000 taking the site to a cached version 0:19:50.000,0:19:51.760 which was capable of handling a much 0:19:51.760,0:19:55.200 higher traffic load than a live site. 
0:19:55.200,0:19:57.280 Two days after the domain went live, the 0:19:57.280,0:19:59.200 data showed that two million infections 0:19:59.200,0:20:00.480 had been halted 0:20:00.480,0:20:02.159 showing us what the extent of the damage 0:20:02.159,0:20:03.760 could have been if it was not for the 0:20:03.760,0:20:06.310 discovery of the kill switch. 0:20:19.785,0:20:25.360 [Music] 0:20:25.360,0:20:28.320 Marcus Hutchins's story does not stop here. 0:20:28.320,0:20:30.070 He would go on to be named as a 0:20:30.070,0:20:31.760 cybercrime hero, 0:20:31.760,0:20:34.159 a title which he didn't enjoy as it 0:20:34.159,0:20:36.880 would bring to him unwanted attention, 0:20:36.880,0:20:38.320 people trying to piece together his 0:20:38.320,0:20:40.480 address, media camping outside of his 0:20:40.480,0:20:41.360 house, 0:20:41.360,0:20:43.440 and in addition to all of this, he was 0:20:43.440,0:20:45.039 still under the pressure of the domain 0:20:45.039,0:20:46.840 going offline any minute and wreaking 0:20:46.840,0:20:48.400 havoc. 0:20:48.400,0:20:50.400 However, he was able to get through these 0:20:50.400,0:20:52.960 weary days and sleepless nights 0:20:52.960,0:20:57.039 only to be thrown back into chaos. 0:20:57.200,0:20:59.440 Three months after the WannaCry attack, 0:20:59.440,0:21:01.600 in August of 2017, 0:21:01.600,0:21:03.919 Marcus Hutchins, after partying in Vegas 0:21:03.919,0:21:05.280 for a week and a half 0:21:05.280,0:21:08.240 during DEFCON, a hacker convention, was 0:21:08.240,0:21:10.320 arrested in the airport by the FBI on 0:21:10.320,0:21:12.080 his way back home. 0:21:12.080,0:21:13.760 It seemed that Hutchins in his teenage 0:21:13.760,0:21:15.360 years had developed a malware named 0:21:15.360,0:21:16.080 Kronos 0:21:16.080,0:21:18.720 that would steal banking credentials. 
He would go on to sell this malware to multiple individuals with the help of someone he met online named Vinny K. Kronos is still an ongoing threat to banks around the world. Hutchins initially battled the charges with a not-guilty plea, but after a long and exhausting ordeal that lasted for years, in April 2019 he took a plea deal that would essentially dismiss all but two counts set against him: conspiracy to defraud the United States and actively marketing the Kronos malware. He faced the possibility of a maximum prison sentence of ten years, but because of his contribution towards stopping WannaCry and, as the community had constantly pointed out, his active involvement in defending the world against cyber attacks, the judge ruled in his favor. He was then released with zero jail time and is now a free man. As stated before, the WannaCry attack impacted over 150 countries and approximately 230,000 computers globally. Russia was the most severely infected, with over half the affected computers. India, Ukraine, and Taiwan also suffered significant disruption.
The most prominent victim to emerge from the attacks was the UK's National Health Service, or the NHS. In the NHS, over 70,000 devices such as computers, MRI scanners, devices used to test blood, theatre equipment, and over 1,200 pieces of diagnostic equipment were affected. The attack is estimated to have cost the NHS over 92 million euros, and globally the cost amounted to somewhere between four and eight billion dollars. You'd think that the attackers who launched WannaCry would have made a decent amount considering how many countries and devices were affected; however, as of June 14, 2017, when the attacks had begun to subside, they had only made $130,634.77. Victims were urged not to pay the ransom, since not only did it encourage the hackers, but it also did not guarantee the return of their data, because it was doubtful whether the attackers could actually match a paid ransom to the correct victim. This was clearly evident from the fact that a large proportion, almost all, of the affected victims who had paid the ransom had still not had their data returned.
Although initially the prime victims of WannaCry were said to be Windows XP clients, over 98% of the victims were actually running unpatched versions of Windows 7, and less than 0.1% of the victims were using Windows XP. In the case of Russia, people believed updates did more to break their devices than fix them, partly due to the fact that a majority of people used cracked or pirated versions of Windows, which means they wouldn't have received the updates released by Microsoft months prior to the attack. Microsoft eventually released the updates for systems that were at end of support, including Windows XP and other older versions of Windows. To this day, if the domain that Marcus Hutchins acquired were to go down, the millions of infections that it holds at bay would be released, though possibly ineffective if the computers had already applied the patch that Microsoft released.
EternalBlue is still in the wild, and variants of WannaCry have since surfaced, like Uiwix, which did not come with a kill switch and addressed the bitcoin payment issue by assigning a new address to each victim to collect payment, thereby easily allowing the payment to be tracked back to the victim. However, since it did not have the automatic worm-like functionality that WannaCry exhibited, it did not pose much of a threat. The impact of WannaCry is still seen today. Trend Micro's data clearly indicates that WannaCry was the most detected malware family in 2020, thanks to its virulent nature. And F-Secure reports that the most seen type of exploit is against the SMB version 1 vulnerability using EternalBlue. The fact that attackers still continue to try and exploit this must mean that there are organizations out there who have not patched against this vulnerability. Four years after the attack, there is still no confirmed identity of the creators of WannaCry. There have been accusations towards the Lazarus Group, which has strong links to North Korea.
However, this is nothing more than hearsay. So who is to blame for the catastrophic damage of WannaCry? Is it the NSA, who should not have stockpiled exploits without alerting the necessary entities about the vulnerabilities? Is it the Shadow Brokers, who took advantage of this, stole it, and released it into the wild? Is it the developers of WannaCry? Or is it the fault of Microsoft, who did not identify this vulnerability sooner? While all of this might be true to some extent, at the end of the day the actions these organizations take are largely out of the control of the public and business owners, who are usually the victims of the attack. Regardless of whom we hold responsible, the solution is very simple: make sure we follow the guidelines to have our data secured. The most crucial of these is to have a consistent schedule for updating our devices, and obviously not to use outdated operating systems that put employee and customer data and their privacy at huge risk. When it comes to ransomware, the most crucial form of defense is frequent backup. The more frequent it is, the better.
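As an added illustration of the patching point above (this is not code from the video), the following PowerShell audits a Windows host for the SMBv1 exposure that EternalBlue abuses and can switch the protocol off; it assumes a Windows 8.1 / Server 2012 R2 or newer host with the SmbShare and DISM modules available, and the -Remediate switch name is my own choice.

```powershell
# Added example: audit (and optionally remove) SMBv1, the protocol WannaCry spread over.
# Assumes Windows 8.1 / Server 2012 R2 or newer; run from an elevated PowerShell session.
param([switch]$Remediate)   # -Remediate is a name chosen for this example

$report = [ordered]@{}

# 1. Is the SMBv1 server protocol still enabled on this host?
$smb = Get-SmbServerConfiguration
$report['SMB1Enabled'] = $smb.EnableSMB1Protocol

# 2. Is the optional SMB1 feature installed at all (Windows 10 / Server 2016 and newer)?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
$report['SMB1FeatureState'] = if ($feature) { $feature.State } else { 'NotApplicable' }

# 3. OS version and most recent patch date: an old build with no recent updates is the
#    unpatched-Windows-7 situation the video describes. Compare against Microsoft's
#    advisory for your OS to confirm the SMBv1 fix itself is present.
$os = Get-CimInstance Win32_OperatingSystem
$report['OSVersion'] = $os.Version
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$report['LastPatchInstalled'] = if ($latest) { $latest.InstalledOn } else { 'None found' }

[pscustomobject]$report | Format-List

# 4. Optional remediation: turn SMBv1 off and, where the feature exists, uninstall it.
if ($Remediate -and $smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force   # -Force skips the prompt
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    Write-Host 'SMBv1 disabled; reboot to complete feature removal.'
}
```

Run it without -Remediate first to see the report; legacy devices that still need SMBv1 (old printers, NAS boxes) should be identified and isolated before the protocol is removed fleet-wide.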
Less than 50% of ransomware payments actually result in the data being returned to the victims, and so, needless to say, payment should not be an option unless your goal is to lose money and your data as well. The biggest mistake that organizations tend to make is refusing to believe that they would be a target. According to a study by Cloudwards in 2021, every 11 seconds a company is hit by ransomware, and a large proportion of the victims are small to medium-sized businesses that never see it coming, as they are often found to have less than effective security strategies in place, making them ideal targets for such attacks. Digital transformation during the coronavirus pandemic has started to move businesses to the cloud, and so cyber criminals have now shifted their focus to the cloud as well, giving them an entirely new attack surface to work with. The cost of ransomware is said to top 20 billion dollars by the end of 2021, and that is ransomware alone.
By 2025, Cybersecurity Ventures estimates that cybercrime will cost businesses 10.5 trillion dollars annually, which would amount to just 2 trillion short of China's economy, the second biggest economy in the world. We are headed towards bigger and more destructive attacks than WannaCry, and our most reliable defense is our awareness and our action to better protect ourselves. Thank you for watching.