WANNACRY: The World's Largest Ransomware Attack (Documentary)

Rollback to version 3

0:00 - 0:09

[Music]
0:11 - 0:14

A small note before we start,
0:14 - 0:16

as much as this video is meant to be a
0:16 - 0:17

storytelling experience,
0:17 - 0:19

I have also intended it to be
0:19 - 0:21

educational,
0:21 - 0:22

and so, I have coupled the story along
0:22 - 0:24

with how some of these attacks and
0:24 - 0:26

technologies work.
0:26 - 0:28

This is my first documentary style video,
0:28 - 0:31

and so I appreciate any and all feedback
0:31 - 0:33

in the comments below.
0:33 - 0:36

I really hope you enjoy, and hopefully,
0:36 - 0:39

learn a few new things.
0:41 - 0:43

Right now, a crippling cyberattack has
0:43 - 0:45

businesses around the world
0:45 - 0:48

on high alert. The ransomware known as
0:48 - 0:49

WannaCry-
0:49 - 0:50

We want to move on to the other developing
0:50 - 0:52

story this morning, the global cyberattack-
0:52 - 0:54

The national security agency
0:54 - 0:57

developed this software and it's now
0:57 - 0:58

being used by criminals
0:58 - 1:00

around the world to demand ransom.
1:00 - 1:02

Security experts say this is one
1:02 - 1:03

of the worst and most
1:03 - 1:05

widespread pieces of malware they've
1:05 - 1:07

ever seen-
1:07 - 1:14

[Music]
1:16 - 1:19

[Typing]
1:20 - 1:23

In May of 2017, a worldwide cyberattack
1:23 - 1:25

by the name of WannaCry
1:25 - 1:28

shot for WannaCryptor, impacted over 150
1:28 - 1:29

countries,
1:29 - 1:31

and hit around 230,000 computers
1:31 - 1:33

globally.
1:33 - 1:35

Needless to say it became known as one
1:35 - 1:37

of the biggest ransomware attacks in
1:37 - 1:38

history.
1:38 - 1:41

Let's start at the very beginning. On the
1:41 - 1:43

morning of the 12th of May, 2017,
1:43 - 1:45

according to Akamai, the content delivery
1:45 - 1:46

network,
1:46 - 1:49

this was the timeline. Reportedly the
1:49 - 1:51

first case identified originated from a
1:51 - 1:54

Southeast Asian ISP which was detected
1:54 - 1:56

at 7:44 am UTC.
1:57 - 1:58

Over the next hour, there were cases
1:58 - 2:00

seen from Latin America,
2:00 - 2:03

then the Continental Europe and UK, then
2:03 - 2:07

Brazil and Argentinian ISPs until at 12:39 pm
2:07 - 2:09

UTC, 74%
2:09 - 2:13

of all ISPs in Asia were affected. And by
2:13 - 2:15

3:28 pm UTC,
2:15 - 2:18

the ransomware had taken hold of 65%
2:18 - 2:21

of Latin American ISPs.
2:21 - 2:23

WannaCry was spreading and at an
2:23 - 2:25

incredible rate.
2:25 - 2:26

Prior to this, such a quick and
2:26 - 2:29

widespread ransomware was unheard of.
2:29 - 2:31

A lot of organizations unable to recover
2:31 - 2:32

their losses
2:32 - 2:35

were forced to permanently shut down.
2:35 - 2:36

some had to put a pause on their
2:36 - 2:38

networks and services and reported huge
2:38 - 2:39

losses
2:39 - 2:42

some in millions of dollars the attack
2:42 - 2:45

did not discriminate small to
2:45 - 2:46

medium-sized businesses
2:46 - 2:49

large enterprises the private sector the
2:49 - 2:50

public sector
2:50 - 2:53

railways healthcare banks malls
2:53 - 2:53

ministries
2:53 - 2:57

police energy companies isps and there
2:57 - 2:57

just seemed to be
2:57 - 3:01

no end to the victims within few hours
3:01 - 3:03

it had spread to over 11 countries
3:03 - 3:04

and by the end of the first day of the
3:04 - 3:06

attack the ransomware had been
3:06 - 3:08

encountered in 74 countries
3:08 - 3:10

within thousands and thousands of
3:10 - 3:12

organizations
3:12 - 3:15

and so it begged the question how much
3:15 - 3:17

damage will this really cause over the
3:17 - 3:18

next few days
3:18 - 3:20

or weeks or months if no solution
3:20 - 3:23

presents itself
3:23 - 3:27

your surface has been temporarily
3:31 - 3:33

disconnected
3:33 - 3:36

ransomware works in a very simple manner
3:36 - 3:38

it is the type of malware most commonly
3:38 - 3:40

spread through phishing attacks
3:40 - 3:42

which are essentially emails used to
3:42 - 3:44

trick a user into clicking a link that
3:44 - 3:46

leads them to a website
3:46 - 3:48

where they enter sensitive data or to
3:48 - 3:50

download attachments which if executed
3:50 - 3:52

will infect the computer
3:52 - 3:54

although initially suspected wannacry
3:54 - 3:57

did not originate from a phishing attack
3:57 - 4:00

but we'll get to that once later
4:00 - 4:01

computer is infected
4:01 - 4:03

the ransomware runs an encryption
4:03 - 4:05

process and usually in less than a
4:05 - 4:06

minute
4:06 - 4:09

some or all the files depending on what
4:09 - 4:11

the ransomware is meant to affect in the
4:11 - 4:12

user's computer
4:12 - 4:14

is converted from plain text to
4:14 - 4:16

ciphertext
4:16 - 4:18

plain text is readable or comprehensible
4:18 - 4:19

data
4:19 - 4:21

and ciphertext is unintelligible
4:21 - 4:23

gibberish
4:23 - 4:25

in order to turn this back into plain
4:25 - 4:27

text the user will need what is known as
4:27 - 4:29

a decryption key
4:29 - 4:31

which the attacker promises to provide
4:31 - 4:35

if the user were to pay the ransom
4:35 - 4:37

what makes ransomware so dreadful is
4:37 - 4:39

that once your files have been encrypted
4:39 - 4:41

you can't exactly decrypt it and
4:41 - 4:43

retrieve your data
4:43 - 4:45

well you can but with the current
4:45 - 4:47

technology we have to break common
4:47 - 4:49

encryption algorithms used in ransomware
4:49 - 4:50

attacks
4:50 - 4:53

such as the rsa it would take millions
4:53 - 4:57

to billions to trillions of years
4:57 - 5:00

[Music]
5:04 - 5:05

this is what you'd see if you were to
5:05 - 5:07

become infected with the wannacry
5:07 - 5:09

ransomware
5:09 - 5:10

in addition to this intimidating
5:10 - 5:12

wallpaper your documents
5:12 - 5:16

spreadsheets images videos
5:16 - 5:19

music and most everyday productivity and
5:19 - 5:21

multimedia files become encrypted
5:21 - 5:23

essentially being held hostage till the
5:23 - 5:26

ransom payment has been made
5:27 - 5:29

the wanted crypto 2.0 comes with a set
5:29 - 5:30

of instructions
5:30 - 5:32

and in 28 different languages for
5:32 - 5:34

victims to follow in order to recover
5:34 - 5:35

their files
5:35 - 5:38

the attackers demanded for 300 worth of
5:38 - 5:39

bitcoin
5:39 - 5:41

and after three days would be updated to
5:41 - 5:42

six hundred dollars
5:42 - 5:44

if the payment were to be made seven
5:44 - 5:46

days after the infection the files would
5:46 - 5:48

be recoverable
5:48 - 5:50

however despite this they also go on to
5:50 - 5:52

state that they will return the files
5:52 - 5:55

for free to quote users who are so poor
5:55 - 5:56

that they couldn't pay
5:56 - 5:59

end quote after six months the method of
5:59 - 6:00

payment
6:00 - 6:02

bitcoin
6:04 - 6:06

the reason that attackers chose bitcoin
6:06 - 6:08

was because it is what we know
6:08 - 6:10

as a private cryptocurrency this allows
6:10 - 6:12

the holder of the currency to remain
6:12 - 6:13

anonymous
6:13 - 6:15

though the money could be traced to a
6:15 - 6:17

cryptocurrency wallet which is where the
6:17 - 6:18

currency itself is stored
6:18 - 6:20

it would be exponentially difficult to
6:20 - 6:21

find the owner of the wallet without
6:21 - 6:24

extensive forensic analysis
6:24 - 6:27

this is the reason that bitcoin is used
6:27 - 6:28

widely in the dark web
6:28 - 6:31

to purchase guns drugs and other illegal
6:31 - 6:32

goods and services that for obvious
6:32 - 6:33

reasons
6:33 - 6:35

you would not be able to find on the
6:35 - 6:48

surface web
6:48 - 6:50

problem with wannacry and what made it
6:50 - 6:52

exponentially more dangerous than your
6:52 - 6:53

average ransomware
6:53 - 6:56

was its propagating capabilities
6:56 - 6:58

but to understand this fully we need to
6:58 - 7:00

go back in time a little bit
7:00 - 7:04

to 2016. in august of 2016 the equation
7:04 - 7:06

group suspected to have ties with the
7:06 - 7:08

national security agency's tailored
7:08 - 7:09

operations unit
7:09 - 7:11

and described by kaspersky as one of the
7:11 - 7:13

most sophisticated cyber attack groups
7:13 - 7:14

in the world
7:14 - 7:16

was said to be hacked by a group called
7:16 - 7:18

the shadow brokers
7:18 - 7:20

in this hack disks full of the nsa
7:20 - 7:23

secrets were stolen
7:23 - 7:25

this was bad because the nsa houses what
7:25 - 7:28

we know as nation state attacks
7:28 - 7:30

which are exploits or hacking tools that
7:30 - 7:31

are used to carry out a hack for their
7:31 - 7:32

home country
7:32 - 7:35

against another country the nsa would
7:35 - 7:37

essentially recruit a skilled hacker and
7:37 - 7:39

give them a license to hack
7:39 - 7:41

which means if they did carry it out it
7:41 - 7:43

wouldn't be illegal
7:43 - 7:45

at least in that country and the hacker
7:45 - 7:48

would not be charged
7:49 - 7:51

the danger here is that the nation-state
7:51 - 7:52

tools in itself are usually pretty
7:52 - 7:53

effective
7:53 - 7:55

especially considering they are to be
7:55 - 7:57

used as weapons against entire states
7:57 - 8:00

and countries
8:04 - 8:05

the nsa is said to have discovered a
8:05 - 8:07

multitude of other vulnerabilities in
8:07 - 8:08

the windows os
8:08 - 8:11

as early as 2013 but was speculated to
8:11 - 8:13

have developed exploits secretly and
8:13 - 8:15

stockpile them
8:15 - 8:17

rather than reporting it to microsoft or
8:17 - 8:18

the infosec community
8:18 - 8:20

so that they could weaponize it and
8:20 - 8:22

utilize them in their nation state and
8:22 - 8:25

other attacks
8:25 - 8:27

the shadow brokers would go on to
8:27 - 8:29

auction off some of these tools that
8:29 - 8:30

were developed
8:30 - 8:32

but due to skepticism online on whether
8:32 - 8:34

the hackers really did have files as
8:34 - 8:36

dangerous as they had claimed
8:36 - 8:38

this would essentially go on to become a
8:38 - 8:41

catastrophic failure
8:41 - 8:42

we can talk quite a bit about the shadow
8:42 - 8:45

brokers the story is itself worth
8:45 - 8:47

examining individually and maybe even on
8:47 - 8:48

a separate video
8:48 - 8:50

but let's narrow our focus down to the
8:50 - 8:52

leak that made wannacry possible
8:52 - 8:54

which at that point was the fifth leak
8:54 - 8:56

by the group and was said to be the most
8:56 - 8:59

damaging one yet
8:59 - 9:02

on april 14 2017 the shadow brokers
9:02 - 9:04

would post a tweet that linked to their
9:04 - 9:05

steam blockchain
9:05 - 9:09

on a post titled lost in translation
9:09 - 9:10

this leak contained files from the
9:10 - 9:12

initial failed auction which they now
9:12 - 9:14

decided to release to the public
9:14 - 9:18

for free the description accompanying
9:18 - 9:20

the leaked files doesn't really contain
9:20 - 9:21

much worth noting
9:21 - 9:23

as always the shadow brokers would use
9:23 - 9:25

broken but still somewhat comprehensible
9:25 - 9:26

english
9:26 - 9:28

however this is widely speculated not to
9:28 - 9:30

speak to their proficiency in the
9:30 - 9:31

language
9:31 - 9:32

but rather an attempt to mislead
9:32 - 9:34

analysts and prevent them from yielding
9:34 - 9:36

any results regarding their identity
9:36 - 9:40

characterized by how they type
9:40 - 9:41

the link which has now been taken down
9:41 - 9:43

takes you to an archive filled with a
9:43 - 9:45

number of windows exploits developed by
9:45 - 9:46

the nsa
9:46 - 9:48

it did contain many other valuable tools
9:48 - 9:49

worth examining
9:49 - 9:51

but the ones relevant to our story and
9:51 - 9:53

what made a regular ransomware so
9:53 - 9:54

destructive
9:54 - 9:57

were the payload double pulsar and the
9:57 - 9:59

now infamous exploit used in the
9:59 - 10:00

wannacry attack
10:00 - 10:06

eternal blue
10:13 - 10:15

[Music]
10:15 - 10:19

server message block version 1 or smb v1
10:19 - 10:21

is a network communication protocol
10:21 - 10:24

which was developed in 1983.
10:24 - 10:25

the function of this protocol would be
10:25 - 10:27

to allow one windows computer to
10:27 - 10:29

communicate with another
10:29 - 10:31

and share files and printers on a local
10:31 - 10:32

network
10:32 - 10:35

however smb version 1 had a critical
10:35 - 10:36

vulnerability
10:36 - 10:39

which allowed for what is known as a
10:39 - 10:42

remote arbitrary code execution
10:42 - 10:43

in which an attacker would be able to
10:43 - 10:45

execute whatever code that they'd like
10:45 - 10:48

on their target or victim's computer
10:48 - 10:49

over the internet
10:49 - 10:52

usually with malicious intent the
10:52 - 10:53

function of eternal blue was to take
10:53 - 10:56

advantage of this vulnerability
10:56 - 10:58

essentially i'm going to try and strip
10:58 - 11:00

it down to simplify it as much as
11:00 - 11:01

possible
11:01 - 11:03

when the shadow brokers first leaked the
11:03 - 11:04

nsa tools
11:04 - 11:06

hackers took this opportunity to install
11:06 - 11:08

double pulsar
11:08 - 11:09

which is a tool which opens what we
11:09 - 11:11

commonly know in security
11:11 - 11:14

as a back door backdoors allows hackers
11:14 - 11:17

to create an entry point into the system
11:17 - 11:19

or a network of systems and gain easy
11:19 - 11:21

access later on
11:21 - 11:23

the initial infection of wannacry is not
11:23 - 11:24

known
11:24 - 11:26

but it is speculated that the attackers
11:26 - 11:27

took advantage of the back door to
11:27 - 11:29

deliver the payload
11:29 - 11:30

the payload in this case is the
11:30 - 11:33

ransomware wannacry
11:33 - 11:34

when a computer is infected with
11:34 - 11:36

wannacry oddly
11:36 - 11:37

it then tries to connect to the
11:37 - 11:40

following unregistered domain
11:40 - 11:42

which is basically a random string of
11:42 - 11:43

numbers and letters
11:43 - 11:45

if it cannot establish a connection to
11:45 - 11:48

this domain then the real damage begins
11:48 - 11:51

it scans for port 445 on the network
11:51 - 11:53

which is the port that is used to host
11:53 - 11:54

smb version 1
11:54 - 11:56

and if the port is deemed to be open it
11:56 - 11:58

would then proceed to spread to that
11:58 - 12:00

computer
12:00 - 12:02

this is how it propagated so quickly
12:02 - 12:03

[Music]
12:03 - 12:05

whether the other users in the network
12:05 - 12:07

actually downloaded or clicked on
12:07 - 12:08

anything malicious
12:08 - 12:10

regardless they would be infected and in
12:10 - 12:12

seconds all their data would be
12:12 - 12:13

encrypted
12:13 - 12:14

[Music]
12:14 - 12:17

so the damage came in two parts the
12:17 - 12:19

ransomware that encrypts the data
12:19 - 12:21

and the worm-like component that is used
12:21 - 12:22

to spread the ransomware to any
12:22 - 12:23

connected
12:23 - 12:26

vulnerable devices in the network as a
12:26 - 12:29

result of eternal blue and double pulsar
12:29 - 12:31

the attack only affected windows systems
12:31 - 12:33

mainly targeting windows xp
12:33 - 12:36

vista windows 7 windows 8 and windows
12:36 - 12:38

10.
12:38 - 12:40

however a month prior to the leak by the
12:40 - 12:42

shadow brokers on march 14 2017
12:42 - 12:44

microsoft was made aware of this
12:44 - 12:46

vulnerability after it was publicly
12:46 - 12:47

reported
12:47 - 12:50

almost five years after its discovery
12:50 - 12:52

microsoft then released a critical patch
12:52 - 12:54

to fix this vulnerability
12:54 - 12:55

[Music]
12:55 - 12:57

ms-17010
12:57 - 13:00

however despite the release of the patch
13:00 - 13:02

a significant number of organizations
13:02 - 13:03

never updated their systems
13:03 - 13:06

and unfortunately there were still major
13:06 - 13:08

organizations running windows xp
13:08 - 13:12

or server 2003 these devices were at end
13:12 - 13:13

of support
13:13 - 13:15

which means that even if updates were
13:15 - 13:17

out they would not receive them
13:17 - 13:19

and be completely vulnerable to the
13:19 - 13:21

exploit
13:21 - 13:22

if you want to know more about the
13:22 - 13:24

vulnerability that the eternalblue
13:24 - 13:25

exploited
13:25 - 13:26

it is now logged in the national
13:26 - 13:28

vulnerability database
13:28 - 13:34

as cve 20170144
13:34 - 13:38

[Music]
13:48 - 13:51

marcus hutchins also known online by his
13:51 - 13:52

alias malwa attack
13:52 - 13:54

was a 23 year old british security
13:54 - 13:56

researcher at kryptos logic
13:56 - 14:00

in la after returning from lunch with a
14:00 - 14:02

friend on the afternoon of the attack
14:02 - 14:04

he found himself scouring messaging
14:04 - 14:05

boards where he came across
14:05 - 14:08

news of a ransomware rapidly taking down
14:08 - 14:10

systems in the national health service
14:10 - 14:14

or nhs all over the uk
14:14 - 14:15

hutchins who found it odd that the
14:15 - 14:17

ransomware was consistently affecting so
14:17 - 14:18

many devices
14:18 - 14:20

concluded that the attack was probably a
14:20 - 14:22

computer worm and not just
14:22 - 14:25

a simple ransomware he quickly requested
14:25 - 14:27

one of his friends to pass him a sample
14:27 - 14:28

of the malware
14:28 - 14:30

so that he could examine it and reverse
14:30 - 14:32

engineer it to analyze exactly how it
14:32 - 14:33

worked
14:33 - 14:35

once he had gotten his hands on the
14:35 - 14:36

malware sample
14:36 - 14:38

he had run it using a virtual
14:38 - 14:40

environment with fake files
14:40 - 14:42

and found out that it was trying to
14:42 - 14:44

connect to an unregistered domain
14:44 - 14:48

which we discussed earlier in chapter 4.
14:48 - 14:50

hutchins would go on to register this
14:50 - 14:52

domain for only 10
14:52 - 14:55

and 69 cents which unbeknownst to him
14:55 - 14:57

would actually halt the wannacry
14:57 - 14:59

infection
14:59 - 15:00

he would later admit in a tweet that
15:00 - 15:03

same day that the domain registration
15:03 - 15:04

leading to a pause in the rapid
15:04 - 15:05

infection
15:05 - 15:08

was indeed an accident dubbing marcus
15:08 - 15:09

hutchins
15:09 - 15:14

as the accidental hero
15:23 - 15:26

to hachins taking control of
15:26 - 15:28

unregistered domains was just a part of
15:28 - 15:29

his workflow
15:29 - 15:30

when it came to stopping botnets and
15:30 - 15:32

tracking malware
15:32 - 15:34

this was so that he could get further
15:34 - 15:36

insight into how the malware or botnets
15:36 - 15:37

were spreading
15:37 - 15:39

for those of you unaware of what a
15:39 - 15:41

botnet is it is essentially a group of
15:41 - 15:43

computers that have been hijacked by
15:43 - 15:44

malicious actors
15:44 - 15:46

or hackers in order to be used in their
15:46 - 15:47

attacks to drive
15:47 - 15:51

excess network traffic or steel data
15:51 - 15:52

one computer that has been hijacked is
15:52 - 15:55

called a bot and a network of them
15:55 - 15:58

is called a botnet however
15:58 - 16:00

since as we discussed earlier the attack
16:00 - 16:02

only executes if it's unable to reach
16:02 - 16:05

the domains that it checks for
16:05 - 16:07

think of it as a simple if then
16:07 - 16:08

statement
16:08 - 16:10

if the infection cannot connect to x
16:10 - 16:13

domain then proceed with the infection
16:13 - 16:17

if it can reach x domain stop the attack
16:17 - 16:18

and so the malware being able to connect
16:18 - 16:20

to the domain was known as the kill
16:20 - 16:21

switch
16:21 - 16:23

the big red button that stops the attack
16:23 - 16:26

from spreading any further
16:26 - 16:28

but why would the attackers implement a
16:28 - 16:30

kill switch at all
16:30 - 16:32

the first theory is that the creators of
16:32 - 16:34

wannacry wanted a way to stop the attack
16:34 - 16:36

if it ever got out of hand or had any
16:36 - 16:39

unintentional effects
16:39 - 16:40

the second and the most likely theory
16:40 - 16:42

proposed by hutchins and other security
16:42 - 16:44

researchers
16:44 - 16:45

was that the kill switch was present in
16:45 - 16:47

order to prevent researchers from
16:47 - 16:49

looking into the behavior of monocry
16:49 - 16:51

if it was being executed within what is
16:51 - 16:52

known in security
16:52 - 16:56

as a sandbox a sandbox is usually a
16:56 - 16:58

virtual computer that is used to run
16:58 - 16:59

malware
16:59 - 17:00

it is a contained environment with
17:00 - 17:02

measures that have been taken to not
17:02 - 17:05

infect any important files or spread to
17:05 - 17:06

other networks
17:06 - 17:08

much like what i used in chapter 2 to
17:08 - 17:10

demonstrate the wannacry ransomware
17:10 - 17:12

[Music]
17:12 - 17:14

researchers used these sandboxes to run
17:14 - 17:16

malware and then use tools to determine
17:16 - 17:18

the behavior of the attack
17:18 - 17:20

this is what hutchins did with fake
17:20 - 17:23

files as well
17:23 - 17:25

so the intent behind this kill switch
17:25 - 17:26

was to destroy the ransomware if it
17:26 - 17:29

existed within a sandbox environment
17:29 - 17:31

again since they didn't want researchers
17:31 - 17:32

to be able to analyze exactly how it
17:32 - 17:34

worked
17:34 - 17:36

however since the attackers used a
17:36 - 17:37

static domain
17:37 - 17:39

a domain name that did not change for
17:39 - 17:41

each infection instead of using
17:41 - 17:43

dynamically generated domain names
17:43 - 17:45

like other renditions of this concept
17:45 - 17:46

would usually do
17:46 - 17:48

the wannacry infections around the world
17:48 - 17:50

believed that it was being analyzed in a
17:50 - 17:52

sandbox environment
17:52 - 17:54

and essentially killed itself since
17:54 - 17:56

every single infection was trying to
17:56 - 17:56

reach
17:56 - 17:59

one single hard-coded domain and now
17:59 - 18:01

they could after hutchins had purchased
18:01 - 18:03

it and put it online
18:03 - 18:05

if it had been a randomly generated
18:05 - 18:06

domain name
18:06 - 18:08

then the infection would only have
18:08 - 18:10

removed itself from hutchins's sandbox
18:10 - 18:11

environment
18:11 - 18:12

because the domain he registered would
18:12 - 18:14

be unique to him and would not
18:14 - 18:17

affect anyone else this
18:17 - 18:20

seems to be an amateur mistake so
18:20 - 18:22

amateur in fact that the researchers
18:22 - 18:24

have speculated that maybe the intent of
18:24 - 18:25

the attackers
18:25 - 18:28

was not monetary gain but rather a more
18:28 - 18:29

political intention
18:29 - 18:32

such as to bring shame to the nsa
18:32 - 18:32

however
18:32 - 18:34

to this date there is nothing that
18:34 - 18:36

confirms nor denies the motive
18:36 - 18:44

of the wannacry attack
18:51 - 18:53

the rapid infection had seemed to stop
18:53 - 18:55

but for hutchins or malwater and his
18:55 - 18:59

team the nightmare had only just begun
18:59 - 19:00

less than an hour from when he had
19:00 - 19:03

activated the domain it was under attack
19:03 - 19:05

the motive of the attackers were to use
19:05 - 19:07

the mirai botnet to host a distributed
19:07 - 19:09

denial of service attack
19:09 - 19:11

also known as ddos to shut down the
19:11 - 19:13

domain so that it would be unreachable
19:13 - 19:16

once again and all the halted infections
19:16 - 19:18

would resume
19:18 - 19:20

a ddos attack is usually performed to
19:20 - 19:21

flood a domain with
19:21 - 19:23

junk traffic till it can't handle
19:23 - 19:26

anymore and is driven offline
19:26 - 19:28

the mirai botnet that the attackers were
19:28 - 19:30

employing was previously used in one of
19:30 - 19:32

the largest ever ddos attacks
19:32 - 19:34

and was comprised of hundreds and
19:34 - 19:36

thousands of devices
19:36 - 19:38

the haunting realization that they were
19:38 - 19:39

the wall between a flood of infections
19:39 - 19:41

that was currently being blocked
19:41 - 19:43

slowly dawned on hutchins and the other
19:43 - 19:46

researchers working on the case
19:46 - 19:48

they eventually dealt with the issue by
19:48 - 19:50

taking the site to a cached version
19:50 - 19:52

which was capable of handling a much
19:52 - 19:55

higher traffic load than a live site
19:55 - 19:57

two days after the domain went live the
19:57 - 19:59

data showed that two million infections
19:59 - 20:00

had been halted
20:00 - 20:02

showing us what the extent of the damage
20:02 - 20:04

could have been if it was not for the
20:04 - 20:08

discovery of the kill switch
20:25 - 20:28

marcus hutchins story does not stop here
20:28 - 20:30

he would go on to be named as a cyber
20:30 - 20:32

crime hero
20:32 - 20:34

a title which he didn't enjoy as it
20:34 - 20:37

would bring to him unwanted attention
20:37 - 20:38

people trying to piece together his
20:38 - 20:40

address media camping outside of his
20:40 - 20:41

house
20:41 - 20:43

and in addition to all of this he was
20:43 - 20:45

still under the pressure of the domain
20:45 - 20:47

going offline any minute and wreaking
20:47 - 20:48

havoc
20:48 - 20:50

however he was able to get through these
20:50 - 20:53

weary days and sleepless nights
20:53 - 20:57

only to be thrown back into chaos
20:57 - 20:59

three months after the wannacry attack
20:59 - 21:02

in august of 2017
21:02 - 21:04

marcus hutchins after partying in vegas
21:04 - 21:05

for a week and a half
21:05 - 21:08

during defcon a hacker convention was
21:08 - 21:10

arrested in the airport by the fbi on
21:10 - 21:12

his way back home
21:12 - 21:14

it seemed that hutchins in his teenage
21:14 - 21:15

years had developed a malware named
21:15 - 21:16

kronos
21:16 - 21:19

that would steal banking credentials he
21:19 - 21:20

would go on to sell this malware to
21:20 - 21:22

multiple individuals with the help of
21:22 - 21:23

someone he met online
21:23 - 21:27

named vinnie k kronos is still an
21:27 - 21:31

ongoing threat to banks around the world
21:31 - 21:33

hutchins initially battled the charges
21:33 - 21:34

with a non-guilty plea
21:34 - 21:36

but after a long and exhausting ordeal
21:36 - 21:38

that lasted for years
21:38 - 21:41

in april 2019 he took a plea deal that
21:41 - 21:42

would essentially dismiss
21:42 - 21:45

all but two counts set against him
21:45 - 21:48

conspiracy to defraud the united states
21:48 - 21:49

and actively marketing the kronos
21:49 - 21:51

malware
21:51 - 21:53

he faced the possibility of a maximum
21:53 - 21:55

prison sentence of ten years
21:55 - 21:57

but because of his contribution towards
21:57 - 21:59

wannacry and as the community had
21:59 - 22:00

constantly pointed out
22:00 - 22:02

his active involvement in defending the
22:02 - 22:04

world against cyber attacks
22:04 - 22:08

the judge ruled in his favor he was then
22:08 - 22:08

released
22:08 - 22:11

with zero jail time and is now a free
22:11 - 22:14

man
22:27 - 22:29

as stated before wannacry attack
22:29 - 22:31

impacted over 150 countries
22:31 - 22:34

and approximately 230 000 computers
22:34 - 22:35

globally
22:35 - 22:38

russia was the most severely infected
22:38 - 22:40

with over half the affected computers
22:40 - 22:43

india ukraine and taiwan also suffered
22:43 - 22:46

significant disruption
22:49 - 22:51

the most popular victim to emerge out of
22:51 - 22:52

the attacks were the uk's national
22:52 - 22:53

health service
22:53 - 22:57

or the nhs in the nhs over 70 000
22:57 - 22:59

devices such as computers
22:59 - 23:02

mri scanners devices used to test blood
23:02 - 23:05

theater equipment and over 1200 pieces
23:05 - 23:10

of diagnostic equipment were affected
23:10 - 23:12

approximately the attack cost the nhs
23:12 - 23:14

over 92 million euros
23:14 - 23:16

and globally the cost amounted to
23:16 - 23:18

somewhere between four and eight billion
23:18 - 23:20

dollars
23:20 - 23:21

you'd think that the attackers who
23:21 - 23:23

launched wannacry would have made a
23:23 - 23:24

decent amount considering how many
23:24 - 23:25

countries
23:25 - 23:28

and devices were affected however as of
23:28 - 23:30

june 14 2017
23:30 - 23:33

when the attacks had begun to subside
23:33 - 23:35

they had only made a hundred and thirty
23:35 - 23:35

thousand
23:35 - 23:37

six hundred and thirty four dollars and
23:37 - 23:39

seventy seven cents
23:39 - 23:41

victims were urged not to pay the ransom
23:41 - 23:43

since not only did it encourage the
23:43 - 23:44

hackers
23:44 - 23:45

but it also did not guarantee the return
23:45 - 23:48

of their data due to skepticism of
23:48 - 23:49

whether the attackers could actually
23:49 - 23:50

place the paid ransom
23:50 - 23:53

to the correct victim this was clearly
23:53 - 23:54

evident from the fact that a large
23:54 - 23:55

proportion
23:55 - 23:57

almost all of the affected victims who
23:57 - 23:58

had paid the ransom
23:58 - 24:04

had still not been returned their data
24:04 - 24:09

[Music]
24:14 - 24:15

although initially the prime victims of
24:15 - 24:17

wannacry were said to be windows xp
24:17 - 24:20

clients over 98 of the victims were
24:20 - 24:22

actually running unpatched versions of
24:22 - 24:23

windows 7
24:23 - 24:26

and less than 0.1 percent of the victims
24:26 - 24:28

were using windows xp
24:28 - 24:30

in the case of russia they believed
24:30 - 24:32

updates did more to break their devices
24:32 - 24:34

rather than fix them
24:34 - 24:36

partly due to the fact that a majority
24:36 - 24:38

of people use cracked or pirated
24:38 - 24:39

versions of windows
24:39 - 24:40

which means they wouldn't have received
24:40 - 24:42

the updates which were released by
24:42 - 24:45

microsoft months prior to the attack
24:45 - 24:47

microsoft eventually released the
24:47 - 24:48

updates for systems that were at end of
24:48 - 24:49

support
24:49 - 24:51

including windows xp and other older
24:51 - 24:54

versions of windows
24:54 - 24:56

to this day if the domain that marcus
24:56 - 24:57

hutchins acquired were to go down
24:57 - 24:59

the millions of infections that it has
24:59 - 25:01

at bay would be released
25:01 - 25:03

but possibly ineffective if the
25:03 - 25:05

computers had already applied the patch
25:05 - 25:08

that microsoft released
25:08 - 25:10

eternal blue is still in the wild and
25:10 - 25:11

variants of wannacry have since then
25:11 - 25:13

surfaced like ui wix
25:13 - 25:15

which did not come with a kill switch
25:15 - 25:17

and addressed the bitcoin payment issue
25:17 - 25:18

by assigning a new address for each
25:18 - 25:20

victim to collect payment
25:20 - 25:22

therefore easily allowing to track the
25:22 - 25:24

payment back to the victim
25:24 - 25:26

however since it did not have an
25:26 - 25:28

automatic worm-like functionality that
25:28 - 25:29

wannacry exhibited
25:29 - 25:32

it did not pose much of a threat the
25:32 - 25:35

impact of wannacry is still seen today
25:35 - 25:37

trend micros data clearly indicates that
25:37 - 25:39

wannacry was the most detected malware
25:39 - 25:40

family in 2020
25:40 - 25:42

thanks to its vulnerable nature and
25:42 - 25:44

f-secure reports that the most seen type
25:44 - 25:46

of exploit is against the smb version 1
25:46 - 25:47

vulnerability
25:47 - 25:50

using eternal blue the fact that
25:50 - 25:51

attackers still continue to try and
25:51 - 25:52

exploit this
25:52 - 25:54

must mean that there are organizations
25:54 - 25:56

out there who have not patched against
25:56 - 26:12

this vulnerability
26:16 - 26:18

four years after the attack there is
26:18 - 26:20

still no confirmed identity of the
26:20 - 26:22

creators of the wannacry
26:22 - 26:24

there have been accusations towards the
26:24 - 26:25

lazarus group
26:25 - 26:27

who has strong links to north korea
26:27 - 26:28

however
26:28 - 26:32

this is nothing more than hearsay so
26:32 - 26:34

who is to blame for the catastrophic
26:34 - 26:36

damage of wannacry
26:36 - 26:37

is it the nsa who should not have
26:37 - 26:39

stockpiled exploits without alerting the
26:39 - 26:41

necessary entities about the
26:41 - 26:42

vulnerabilities
26:42 - 26:44

is it the shadow brokers who took
26:44 - 26:46

advantage of this stole and released it
26:46 - 26:48

into the wild
26:48 - 26:50

is it the developers of wannacry or is
26:50 - 26:52

it the fault of microsoft who did not
26:52 - 26:54

identify this vulnerability
26:54 - 26:57

sooner while all of this might be true
26:57 - 26:58

to some extent
26:58 - 27:00

at the end of the day the actions these
27:00 - 27:02

organizations take are largely out of
27:02 - 27:04

the control of the public
27:04 - 27:06

and business owners who are usually the
27:06 - 27:08

victims of the attack
27:08 - 27:10

regardless of what we claim the solution
27:10 - 27:12

is very simple
27:12 - 27:13

make sure we follow the guidelines to
27:13 - 27:15

have our data secured
27:15 - 27:17

the most crucial of it is to have a
27:17 - 27:19

consistent schedule for updating our
27:19 - 27:20

devices
27:20 - 27:23

and to obviously not use outdated
27:23 - 27:25

operating systems that put
27:25 - 27:27

employee and customer data and their
27:27 - 27:29

privacy at huge risks
27:29 - 27:31

when it comes to ransomware the most
27:31 - 27:33

crucial form of defense is frequent
27:33 - 27:35

backup the more frequent it is
27:35 - 27:38

the better less than 50 of ransomware
27:38 - 27:40

payments actually result in the data
27:40 - 27:41

being returned to the victims
27:41 - 27:43

and so needless to say payment should
27:43 - 27:44

not be an option
27:44 - 27:46

lest your goal is to lose money and your
27:46 - 27:48

data as well
27:48 - 27:50

the biggest mistake that organizations
27:50 - 27:52

tend to make is refusing to believe that
27:52 - 27:54

they would be a target
27:54 - 27:55

according to a study by cloudwords in
27:55 - 27:57

2021
27:57 - 27:59

every 11 seconds a company is hit by
27:59 - 28:01

ransomware and a large proportion of
28:01 - 28:02

organizations are small
28:02 - 28:04

to medium-sized businesses that never
28:04 - 28:06

see it coming as they're often found to
28:06 - 28:08

have less than effective security
28:08 - 28:09

strategies in place
28:09 - 28:10

making them ideal targets for such
28:10 - 28:12

attacks
28:12 - 28:13

digital transformation during the
28:13 - 28:15

coronavirus pandemic has started to move
28:15 - 28:17

businesses to the cloud
28:17 - 28:19

and so cyber criminals have now shifted
28:19 - 28:21

their focus to the cloud as well
28:21 - 28:22

giving them an entirely new attack
28:22 - 28:24

surface to work with
28:24 - 28:26

the cost of ransomware is said to top 20
28:26 - 28:29

billion dollars by the end of 2021
28:29 - 28:32

and that is ransomware alone by 2025
28:32 - 28:34

cyber security ventures estimates that
28:34 - 28:36

cyber crime will cost businesses
28:36 - 28:39

10.5 trillion dollars annually
28:39 - 28:41

which would amount to just 2 trillion
28:41 - 28:43

short of china's economy
28:43 - 28:46

the second biggest economy in the world
28:46 - 28:46

we
28:46 - 28:48

are headed towards bigger and more
28:48 - 28:51

destructive attacks than wannacry
28:51 - 28:53

and our most reliable defense is our
28:53 - 28:54

awareness
28:54 - 28:57

and our action to better protect
28:57 - 29:14

ourselves thank you for watching
29:16 - 29:19

[Music]
29:25 - 29:28

me
29:31 - 29:33

[Applause]
29:33 - 29:44

[Music]
29:47 - 29:51

[Music]
29:51 - 29:53

you

Title:: WANNACRY: The World's Largest Ransomware Attack (Documentary)
Description:: more » « less
Video Language:: English
Duration:: 29:52

	OEVIDEOS edited English subtitles for WANNACRY: The World's Largest Ransomware Attack (Documentary)
	OEVIDEOS edited English subtitles for WANNACRY: The World's Largest Ransomware Attack (Documentary)
	OEVIDEOS edited English subtitles for WANNACRY: The World's Largest Ransomware Attack (Documentary)
	OEVIDEOS edited English subtitles for WANNACRY: The World's Largest Ransomware Attack (Documentary)
	OEVIDEOS edited English subtitles for WANNACRY: The World's Largest Ransomware Attack (Documentary)
	OEVIDEOS edited English subtitles for WANNACRY: The World's Largest Ransomware Attack (Documentary)
	OEVIDEOS edited English subtitles for WANNACRY: The World's Largest Ransomware Attack (Documentary)
	OEVIDEOS edited English subtitles for WANNACRY: The World's Largest Ransomware Attack (Documentary)

Show all

English subtitles

Revisions Compare revisions

Revision 9 Edited

OEVIDEOS
Revision 8 Edited

OEVIDEOS
Revision 7 Edited

OEVIDEOS
Revision 6 Edited

OEVIDEOS
Revision 5 Edited

OEVIDEOS
Revision 4 Edited

OEVIDEOS
Revision 3 Edited

OEVIDEOS
Revision 2 Edited

OEVIDEOS
Revision 1 Uploaded

OEVIDEOS

	Revision Number	Author	Created
	9	OEVIDEOS
	8	OEVIDEOS
	7	OEVIDEOS
	6	OEVIDEOS
	5	OEVIDEOS
	4	OEVIDEOS
	3	OEVIDEOS
	2	OEVIDEOS
	1	OEVIDEOS

WANNACRY: The World's Largest Ransomware Attack (Documentary)

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)