WANNACRY: The World's Largest Ransomware Attack (Documentary)

Rollback to version 8

0:00 - 0:09

[Music]
0:11 - 0:14

A small note before we start,
0:14 - 0:16

as much as this video is meant to be a
0:16 - 0:17

storytelling experience,
0:17 - 0:19

I have also intended it to be
0:19 - 0:21

educational,
0:21 - 0:22

and so, I have coupled the story along
0:22 - 0:24

with how some of these attacks and
0:24 - 0:26

technologies work.
0:26 - 0:28

This is my first documentary style video,
0:28 - 0:31

and so I appreciate any and all feedback
0:31 - 0:33

in the comments below.
0:33 - 0:36

I really hope you enjoy, and hopefully,
0:36 - 0:39

learn a few new things.
0:41 - 0:43

Right now, a crippling cyberattack has
0:43 - 0:45

businesses around the world
0:45 - 0:48

on high alert. The ransomware known as
0:48 - 0:49

WannaCry-
0:49 - 0:50

We want to move on to the other developing
0:50 - 0:52

story this morning, the global cyberattack-
0:52 - 0:54

The national security agency
0:54 - 0:57

developed this software and it's now
0:57 - 0:58

being used by criminals
0:58 - 1:00

around the world to demand ransom.
1:00 - 1:02

Security experts say this is one
1:02 - 1:03

of the worst and most
1:03 - 1:05

widespread pieces of malware they've
1:05 - 1:07

ever seen-
1:07 - 1:14

[Music]
1:16 - 1:19

[Typing]
1:20 - 1:23

In May of 2017, a worldwide cyberattack
1:23 - 1:25

by the name of WannaCry
1:25 - 1:28

shot for WannaCryptor, impacted over 150
1:28 - 1:29

countries,
1:29 - 1:31

and hit around 230,000 computers
1:31 - 1:33

globally.
1:33 - 1:35

Needless to say it became known as one
1:35 - 1:37

of the biggest ransomware attacks in
1:37 - 1:38

history.
1:38 - 1:41

Let's start at the very beginning. On the
1:41 - 1:43

morning of the 12th of May, 2017,
1:43 - 1:45

according to Akamai, the content delivery
1:45 - 1:46

network,
1:46 - 1:49

this was the timeline. Reportedly the
1:49 - 1:51

first case identified originated from a
1:51 - 1:54

Southeast Asian ISP which was detected
1:54 - 1:56

at 7:44 am UTC.
1:57 - 1:58

Over the next hour, there were cases
1:58 - 2:00

seen from Latin America,
2:00 - 2:03

then the Continental Europe and UK, then
2:03 - 2:07

Brazil and Argentinian ISPs until at 12:39 pm
2:07 - 2:09

UTC, 74%
2:09 - 2:13

of all ISPs in Asia were affected. And by
2:13 - 2:15

3:28 pm UTC,
2:15 - 2:18

the ransomware had taken hold of 65%
2:18 - 2:21

of Latin American ISPs.
2:21 - 2:23

WannaCry was spreading and at an
2:23 - 2:25

incredible rate.
2:25 - 2:26

Prior to this, such a quick and
2:26 - 2:29

widespread ransomware was unheard of.
2:29 - 2:31

A lot of organizations, unable to recover
2:31 - 2:32

their losses,
2:32 - 2:35

were forced to permanently shut down.
2:35 - 2:36

Some had to put a pause on their
2:36 - 2:38

networks and services, and reported huge
2:38 - 2:39

losses,
2:39 - 2:42

some in millions of dollars. The attack
2:42 - 2:45

did not discriminate. Small to
2:45 - 2:46

medium-sized businesses,
2:46 - 2:49

large enterprises, the private sector, the
2:49 - 2:50

public sector,
2:50 - 2:53

railways, healthcare, banks, malls,
2:53 - 2:53

ministries,
2:53 - 2:57

police, energy companies, ISPs, and there
2:57 - 2:57

just seemed to be
2:57 - 3:01

no end to the victims. Within few hours,
3:01 - 3:03

it had spread to over 11 countries,
3:03 - 3:04

and by the end of the first day of the
3:04 - 3:06

attack, the ransomware had been
3:06 - 3:08

encountered in 74 countries
3:08 - 3:10

within thousands and thousands of
3:10 - 3:12

organizations.
3:12 - 3:15

And so it begged the question, how much
3:15 - 3:17

damage will this really cause over the
3:17 - 3:18

next few days
3:18 - 3:20

or weeks or months if no solution
3:20 - 3:23

presents itself?
3:23 - 3:26

Your service has been temporarily disconnected.
3:27 - 3:30

[Typing]
3:31 - 3:33

[Music]
3:33 - 3:36

Ransomware works in a very simple manner.
3:36 - 3:38

It is a type of malware most commonly
3:38 - 3:40

spread through phishing attacks,
3:40 - 3:42

which are essentially emails used to
3:42 - 3:44

trick a user into clicking a link that
3:44 - 3:46

leads them to a website
3:46 - 3:48

where they enter sensitive data, or to
3:48 - 3:50

download attachments which if executed
3:50 - 3:52

will infect the computer.
3:52 - 3:54

Although initially suspected, WannaCry
3:54 - 3:57

did not originate from a phishing attack,
3:57 - 3:59

but we'll get to that later.
3:59 - 4:01

Once a computer is infected,
4:01 - 4:03

the ransomware runs an encryption
4:03 - 4:05

process, and usually in less than a
4:05 - 4:06

minute,
4:06 - 4:09

some or all the files depending on what
4:09 - 4:11

the ransomware is meant to affect in the
4:11 - 4:12

user's computer
4:12 - 4:14

is converted from plain text to
4:14 - 4:16

ciphertext.
4:16 - 4:18

Plain text is readable or comprehensible
4:18 - 4:19

data,
4:19 - 4:21

and ciphertext is unintelligible
4:21 - 4:23

gibberish.
4:23 - 4:25

In order to turn this back into plain
4:25 - 4:27

text, the user will need what is known as
4:27 - 4:29

a decryption key,
4:29 - 4:31

which the attacker promises to provide
4:31 - 4:35

if the user were to pay the ransom.
4:35 - 4:37

What makes ransomware so dreadful is
4:37 - 4:39

that once your files have been encrypted,
4:39 - 4:41

you can't exactly decrypt it and
4:41 - 4:43

retrieve your data.
4:43 - 4:45

Well, you can, but with the current
4:45 - 4:47

technology we have, to break common
4:47 - 4:49

encryption algorithms used in ransomware
4:49 - 4:50

attacks
4:50 - 4:53

such as the RSA, it would take millions
4:53 - 4:56

to billions to trillions of years.
4:56 - 5:00

[Music]
5:01 - 5:03

[Typing]
5:04 - 5:05

This is what you'd see if you were to
5:05 - 5:07

become infected with the WannaCry
5:07 - 5:09

ransomware.
5:09 - 5:10

In addition to this intimidating
5:10 - 5:12

wallpaper, your documents,
5:12 - 5:16

spreadsheets, images, videos,
5:16 - 5:19

music, and most everyday productivity and
5:19 - 5:21

multimedia files become encrypted,
5:21 - 5:23

essentially being held hostage till the
5:23 - 5:26

ransom payment has been made.
5:27 - 5:29

The Wanna Decryptor 2.0 comes with a set
5:29 - 5:30

of instructions
5:30 - 5:32

and in 28 different languages for
5:32 - 5:34

victims to follow in order to recover
5:34 - 5:35

their files.
5:35 - 5:38

The attackers demanded for $300 worth of
5:38 - 5:39

bitcoin,
5:39 - 5:41

and after three days it would be updated to
5:41 - 5:42

$600.
5:42 - 5:44

If the payment were to be made seven
5:44 - 5:46

days after the infection, the files would
5:46 - 5:48

be recoverable.
5:48 - 5:50

However, despite this, they also go on to
5:50 - 5:52

state that they will return the files
5:52 - 5:55

for free to "Users who are so poor
5:55 - 5:57

that they couldn't pay"
5:57 - 5:59

after six months. The method of
5:59 - 6:00

payment,
6:00 - 6:01

bitcoin.
6:01 - 6:04

[Music]
6:04 - 6:06

The reason the attackers chose bitcoin
6:06 - 6:08

was because it is what we know
6:08 - 6:10

as a private cryptocurrency. This allows
6:10 - 6:12

the holder of the currency to remain
6:12 - 6:13

anonymous.
6:13 - 6:15

Though the money could be traced to a
6:15 - 6:17

cryptocurrency wallet, which is where the
6:17 - 6:18

currency itself is stored,
6:18 - 6:20

it would be exponentially difficult to
6:20 - 6:21

find the owner of the wallet without
6:21 - 6:24

extensive forensic analysis.
6:24 - 6:27

This is the reason that bitcoin is used
6:27 - 6:28

widely in the dark web
6:28 - 6:31

to purchase guns, drugs, and other illegal
6:31 - 6:32

goods and services that for obvious
6:32 - 6:33

reasons,
6:33 - 6:35

you would not be able to find on the
6:35 - 6:36

surface web.
6:39 - 6:43

[Typing]
6:48 - 6:50

The problem with WannaCry and what made it
6:50 - 6:52

exponentially more dangerous than your
6:52 - 6:53

average ransomware
6:53 - 6:56

was its propagating capabilities.
6:56 - 6:58

But to understand this fully, we need to
6:58 - 7:00

go back in time a little bit
7:00 - 7:04

to 2016. In August of 2016, the equation
7:04 - 7:06

group, suspected to have ties with the
7:06 - 7:08

National Security Agency's tailored
7:08 - 7:09

operations unit,
7:09 - 7:11

and described by Kaspersky as one of the
7:11 - 7:13

most sophisticated cyberattack groups
7:13 - 7:14

in the world,
7:14 - 7:16

was said to be hacked by a group called
7:16 - 7:18

the shadow brokers.
7:18 - 7:20

In this hack, disks full of the NSA's
7:20 - 7:22

secrets were stolen.
7:23 - 7:25

This was bad because the NSA houses what
7:25 - 7:28

we know as Nation State Attacks
7:28 - 7:30

which are exploits or hacking tools that
7:30 - 7:31

are used to carry out a hack for their
7:31 - 7:32

home country
7:32 - 7:35

against another country. The NSA would
7:35 - 7:37

essentially recruit a skilled hacker and
7:37 - 7:39

give them a license to hack
7:39 - 7:41

which means if they did carry it out, it
7:41 - 7:43

wouldn't be illegal
7:43 - 7:45

at least in that country, and the hacker
7:45 - 7:47

would not be charged.
7:49 - 7:51

The danger here is that the Nation State
7:51 - 7:52

Tools in itself are usually pretty
7:52 - 7:53

effective,
7:53 - 7:55

especially considering they are to be
7:55 - 7:57

used as weapons against entire states
7:57 - 7:58

and countries.
8:00 - 8:04

[Music]
8:04 - 8:05

The NSA is said to have discovered a
8:05 - 8:07

multitude of other vulnerabilities in
8:07 - 8:08

the Windows OS
8:08 - 8:11

as early as 2013, but was speculated to
8:11 - 8:13

have developed exploits secretly and
8:13 - 8:15

stockpile them,
8:15 - 8:17

rather than reporting it to Microsoft or
8:17 - 8:18

the InfoSec community,
8:18 - 8:20

so that they could weaponize it and
8:20 - 8:22

utilize them in their nation state and
8:22 - 8:24

other attacks.
8:25 - 8:27

The shadow brokers would go on to
8:27 - 8:29

auction off some of these tools that
8:29 - 8:30

were developed,
8:30 - 8:32

but due to skepticism online on whether
8:32 - 8:34

the hackers really did have files as
8:34 - 8:36

dangerous as they had claimed,
8:36 - 8:38

this would essentially go on to become a
8:38 - 8:41

catastrophic failure.
8:41 - 8:42

We can talk quite a bit about the shadow
8:42 - 8:45

brokers. The story is itself worth
8:45 - 8:47

examining individually and maybe even on
8:47 - 8:48

a separate video,
8:48 - 8:50

but let's narrow our focus down to the
8:50 - 8:52

leak that made WannaCry possible
8:52 - 8:54

which at that point was the fifth leak
8:54 - 8:56

by the group and was said to be the most
8:56 - 8:59

damaging one yet.
8:59 - 9:02

On April 14, 2017, the shadow brokers
9:02 - 9:04

would post a tweet that linked to their
9:04 - 9:05

Steem blockchain
9:05 - 9:09

on a post titled lost in translation.
9:09 - 9:10

This leak contained files from the
9:10 - 9:12

initial failed auction which they now
9:12 - 9:14

decided to release to the public
9:14 - 9:18

for free. The description accompanying
9:18 - 9:20

the leaked files doesn't really contain
9:20 - 9:21

much worth noting.
9:21 - 9:23

As always the shadow brokers would use
9:23 - 9:25

broken, but still somewhat comprehensible
9:25 - 9:26

English.
9:26 - 9:28

However, this is widely speculated not to
9:28 - 9:30

speak to their proficiency in the
9:30 - 9:31

language,
9:31 - 9:32

but rather an attempt to mislead
9:32 - 9:34

analysts and prevent them from yielding
9:34 - 9:36

any results regarding their identity
9:36 - 9:40

characterized by how they type.
9:40 - 9:41

The link, which has now been taken down,
9:41 - 9:43

takes you to an archive filled with a
9:43 - 9:45

number of Windows exploits developed by
9:45 - 9:46

the NSA.
9:46 - 9:48

It did contain many other valuable tools
9:48 - 9:49

worth examining,
9:49 - 9:51

but the ones relevant to our story and
9:51 - 9:53

what made a regular ransomware so
9:53 - 9:54

destructive
9:54 - 9:57

were the payload, Doublepulsar and the
9:57 - 9:59

now infamous exploit used in the
9:59 - 10:00

WannaCry attack,
10:00 - 10:01

Eternalblue.
10:01 - 10:06

[Music]
10:08 - 10:11

[Typing]
10:15 - 10:19

Server Message Block version 1 or SMBv1
10:19 - 10:21

is a network communication protocol
10:21 - 10:24

which was developed in 1983.
10:24 - 10:25

The function of this protocol would be
10:25 - 10:27

to allow one Windows computer to
10:27 - 10:29

communicate with another
10:29 - 10:31

and share files and printers on a local
10:31 - 10:32

network.
10:32 - 10:35

However, SMB version 1 had a critical
10:35 - 10:36

vulnerability
10:36 - 10:39

which allowed for what is known as a
10:39 - 10:42

Remote Arbitrary Code Execution
10:42 - 10:43

in which an attacker would be able to
10:43 - 10:45

execute whatever code that they'd like
10:45 - 10:48

on their target or victim's computer
10:48 - 10:49

over the Internet
10:49 - 10:52

usually with malicious intent. The
10:52 - 10:53

function of Eternalblue was to take
10:53 - 10:56

advantage of this vulnerability.
10:56 - 10:58

Essentially, and I'm going to try and strip
10:58 - 11:00

it down to simplify it as much as
11:00 - 11:01

possible,
11:01 - 11:03

when the shadow brokers first leaked the
11:03 - 11:04

NSA tools,
11:04 - 11:06

hackers took this opportunity to install
11:06 - 11:08

Doublepulsar
11:08 - 11:09

which is a tool which opens what we
11:09 - 11:11

commonly know in security
11:11 - 11:14

as a backdoor. Backdoors allows hackers
11:14 - 11:17

to create an entry point into the system
11:17 - 11:19

or a network of systems and gain easy
11:19 - 11:21

access later on.
11:21 - 11:23

The initial infection of WannaCry is not
11:23 - 11:24

known,
11:24 - 11:26

but it is speculated that the attackers
11:26 - 11:27

took advantage of the backdoor to
11:27 - 11:29

deliver the payload.
11:29 - 11:30

The payload in this case is the
11:30 - 11:33

ransomware WannaCry.
11:33 - 11:34

When a computer is infected with
11:34 - 11:36

WannaCry, oddly
11:36 - 11:37

it then tries to connect to the
11:37 - 11:40

following unregistered domain
11:40 - 11:42

which is basically a random string of
11:42 - 11:43

numbers and letters.
11:43 - 11:45

If it cannot establish a connection to
11:45 - 11:48

this domain, then the real damage begins.
11:48 - 11:51

It scans for port 445 on the network
11:51 - 11:53

which is the port that is used to host
11:53 - 11:54

SMB version 1,
11:54 - 11:56

and if the port is deemed to be open, it
11:56 - 11:58

would then proceed to spread to that
11:58 - 11:59

computer.
12:00 - 12:02

This is how it propagated so quickly.
12:03 - 12:05

Whether the other users in the network
12:05 - 12:07

actually downloaded or clicked on
12:07 - 12:08

anything malicious,
12:08 - 12:10

regardless, they would be infected, and in
12:10 - 12:12

seconds all their data would be
12:12 - 12:13

encrypted.
12:14 - 12:17

So the damage came in two parts, the
12:17 - 12:19

ransomware that encrypts the data
12:19 - 12:21

and the worm-like component that is used
12:21 - 12:22

to spread the ransomware to any
12:22 - 12:23

connected,
12:23 - 12:26

vulnerable devices in the network as a
12:26 - 12:29

result of Eternalblue and Doublepulsar.
12:29 - 12:31

The attack only affected Windows systems,
12:31 - 12:33

mainly targeting Windows XP,
12:33 - 12:36

Vista, Windows 7, Windows 8, and Windows
12:36 - 12:38

10.
12:38 - 12:40

However, a month prior to the leak by the
12:40 - 12:42

shadow brokers on March 14, 2017,
12:42 - 12:44

Microsoft was made aware of this
12:44 - 12:46

vulnerability after it was publicly
12:46 - 12:47

reported
12:47 - 12:50

almost five years after its discovery.
12:50 - 12:52

Microsoft then released a critical patch
12:52 - 12:54

to fix this vulnerability,
12:54 - 12:57

MS17-010.
12:57 - 13:00

However, despite the release of the patch,
13:00 - 13:02

a significant number of organizations
13:02 - 13:03

never updated their systems,
13:03 - 13:06

and unfortunately there were still major
13:06 - 13:08

organizations running Windows XP
13:08 - 13:12

or Server 2003. These devices were at end
13:12 - 13:13

of support
13:13 - 13:15

which means that even if updates were
13:15 - 13:17

out, they would not receive them
13:17 - 13:18

and be completely vulnerable to the
13:18 - 13:20

exploit.
13:21 - 13:22

If you want to know more about the
13:22 - 13:24

vulnerability that the Eternalblue
13:24 - 13:25

exploited,
13:25 - 13:26

it is now logged in the national
13:26 - 13:28

vulnerability database
13:28 - 13:32

as CVE-2017-0144
13:32 - 13:36

[Music]
13:38 - 13:41

[Typing]
13:48 - 13:51

Marcus Hutchins, also known online by his
13:51 - 13:52

alias MalwareTech,
13:52 - 13:54

was a 23 year old British security
13:54 - 13:56

researcher at Kryptos Logic
13:56 - 14:00

in LA. After returning from lunch with a
14:00 - 14:02

friend on the afternoon of the attack,
14:02 - 14:04

he found himself scouring messaging
14:04 - 14:05

boards where he came across
14:05 - 14:08

news of a ransomware rapidly taking down
14:08 - 14:10

systems in the National Health Service
14:10 - 14:14

or NHS all over the UK.
14:14 - 14:15

Hutchins, who found it odd that the
14:15 - 14:17

ransomware was consistently affecting so
14:17 - 14:18

many devices,
14:18 - 14:20

concluded that the attack was probably a
14:20 - 14:22

computer worm and not just
14:22 - 14:25

a simple ransomware. He quickly requested
14:25 - 14:27

one of his friends to pass him a sample
14:27 - 14:28

of the malware
14:28 - 14:30

so that he could examine it and reverse
14:30 - 14:32

engineer it to analyze exactly how it
14:32 - 14:33

worked.
14:33 - 14:35

Once he had gotten his hands on the
14:35 - 14:36

malware sample,
14:36 - 14:38

he had run it using a virtual
14:38 - 14:40

environment with fake files
14:40 - 14:42

and found out that it was trying to
14:42 - 14:44

connect to an unregistered domain,
14:44 - 14:48

which we discussed earlier in Chapter 4.
14:48 - 14:50

Hutchins would go on to register this
14:50 - 14:54

domain for only $10.69,
14:54 - 14:55

which unbeknownst to him,
14:55 - 14:57

would actually halt the wannacry
14:57 - 14:59

infection.
14:59 - 15:00

He would later admit in a tweet that
15:00 - 15:03

same day that the domain registration
15:03 - 15:04

leading to a pause in the rapid
15:04 - 15:05

infection
15:05 - 15:08

was indeed an accident dubbing Marcus
15:08 - 15:09

Hutchins
15:09 - 15:13

as the accidental hero.
15:13 - 15:17

[Music]
15:18 - 15:23

[Music]
15:23 - 15:26

To Hutchins, taking control of
15:26 - 15:28

unregistered domains was just a part of
15:28 - 15:29

his workflow
15:29 - 15:30

when it came to stopping botnets and
15:30 - 15:32

tracking malware.
15:32 - 15:34

This was so that he could get further
15:34 - 15:36

insight into how the malware or botnets
15:36 - 15:37

were spreading.
15:37 - 15:39

For those of you unaware of what a
15:39 - 15:41

botnet is, it is essentially a group of
15:41 - 15:43

computers that have been hijacked by
15:43 - 15:44

malicious actors
15:44 - 15:46

or hackers in order to be used in their
15:46 - 15:47

attacks to drive
15:47 - 15:51

excess network traffic or steal data.
15:51 - 15:52

One computer that has been hijacked is
15:52 - 15:55

called a bot and a network of them
15:55 - 15:58

is called a botnet, however,
15:58 - 16:00

since, as we discussed earlier, the attack
16:00 - 16:02

only executes if it's unable to reach
16:02 - 16:05

the domains that it checks for.
16:05 - 16:07

Think of it as a simple if then
16:07 - 16:08

statement.
16:08 - 16:10

If the infection cannot connect to x
16:10 - 16:13

domain, then proceed with the infection.
16:13 - 16:17

If it can reach x domain, stop the attack.
16:17 - 16:18

And so the malware being able to connect
16:18 - 16:20

to the domain was known as the kill
16:20 - 16:21

switch,
16:21 - 16:23

the big red button that stops the attack
16:23 - 16:26

from spreading any further.
16:26 - 16:28

But why would the attackers implement a
16:28 - 16:30

kill switch at all?
16:30 - 16:32

The first theory is that the creators of
16:32 - 16:34

WannaCry wanted a way to stop the attack
16:34 - 16:36

if it ever got out of hand or had any
16:36 - 16:39

unintentional effects.
16:39 - 16:40

The second and the most likely theory
16:40 - 16:42

proposed by Hutchins and other security
16:42 - 16:44

researchers
16:44 - 16:45

was that the kill switch was present in
16:45 - 16:47

order to prevent researchers from
16:47 - 16:49

looking into the behavior of WannaCry
16:49 - 16:51

if it was being executed within what is
16:51 - 16:52

known in security
16:52 - 16:56

as a sandbox. A sandbox is usually a
16:56 - 16:58

virtual computer that is used to run
16:58 - 16:59

malware.
16:59 - 17:00

It is a contained environment with
17:00 - 17:02

measures that have been taken to not
17:02 - 17:05

infect any important files or spread to
17:05 - 17:06

other networks,
17:06 - 17:08

much like what I used in Chapter 2 to
17:08 - 17:10

demonstrate the WannaCry ransomware.
17:12 - 17:14

Researchers use these sandboxes to run
17:14 - 17:16

malware and then use tools to determine
17:16 - 17:18

the behavior of the attack.
17:18 - 17:20

This is what Hutchins did with fake
17:20 - 17:23

files as well.
17:23 - 17:25

So the intent behind this kill switch
17:25 - 17:26

was to destroy the ransomware if it
17:26 - 17:29

existed within a sandbox environment,
17:29 - 17:31

again, since they didn't want researchers
17:31 - 17:32

to be able to analyze exactly how it
17:32 - 17:34

worked.
17:34 - 17:36

However, since the attackers used a
17:36 - 17:37

static domain,
17:37 - 17:39

a domain name that did not change for
17:39 - 17:41

each infection, instead of using
17:41 - 17:43

dynamically generated domain names
17:43 - 17:45

like other renditions of this concept
17:45 - 17:46

would usually do,
17:46 - 17:48

the WannaCry infections around the world
17:48 - 17:50

believed that it was being analyzed in a
17:50 - 17:52

sandbox environment
17:52 - 17:54

and essentially killed itself since
17:54 - 17:56

every single infection was trying to reach
17:56 - 17:59

one single hard-coded domain, and now
17:59 - 18:01

they could after Hutchins had purchased
18:01 - 18:03

it and put it online.
18:03 - 18:05

If it had been a randomly generated
18:05 - 18:06

domain name,
18:06 - 18:08

then the infection would only have
18:08 - 18:10

removed itself from Hutchins's sandbox
18:10 - 18:11

environment
18:11 - 18:12

because the domain he registered would
18:12 - 18:14

be unique to him and would not
18:14 - 18:17

affect anyone else. This
18:17 - 18:20

seems to be an amateur mistake. So
18:20 - 18:22

amateur in fact, that the researchers
18:22 - 18:24

have speculated that maybe the intent of
18:24 - 18:25

the attackers
18:25 - 18:28

was not monetary gain, but rather a more
18:28 - 18:29

political intention
18:29 - 18:32

such as to bring shame to the NSA.
18:32 - 18:32

However,
18:32 - 18:34

to this date, there is nothing that
18:34 - 18:36

confirms nor denies the motive
18:36 - 18:38

of the WannaCry attack.
18:38 - 18:44

[Music]
18:46 - 18:51

[Music]
18:51 - 18:53

The rapid infection had seemed to stop,
18:53 - 18:55

but for Hutchins or MalwareTech and his
18:55 - 18:59

team, the nightmare had only just begun.
18:59 - 19:00

Less than an hour from when he had
19:00 - 19:03

activated the domain, it was under attack.
19:03 - 19:05

The motive of the attackers were to use
19:05 - 19:07

the Mirai botnet to host a distributed
19:07 - 19:09

denial of service attack,
19:09 - 19:11

also known as DDoS, to shut down the
19:11 - 19:13

domain so that it would be unreachable
19:13 - 19:16

once again and all the halted infections
19:16 - 19:18

would resume.
19:18 - 19:20

A DDoS attack is usually performed to
19:20 - 19:21

flood a domain with
19:21 - 19:23

junk traffic 'till it can't handle
19:23 - 19:26

anymore and is driven offline.
19:26 - 19:28

The Mirai botnet that the attackers were
19:28 - 19:30

employing was previously used in one of
19:30 - 19:32

the largest ever DDoS attacks
19:32 - 19:34

and was comprised of hundreds and
19:34 - 19:36

thousands of devices.
19:36 - 19:38

The haunting realization that they were
19:38 - 19:39

the wall between a flood of infections
19:39 - 19:41

that was currently being blocked
19:41 - 19:43

slowly dawned on Hutchins and the other
19:43 - 19:46

researchers working on the case.
19:46 - 19:48

They eventually dealt with the issue by
19:48 - 19:50

taking the site to a cached version
19:50 - 19:52

which was capable of handling a much
19:52 - 19:55

higher traffic load than a live site.
19:55 - 19:57

Two days after the domain went live, the
19:57 - 19:59

data showed that two million infections
19:59 - 20:00

had been halted
20:00 - 20:02

showing us what the extent of the damage
20:02 - 20:04

could have been if it was not for the
20:04 - 20:06

discovery of the kill switch.
20:20 - 20:25

[Music]
20:25 - 20:28

Marcus Hutchins's story does not stop here.
20:28 - 20:30

He would go on to be named as a
20:30 - 20:32

cybercrime hero,
20:32 - 20:34

a title which he didn't enjoy as it
20:34 - 20:37

would bring to him unwanted attention,
20:37 - 20:38

people trying to piece together his
20:38 - 20:40

address, media camping outside of his
20:40 - 20:41

house,
20:41 - 20:43

and in addition to all of this, he was
20:43 - 20:45

still under the pressure of the domain
20:45 - 20:47

going offline any minute and wreaking
20:47 - 20:48

havoc.
20:48 - 20:50

However, he was able to get through these
20:50 - 20:53

weary days and sleepless nights
20:53 - 20:57

only to be thrown back into chaos.
20:57 - 20:59

Three months after the WannaCry attack,
20:59 - 21:02

in August of 2017,
21:02 - 21:04

Marcus Hutchins, after partying in Vegas
21:04 - 21:05

for a week and a half
21:05 - 21:08

during DEFCON, a hacker convention, was
21:08 - 21:10

arrested in the airport by the FBI on
21:10 - 21:12

his way back home.
21:12 - 21:14

It seemed that Hutchins in his teenage
21:14 - 21:15

years had developed a malware named
21:15 - 21:16

Kronos
21:16 - 21:19

that would steal banking credentials. He
21:19 - 21:20

would go on to sell this malware to
21:20 - 21:22

multiple individuals with the help of
21:22 - 21:23

someone he met online
21:23 - 21:27

named Vinny K. Kronos is still an
21:27 - 21:31

ongoing threat to banks around the world.
21:31 - 21:33

Hutchins initially battled the charges
21:33 - 21:34

with a non-guilty plea,
21:34 - 21:36

but after a long and exhausting ordeal
21:36 - 21:38

that lasted for years,
21:38 - 21:41

in April 2019, he took a plea deal that
21:41 - 21:42

would essentially dismiss
21:42 - 21:45

all but two counts set against him,
21:45 - 21:48

conspiracy to defraud the united states
21:48 - 21:49

and actively marketing the kronos
21:49 - 21:51

malware.
21:51 - 21:53

He faced the possibility of a maximum
21:53 - 21:55

prison sentence of ten years,
21:55 - 21:57

but because of his contribution towards
21:57 - 21:59

WannaCry and as the community had
21:59 - 22:00

constantly pointed out
22:00 - 22:02

his active involvement in defending the
22:02 - 22:04

world against cyber attacks,
22:04 - 22:08

the judge ruled in his favor. He was then
22:08 - 22:08

released
22:08 - 22:11

with zero jail time and is now a free
22:11 - 22:11

man.
22:16 - 22:20

[Typing]
22:23 - 22:27

[Music]
22:27 - 22:29

As stated before, the WannaCry attack
22:29 - 22:31

impacted over 150 countries
22:31 - 22:34

and approximately 230,000 computers
22:34 - 22:35

globally.
22:35 - 22:38

Russia was the most severely infected
22:38 - 22:40

with over half the affected computers.
22:40 - 22:43

India, Ukraine, and Taiwan also suffered
22:43 - 22:45

significant disruption.
22:49 - 22:51

The most popular victim to emerge out of
22:51 - 22:52

the attacks were the UK's National
22:52 - 22:53

Health Service
22:53 - 22:57

or the NHS. In the NHS, over 70,000
22:57 - 22:59

devices such as computers,
22:59 - 23:02

MRI scanners, devices used to test blood,
23:02 - 23:05

theater equipment, and over 1200 pieces
23:05 - 23:10

of diagnostic equipment were affected.
23:10 - 23:12

Approximately, the attack cost the NHS
23:12 - 23:14

over 92 million euros,
23:14 - 23:16

and globally, the cost amounted to
23:16 - 23:18

somewhere between four and eight billion
23:18 - 23:20

dollars.
23:20 - 23:21

You'd think that the attackers who
23:21 - 23:23

launched WannaCry would have made a
23:23 - 23:24

decent amount considering how many
23:24 - 23:25

countries
23:25 - 23:28

and devices were affected, however, as of
23:28 - 23:30

June 14, 2017,
23:30 - 23:33

when the attacks had begun to subside,
23:33 - 23:39

they had only made $130,634.77.
23:39 - 23:41

Victims were urged not to pay the ransom
23:41 - 23:43

since not only did it encourage the
23:43 - 23:44

hackers,
23:44 - 23:45

but it also did not guarantee the return
23:45 - 23:48

of their data due to skepticism of
23:48 - 23:49

whether the attackers could actually
23:49 - 23:50

place the paid ransom
23:50 - 23:53

to the correct victim. This was clearly
23:53 - 23:54

evident from the fact that a large
23:54 - 23:55

proportion,
23:55 - 23:57

almost all of the affected victims who
23:57 - 23:58

had paid the ransom
23:58 - 24:01

had still not been returned their data.
24:01 - 24:08

[Music]
24:09 - 24:14

[Music]
24:14 - 24:15

Although initially the prime victims of
24:15 - 24:17

WannaCry were said to be Windows XP
24:17 - 24:20

clients, over 98% of the victims were
24:20 - 24:22

actually running unpatched versions of
24:22 - 24:23

Windows 7,
24:23 - 24:26

and less than 0.1% of the victims
24:26 - 24:28

were using Windows XP.
24:28 - 24:30

In the case of Russia, they believed
24:30 - 24:32

updates did more to break their devices
24:32 - 24:34

rather than fix them,
24:34 - 24:36

partly due to the fact that a majority
24:36 - 24:38

of people use cracked or pirated
24:38 - 24:39

versions of Windows
24:39 - 24:40

which means they wouldn't have received
24:40 - 24:42

the updates which were released by
24:42 - 24:45

Microsoft months prior to the attack.
24:45 - 24:47

Microsoft eventually released the
24:47 - 24:48

updates for systems that were at end of
24:48 - 24:49

support
24:49 - 24:51

including Windows XP and other older
24:51 - 24:54

versions of Windows.
24:54 - 24:56

To this day, if the domain that Marcus
24:56 - 24:57

Hutchins acquired were to go down,
24:57 - 24:59

the millions of infections that it has
24:59 - 25:01

at bay would be released,
25:01 - 25:03

but possibly ineffective if the
25:03 - 25:05

computers had already applied the patch
25:05 - 25:08

that microsoft released.
25:08 - 25:10

Eternalblue is still in the wild and
25:10 - 25:11

variants of WannaCry have since then
25:11 - 25:13

surfaced like Uiwix
25:13 - 25:15

which did not come with a kill switch
25:15 - 25:17

and addressed the bitcoin payment issue
25:17 - 25:18

by assigning a new address for each
25:18 - 25:20

victim to collect payment
25:20 - 25:22

therefore easily allowing to track the
25:22 - 25:24

payment back to the victim.
25:24 - 25:26

However, since it did not have an
25:26 - 25:28

automatic worm-like functionality that
25:28 - 25:29

WannaCry exhibited
25:29 - 25:32

it did not pose much of a threat. The
25:32 - 25:35

impact of WannaCry is still seen today.
25:35 - 25:37

Trend Micro's data clearly indicates that
25:37 - 25:39

WannaCry was the most detected malware
25:39 - 25:40

family in 2020
25:40 - 25:42

thanks to its vulnerable nature. And
25:42 - 25:44

F-Secure reports that the most seen type
25:44 - 25:46

of exploit is against the SMB version 1
25:46 - 25:47

vulnerability
25:47 - 25:50

using Eternalblue. The fact that
25:50 - 25:51

attackers still continue to try and
25:51 - 25:52

exploit this
25:52 - 25:54

must mean that there are organizations
25:54 - 25:56

out there who have not patched against
25:56 - 25:58

this vulnerability.
25:58 - 26:00

[Music]
26:03 - 26:06

[Typing]
26:10 - 26:16

[Music]
26:16 - 26:18

Four years after the attack, there is
26:18 - 26:20

still no confirmed identity of the
26:20 - 26:22

creators of the WannaCry.
26:22 - 26:24

There have been accusations towards the
26:24 - 26:25

Lazarus Group
26:25 - 26:27

who has strong links to North Korea.
26:27 - 26:28

However,
26:28 - 26:32

this is nothing more than hearsay. So
26:32 - 26:34

who is to blame for the catastrophic
26:34 - 26:36

damage of WannaCry?
26:36 - 26:37

Is it the NSHA who should not have
26:37 - 26:39

stockpiled exploits without alerting the
26:39 - 26:41

necessary entities about the
26:41 - 26:42

vulnerabilities?
26:42 - 26:44

Is it the shadow brokers who took
26:44 - 26:46

advantage of this, stole, and released it
26:46 - 26:48

into the wild?
26:48 - 26:50

Is it the developers of WannaCry? Or is
26:50 - 26:52

it the fault of microsoft who did not
26:52 - 26:54

identify this vulnerability
26:54 - 26:57

sooner? While all of this might be true
26:57 - 26:58

to some extent,
26:58 - 27:00

at the end of the day, the actions these
27:00 - 27:02

organizations take are largely out of
27:02 - 27:04

the control of the public
27:04 - 27:06

and business owners who are usually the
27:06 - 27:08

victims of the attack.
27:08 - 27:10

Regardless of what we claim, the solution
27:10 - 27:12

is very simple.
27:12 - 27:13

Make sure we follow the guidelines to
27:13 - 27:15

have our data secured.
27:15 - 27:17

The most crucial of it is to have a
27:17 - 27:19

consistent schedule for updating our
27:19 - 27:20

devices,
27:20 - 27:23

and to obviously not use outdated
27:23 - 27:25

operating systems that put
27:25 - 27:27

employee and customer data and their
27:27 - 27:29

privacy at huge risks.
27:29 - 27:31

When it comes to ransomware, the most
27:31 - 27:33

crucial form of defense is frequent
27:33 - 27:35

backup. The more frequent it is,
27:35 - 27:38

the better. Less than 50% of ransomware
27:38 - 27:40

payments actually result in the data
27:40 - 27:41

being returned to the victims,
27:41 - 27:43

and so needless to say, payment should
27:43 - 27:44

not be an option
27:44 - 27:46

lest your goal is to lose money and your
27:46 - 27:48

data as well.
27:48 - 27:50

The biggest mistake that organizations
27:50 - 27:52

tend to make is refusing to believe that
27:52 - 27:54

they would be a target.
27:54 - 27:55

According to a study by Cloudwords in
27:55 - 27:57

2021,
27:57 - 27:59

every 11 seconds a company is hit by
27:59 - 28:01

ransomware, and a large proportion of
28:01 - 28:02

organizations are small
28:02 - 28:04

to medium-sized businesses that never
28:04 - 28:06

see it coming as they're often found to
28:06 - 28:08

have less than effective security
28:08 - 28:09

strategies in place
28:09 - 28:10

making them ideal targets for such
28:10 - 28:12

attacks.
28:12 - 28:13

Digital transformation during the
28:13 - 28:15

Coronavirus pandemic has started to move
28:15 - 28:17

businesses to the cloud,
28:17 - 28:19

and so cyber criminals have now shifted
28:19 - 28:21

their focus to the cloud as well
28:21 - 28:22

giving them an entirely new attack
28:22 - 28:24

surface to work with.
28:24 - 28:26

The cost of ransomware is said to top 20
28:26 - 28:29

billion dollars by the end of 2021
28:29 - 28:32

and that is ransomware alone. By 2025,
28:32 - 28:34

cybersecurity ventures estimates that
28:34 - 28:36

cybercrime will cost businesses
28:36 - 28:39

10.5 trillion dollars annually
28:39 - 28:41

which would amount to just 2 trillion
28:41 - 28:43

short of China's economy,
28:43 - 28:46

the second biggest economy in the world.
28:46 - 28:48

We are headed towards bigger and more
28:48 - 28:51

destructive attacks than WannaCry,
28:51 - 28:53

and our most reliable defense is our
28:53 - 28:54

awareness
28:54 - 28:56

and our action to better protect
28:56 - 28:59

ourselves. Thank you for watching.
28:59 - 29:04

[Music]
29:06 - 29:31

[Music]
29:31 - 29:47

[Music]
29:47 - 29:51

[Music]

Title:: WANNACRY: The World's Largest Ransomware Attack (Documentary)
Description:: more » « less
Video Language:: English
Duration:: 29:52

	OEVIDEOS edited English subtitles for WANNACRY: The World's Largest Ransomware Attack (Documentary)
	OEVIDEOS edited English subtitles for WANNACRY: The World's Largest Ransomware Attack (Documentary)
	OEVIDEOS edited English subtitles for WANNACRY: The World's Largest Ransomware Attack (Documentary)
	OEVIDEOS edited English subtitles for WANNACRY: The World's Largest Ransomware Attack (Documentary)
	OEVIDEOS edited English subtitles for WANNACRY: The World's Largest Ransomware Attack (Documentary)
	OEVIDEOS edited English subtitles for WANNACRY: The World's Largest Ransomware Attack (Documentary)
	OEVIDEOS edited English subtitles for WANNACRY: The World's Largest Ransomware Attack (Documentary)
	OEVIDEOS edited English subtitles for WANNACRY: The World's Largest Ransomware Attack (Documentary)

Show all

English subtitles

Revisions Compare revisions

Revision 9 Edited

OEVIDEOS
Revision 8 Edited

OEVIDEOS
Revision 7 Edited

OEVIDEOS
Revision 6 Edited

OEVIDEOS
Revision 5 Edited

OEVIDEOS
Revision 4 Edited

OEVIDEOS
Revision 3 Edited

OEVIDEOS
Revision 2 Edited

OEVIDEOS
Revision 1 Uploaded

OEVIDEOS

	Revision Number	Author	Created
	9	OEVIDEOS
	8	OEVIDEOS
	7	OEVIDEOS
	6	OEVIDEOS
	5	OEVIDEOS
	4	OEVIDEOS
	3	OEVIDEOS
	2	OEVIDEOS
	1	OEVIDEOS

WANNACRY: The World's Largest Ransomware Attack (Documentary)

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)