WANNACRY: The World's Largest Ransomware Attack (Documentary)

[Music] a small note before we start as much as this video is meant to be a storytelling experience i have also intended it to be educational and so i have coupled the story along with how some of these attacks and technologies work this is my first documentary style video and so i appreciate any and all feedback in the comments below i really hope you enjoy and hopefully learn a few new things right now a crippling cyber attack has businesses around the world on high alert the ransomware known as wannacry want to move on to the other developing story this morning the global cyber attack the national security agency developed this software and it's now being used by criminals around the world to demand ransom security experts say this is one of the worst and most widespread pieces of malware they've ever seen [Music] in may of 2017 a worldwide cyber attack by the name of wannacry shot for one a crypter impacted over 150 countries and hit around 230 000 computers globally needless to say it became known as one of the biggest ransomware attacks in history let's start at the very beginning on the morning of the 12th of may 2017 according to akamai a content delivery network this was the timeline reportedly the first case identified originated from a southeast asian isp which was detected at 7 44 am utc over the next hour there were cases seen from latin america then the continental europe and uk then brazil and argentinian isps until at 12 39 pm utc 74 of all isps in asia were affected and by 3 28 pm utc the ransomware had taken hold of 65 percent of latin american isps wannacry was spreading and at an incredible rate prior to this such a quick and widespread ransomware was unheard of a lot of organizations unable to recover their losses were forced to permanently shut down some had to put a pause on their networks and services and reported huge losses some in millions of dollars the attack did not discriminate small to medium-sized businesses large enterprises the private sector the public sector railways healthcare banks malls ministries police energy companies isps and there just seemed to be no end to the victims within few hours it had spread to over 11 countries and by the end of the first day of the attack the ransomware had been encountered in 74 countries within thousands and thousands of organizations and so it begged the question how much damage will this really cause over the next few days or weeks or months if no solution presents itself your surface has been temporarily disconnected ransomware works in a very simple manner it is the type of malware most commonly spread through phishing attacks which are essentially emails used to trick a user into clicking a link that leads them to a website where they enter sensitive data or to download attachments which if executed will infect the computer although initially suspected wannacry did not originate from a phishing attack but we'll get to that once later computer is infected the ransomware runs an encryption process and usually in less than a minute some or all the files depending on what the ransomware is meant to affect in the user's computer is converted from plain text to ciphertext plain text is readable or comprehensible data and ciphertext is unintelligible gibberish in order to turn this back into plain text the user will need what is known as a decryption key which the attacker promises to provide if the user were to pay the ransom what makes ransomware so dreadful is that once your files have been encrypted you can't exactly decrypt it and retrieve your data well you can but with the current technology we have to break common encryption algorithms used in ransomware attacks such as the rsa it would take millions to billions to trillions of years [Music] this is what you'd see if you were to become infected with the wannacry ransomware in addition to this intimidating wallpaper your documents spreadsheets images videos music and most everyday productivity and multimedia files become encrypted essentially being held hostage till the ransom payment has been made the wanted crypto 2. 0 comes with a set of instructions and in 28 different languages for victims to follow in order to recover their files the attackers demanded for 300 worth of bitcoin and after three days would be updated to six hundred dollars if the payment were to be made seven days after the infection the files would be recoverable however despite this they also go on to state that they will return the files for free to quote users who are so poor that they couldn't pay end quote after six months the method of payment bitcoin the reason that attackers chose bitcoin was because it is what we know as a private cryptocurrency this allows the holder of the currency to remain anonymous though the money could be traced to a cryptocurrency wallet which is where the currency itself is stored it would be exponentially difficult to find the owner of the wallet without extensive forensic analysis this is the reason that bitcoin is used widely in the dark web to purchase guns drugs and other illegal goods and services that for obvious reasons you would not be able to find on the surface web problem with wannacry and what made it exponentially more dangerous than your average ransomware was its propagating capabilities but to understand this fully we need to go back in time a little bit to 2016. in august of 2016 the equation group suspected to have ties with the national security agency's tailored operations unit and described by kaspersky as one of the most sophisticated cyber attack groups in the world was said to be hacked by a group called the shadow brokers in this hack disks full of the nsa secrets were stolen this was bad because the nsa houses what we know as nation state attacks which are exploits or hacking tools that are used to carry out a hack for their home country against another country the nsa would essentially recruit a skilled hacker and give them a license to hack which means if they did carry it out it wouldn't be illegal at least in that country and the hacker would not be charged the danger here is that the nation-state tools in itself are usually pretty effective especially considering they are to be used as weapons against entire states and countries the nsa is said to have discovered a multitude of other vulnerabilities in the windows os as early as 2013 but was speculated to have developed exploits secretly and stockpile them rather than reporting it to microsoft or the infosec community so that they could weaponize it and utilize them in their nation state and other attacks the shadow brokers would go on to auction off some of these tools that were developed but due to skepticism online on whether the hackers really did have files as dangerous as they had claimed this would essentially go on to become a catastrophic failure we can talk quite a bit about the shadow brokers the story is itself worth examining individually and maybe even on a separate video but let's narrow our focus down to the leak that made wannacry possible which at that point was the fifth leak by the group and was said to be the most damaging one yet on april 14 2017 the shadow brokers would post a tweet that linked to their steam blockchain on a post titled lost in translation this leak contained files from the initial failed auction which they now decided to release to the public for free the description accompanying the leaked files doesn't really contain much worth noting as always the shadow brokers would use broken but still somewhat comprehensible english however this is widely speculated not to speak to their proficiency in the language but rather an attempt to mislead analysts and prevent them from yielding any results regarding their identity characterized by how they type the link which has now been taken down takes you to an archive filled with a number of windows exploits developed by the nsa it did contain many other valuable tools worth examining but the ones relevant to our story and what made a regular ransomware so destructive were the payload double pulsar and the now infamous exploit used in the wannacry attack eternal blue [Music] server message block version 1 or smb v1 is a network communication protocol which was developed in 1983.

the function of this protocol would be to allow one windows computer to communicate with another and share files and printers on a local network however smb version 1 had a critical vulnerability which allowed for what is known as a remote arbitrary code execution in which an attacker would be able to execute whatever code that they'd like on their target or victim's computer over the internet usually with malicious intent the function of eternal blue was to take advantage of this vulnerability essentially i'm going to try and strip it down to simplify it as much as possible when the shadow brokers first leaked the nsa tools hackers took this opportunity to install double pulsar which is a tool which opens what we commonly know in security as a back door backdoors allows hackers to create an entry point into the system or a network of systems and gain easy access later on the initial infection of wannacry is not known but it is speculated that the attackers took advantage of the back door to deliver the payload the payload in this case is the ransomware wannacry when a computer is infected with wannacry oddly it then tries to connect to the following unregistered domain which is basically a random string of numbers and letters if it cannot establish a connection to this domain then the real damage begins it scans for port 445 on the network which is the port that is used to host smb version 1 and if the port is deemed to be open it would then proceed to spread to that computer this is how it propagated so quickly [Music] whether the other users in the network actually downloaded or clicked on anything malicious regardless they would be infected and in seconds all their data would be encrypted [Music] so the damage came in two parts the ransomware that encrypts the data and the worm-like component that is used to spread the ransomware to any connected vulnerable devices in the network as a result of eternal blue and double pulsar the attack only affected windows systems mainly targeting windows xp vista windows 7 windows 8 and windows 10. however a month prior to the leak by the shadow brokers on march 14 2017 microsoft was made aware of this vulnerability after it was publicly reported almost five years after its discovery microsoft then released a critical patch to fix this vulnerability [Music] ms-17010 however despite the release of the patch a significant number of organizations never updated their systems and unfortunately there were still major organizations running windows xp or server 2003 these devices were at end of support which means that even if updates were out they would not receive them and be completely vulnerable to the exploit if you want to know more about the vulnerability that the eternalblue exploited it is now logged in the national vulnerability database as cve 20170144 [Music] marcus hutchins also known online by his alias malwa attack was a 23 year old british security researcher at kryptos logic in la after returning from lunch with a friend on the afternoon of the attack he found himself scouring messaging boards where he came across news of a ransomware rapidly taking down systems in the national health service or nhs all over the uk hutchins who found it odd that the ransomware was consistently affecting so many devices concluded that the attack was probably a computer worm and not just a simple ransomware he quickly requested one of his friends to pass him a sample of the malware so that he could examine it and reverse engineer it to analyze exactly how it worked once he had gotten his hands on the malware sample he had run it using a virtual environment with fake files and found out that it was trying to connect to an unregistered domain which we discussed earlier in chapter 4. hutchins would go on to register this domain for only 10 and 69 cents which unbeknownst to him would actually halt the wannacry infection he would later admit in a tweet that same day that the domain registration leading to a pause in the rapid infection was indeed an accident dubbing marcus hutchins as the accidental hero to hachins taking control of unregistered domains was just a part of his workflow when it came to stopping botnets and tracking malware this was so that he could get further insight into how the malware or botnets were spreading for those of you unaware of what a botnet is it is essentially a group of computers that have been hijacked by malicious actors or hackers in order to be used in their attacks to drive excess network traffic or steel data one computer that has been hijacked is called a bot and a network of them is called a botnet however since as we discussed earlier the attack only executes if it's unable to reach the domains that it checks for think of it as a simple if then statement if the infection cannot connect to x domain then proceed with the infection if it can reach x domain stop the attack and so the malware being able to connect to the domain was known as the kill switch the big red button that stops the attack from spreading any further but why would the attackers implement a kill switch at all the first theory is that the creators of wannacry wanted a way to stop the attack if it ever got out of hand or had any unintentional effects the second and the most likely theory proposed by hutchins and other security researchers was that the kill switch was present in order to prevent researchers from looking into the behavior of monocry if it was being executed within what is known in security as a sandbox a sandbox is usually a virtual computer that is used to run malware it is a contained environment with measures that have been taken to not infect any important files or spread to other networks much like what i used in chapter 2 to demonstrate the wannacry ransomware [Music] researchers used these sandboxes to run malware and then use tools to determine the behavior of the attack this is what hutchins did with fake files as well so the intent behind this kill switch was to destroy the ransomware if it existed within a sandbox environment again since they didn't want researchers to be able to analyze exactly how it worked however since the attackers used a static domain a domain name that did not change for each infection instead of using dynamically generated domain names like other renditions of this concept would usually do the wannacry infections around the world believed that it was being analyzed in a sandbox environment and essentially killed itself since every single infection was trying to reach one single hard-coded domain and now they could after hutchins had purchased it and put it online if it had been a randomly generated domain name then the infection would only have removed itself from hutchins's sandbox environment because the domain he registered would be unique to him and would not affect anyone else this seems to be an amateur mistake so amateur in fact that the researchers have speculated that maybe the intent of the attackers was not monetary gain but rather a more political intention such as to bring shame to the nsa however to this date there is nothing that confirms nor denies the motive of the wannacry attack the rapid infection had seemed to stop but for hutchins or malwater and his team the nightmare had only just begun less than an hour from when he had activated the domain it was under attack the motive of the attackers were to use the mirai botnet to host a distributed denial of service attack also known as ddos to shut down the domain so that it would be unreachable once again and all the halted infections would resume a ddos attack is usually performed to flood a domain with junk traffic till it can't handle anymore and is driven offline the mirai botnet that the attackers were employing was previously used in one of the largest ever ddos attacks and was comprised of hundreds and thousands of devices the haunting realization that they were the wall between a flood of infections that was currently being blocked slowly dawned on hutchins and the other researchers working on the case they eventually dealt with the issue by taking the site to a cached version which was capable of handling a much higher traffic load than a live site two days after the domain went live the data showed that two million infections had been halted showing us what the extent of the damage could have been if it was not for the discovery of the kill switch marcus hutchins story does not stop here he would go on to be named as a cyber crime hero a title which he didn't enjoy as it would bring to him unwanted attention people trying to piece together his address media camping outside of his house and in addition to all of this he was still under the pressure of the domain going offline any minute and wreaking havoc however he was able to get through these weary days and sleepless nights only to be thrown back into chaos three months after the wannacry attack in august of 2017 marcus hutchins after partying in vegas for a week and a half during defcon a hacker convention was arrested in the airport by the fbi on his way back home it seemed that hutchins in his teenage years had developed a malware named kronos that would steal banking credentials he would go on to sell this malware to multiple individuals with the help of someone he met online named vinnie k kronos is still an ongoing threat to banks around the world hutchins initially battled the charges with a non-guilty plea but after a long and exhausting ordeal that lasted for years in april 2019 he took a plea deal that would essentially dismiss all but two counts set against him conspiracy to defraud the united states and actively marketing the kronos malware he faced the possibility of a maximum prison sentence of ten years but because of his contribution towards wannacry and as the community had constantly pointed out his active involvement in defending the world against cyber attacks the judge ruled in his favor he was then released with zero jail time and is now a free man as stated before wannacry attack impacted over 150 countries and approximately 230 000 computers globally russia was the most severely infected with over half the affected computers india ukraine and taiwan also suffered significant disruption the most popular victim to emerge out of the attacks were the uk's national health service or the nhs in the nhs over 70 000 devices such as computers mri scanners devices used to test blood theater equipment and over 1200 pieces of diagnostic equipment were affected approximately the attack cost the nhs over 92 million euros and globally the cost amounted to somewhere between four and eight billion dollars you'd think that the attackers who launched wannacry would have made a decent amount considering how many countries and devices were affected however as of june 14 2017 when the attacks had begun to subside they had only made a hundred and thirty thousand six hundred and thirty four dollars and seventy seven cents victims were urged not to pay the ransom since not only did it encourage the hackers but it also did not guarantee the return of their data due to skepticism of whether the attackers could actually place the paid ransom to the correct victim this was clearly evident from the fact that a large proportion almost all of the affected victims who had paid the ransom had still not been returned their data [Music] although initially the prime victims of wannacry were said to be windows xp clients over 98 of the victims were actually running unpatched versions of windows 7 and less than 0.

1 percent of the victims were using windows xp in the case of russia they believed updates did more to break their devices rather than fix them partly due to the fact that a majority of people use cracked or pirated versions of windows which means they wouldn't have received the updates which were released by microsoft months prior to the attack microsoft eventually released the updates for systems that were at end of support including windows xp and other older versions of windows to this day if the domain that marcus hutchins acquired were to go down the millions of infections that it has at bay would be released but possibly ineffective if the computers had already applied the patch that microsoft released eternal blue is still in the wild and variants of wannacry have since then surfaced like ui wix which did not come with a kill switch and addressed the bitcoin payment issue by assigning a new address for each victim to collect payment therefore easily allowing to track the payment back to the victim however since it did not have an automatic worm-like functionality that wannacry exhibited it did not pose much of a threat the impact of wannacry is still seen today trend micros data clearly indicates that wannacry was the most detected malware family in 2020 thanks to its vulnerable nature and f-secure reports that the most seen type of exploit is against the smb version 1 vulnerability using eternal blue the fact that attackers still continue to try and exploit this must mean that there are organizations out there who have not patched against this vulnerability four years after the attack there is still no confirmed identity of the creators of the wannacry there have been accusations towards the lazarus group who has strong links to north korea however this is nothing more than hearsay so who is to blame for the catastrophic damage of wannacry is it the nsa who should not have stockpiled exploits without alerting the necessary entities about the vulnerabilities is it the shadow brokers who took advantage of this stole and released it into the wild is it the developers of wannacry or is it the fault of microsoft who did not identify this vulnerability sooner while all of this might be true to some extent at the end of the day the actions these organizations take are largely out of the control of the public and business owners who are usually the victims of the attack regardless of what we claim the solution is very simple make sure we follow the guidelines to have our data secured the most crucial of it is to have a consistent schedule for updating our devices and to obviously not use outdated operating systems that put employee and customer data and their privacy at huge risks when it comes to ransomware the most crucial form of defense is frequent backup the more frequent it is the better less than 50 of ransomware payments actually result in the data being returned to the victims and so needless to say payment should not be an option lest your goal is to lose money and your data as well the biggest mistake that organizations tend to make is refusing to believe that they would be a target according to a study by cloudwords in 2021 every 11 seconds a company is hit by ransomware and a large proportion of organizations are small to medium-sized businesses that never see it coming as they're often found to have less than effective security strategies in place making them ideal targets for such attacks digital transformation during the coronavirus pandemic has started to move businesses to the cloud and so cyber criminals have now shifted their focus to the cloud as well giving them an entirely new attack surface to work with the cost of ransomware is said to top 20 billion dollars by the end of 2021 and that is ransomware alone by 2025 cyber security ventures estimates that cyber crime will cost businesses 10.