June 16, 2017 55 mins

What is ransomware? Why does it so often target healthcare organizations? Tune in to learn all about the history of holding data hostage — from Dr. Popp to the recent WannaCry virus.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:04):
Get in touch with technology with TechStuff from howstuffworks.com. Hey there, and welcome to TechStuff. I'm your host, senior writer Jonathan Strickland, writing for howstuffworks.com. It's a groovy website. You've never been there? You should go check it out. You've been listening to TechStuff all this time and didn't

(00:25):
know there was a website. Work on your listening skills. I love you. howstuffworks.com. Check it out. So today I thought I'd take a look at a tech story that happened not too long ago as of the recording of this podcast. I'm recording it in May. It is publishing much later than that, but not too long ago from today. A virus emerged that really caused a lot

(00:48):
of headaches, particularly in the UK and in a lot of other countries. Not so much in the United States, but a lot of other ones. And it's called WannaCry. It's the WannaCry ransomware virus. It really became big news starting on May twelfth, 2017. That's when it went viral for the first time and spread to

(01:08):
thousands of machines. The count goes anywhere between two hundred thousand and four hundred thousand computers, depending upon what authority you're looking at. WannaCry was exploiting a vulnerability in a protocol used by the Windows operating system. But I'll explain all of that a little bit later. First, let's talk about what ransomware is and where it came from. So,

(01:34):
to put it simply, ransomware is a subset of malware, and malware stands for malicious software. You might also hear it described as a computer virus. That's largely because in the early days of personal computers there were really only two major types of malware, and those were viruses and worms. And so we've often used computer virus as

(01:57):
shorthand for malware. But there are lots and lots of different kinds of malware out there, and so using a term like virus is not as specific as most people would prefer. But what the heck is a virus and what the heck is a worm? Well, a virus is some malicious code that a programmer designs that inserts itself into another program. They're typically part of some sort of executable file, so .exe in the Windows

(02:19):
operating system world, or DOS even. The virus does not activate until the computer runs the respective file. So you can have a computer that has a virus on it, but the virus is inactive. It is dormant because you have not yet run that file, and as long as you don't run that file, the virus will remain dormant. It will be inert. But once you run the file,

(02:42):
it activates the virus and it ends up replicating itself. Sometimes it will use other programs to spread itself to other machines. In the old days, before you had networked computers, it would essentially replicate itself over and over again in order to overwrite everything on the computer and essentially jam everything up. You couldn't end up saving anything to the computer.

(03:04):
Everything would be overwritten by this virus, essentially rendering your computer useless. It's pretty nasty stuff. The worm, on the other hand, is a self-propagating piece of code that does not rely on another file, and typically the programmer depends upon some sort of trick like social engineering

(03:25):
to get people to execute the worm and start that self-propagation process. Now, both viruses and worms are part of a larger classification of malware, and ransomware is a specific type of malware that, as the name suggests, holds a victim's computer for ransom. It doesn't break into their house and steal it and then put a gun to

(03:46):
the monitor and say pay up or it gets it. Otherwise you would just need a particular set of skills to go after those folks, as we learned in the documentary Taken. Typically, malware that acts as ransomware will do one of two things. The most common version on desktop machines and laptops is that it will encrypt the victim's computer,

(04:09):
so that means it will encode your computer so that none of your files will be readable, or even, you know, you won't even be able to locate them because they're all renamed. Under this nonsense encryption approach, that can end up causing your computer to be useless, or at least make your information inaccessible. The goal is to

(04:30):
get the victim to fork over some cash, and in return, the hackers will decrypt the computer. They'll give whatever the password is or the methodology to decrypt all the information and turn it back to the way it was before it was attacked. Now, there's the second variant of

(04:50):
ransomware that doesn't encrypt a computer. Instead, what it does is lock people out of a device. This is the locker version of ransomware. It's most frequently seen in Android-based devices, so mostly mobile devices like handsets, tablets, that kind of thing. And essentially hackers fool a victim

(05:11):
into downloading and installing a malicious app, and then the app will activate this software that locks the victim out from accessing their device. They won't be able to use it. It essentially bricks it until you agree to pay up a ransom. You might get a little screen that demands, that shows you, you know, until you pay X amount, you won't have access to this device.

(05:35):
So you are told that you have to pay the hackers in order to regain access to your device. And in either case, ransomware is not pretty. Now, this is similar to, but distinct from, another scheme that some hackers have employed over the last few years, which is blackmail. Hacker groups like Rex Mundi have targeted large corporations with a

(05:57):
goal of infiltrating their systems and stealing as much data as possible, including customer data. That's one of the big targets. So having that customer data is a very powerful tool. Companies do not want their customers to lose confidence in them. So if a hacker group is able to get hold

(06:17):
of a huge amount of customer information from a company and then say, hey, if you don't pay up, we're going to release this information or we're gonna sell it off, it's bad news, and it's very hard to recover as a company if you've suffered that kind of data breach. So it's similar to blackmail, but not exactly the same,

(06:37):
because with ransomware, the hackers might not even be interested at all in what's on the computer systems they target. They don't care if there's customer information or if it's internal systems. That doesn't matter. What they want to do is affect as many critical computers as they possibly can with ransomware, because if it's a critical device, if

(07:01):
it's something that's very important for the operations of a larger organization or company, then that puts a huge amount of pressure on the company to pay up the ransom so they can get access to that critical hardware again. That's the whole point of ransomware. They don't care what the nature of the

(07:21):
stuff is, as long as it's important, because they're not after the data itself, they're after money. They just want to lock down those computers as much as they can and then convince people to pay them so that they can unlock them. Now, the first recorded instance of ransomware was called the AIDS Trojan, and it was designed by

(07:41):
Joseph L. Popp, P-O-P-P. That particular attack falls under the category of the Trojan horse, which is of course named after the legendary gift to the city of Troy that secretly housed invading soldiers from Greece. A Trojan horse is malware that looks like a

(08:02):
regular program. It fools someone into thinking they're using some benign piece of software, but in reality they're essentially handing over some critical part of their computer systems to the whims of a hacker. So a lot of Trojan horse programs these days are programs that look like they're innocent. You run them, and then it allows a hacker to get a back end, like a back door entry into

(08:25):
your computer, usually administrative-level control, and from there they can do lots of different things. They can lock you out of a system. They can allow you to continue using a system so that you don't know that they're even there. They can spy on what you're doing. They can even redirect your computer to send traffic to a target machine as part of a distributed denial of service attack.

(08:46):
So this is a very common ploy that hackers will use in order to build botnets or computer armies. Now, the AIDS Trojan virus predates the World Wide Web, so this was not a virus that was spread over email. It wasn't spread over a compromised website. It was distributed

(09:09):
actually on floppy disks, good old floppy disks, and they were sent over the postal service. Most of the recipients were from other parts of the world, not the United States. Here in the US, we really didn't have an issue with the AIDS Trojan virus directly. The targeted

(09:29):
systems were mostly in other places in the world, like Europe, in Africa, in Asia, that kind of thing. So the target for this attack happened to be companies and agencies that were either in education or healthcare, and they were concerned with educating people about the AIDS virus. The

(09:53):
disk was posing as educational software that was to teach you about the AIDS virus. So it's pretty insidious that it took on this form. The software on the disk included an actual survey that would tell the taker what their odds were of contracting the AIDS virus based off their responses. So, for example, it might ask

(10:13):
if you take intravenous drugs and, if so, do you share needles? That sort of thing, and as you would answer it, it would give you the odds of you contracting the AIDS virus. So on the surface, it seemed like actual educational software. What you didn't realize as you ran this software on your computer is that in the background code was running so that it would infect the computer,

(10:37):
and after a predetermined number of reboots of the system, the software would encrypt all of your files. So, in other words, it would set up as kind of a doomsday clock, except instead of time, it was in reboots. So every time you shut down your system and turned it on, you were one step closer to activating this worm,

(10:57):
and eventually you would hit that threshold, and the next time you turned on your computer, all of your files would get encrypted by this malware. The only thing you would see when you would reboot that system that last time would be a message that says turn on a printer. So essentially you'd have to have

(11:18):
a printer connected to the affected computer, and when you turned it on, it would send a print command to the printer and print on a sheet of paper the instructions to pay the ransom, which is kind of interesting, a little primitive, but obviously you didn't have Bitcoin or anything like that back in those days, so the ransom

(11:38):
note would print out once the computer was activated or connected to an activated printer. The note directed victims to send one hundred eighty-nine dollars to a post office box located in Panama. After doing so, Popp, who of course was not identifying himself as the perpetrator, promised that

(12:00):
he would send the decryption program to unlock the contents of the victims' computers. In the UK, where the virus was first reported, some medical institutions began to delete data rather than pay the ransom. They were worried that their systems had been totally compromised and that a hacker had access to all of that data, so as a result, they started deleting stuff, and in fact other parts

(12:22):
of the world were following a similar strategy. The Independent reported that there was one organization in Italy that lost a decade's worth of AIDS research as a result of this, because there was a panic that the compromised data could be otherwise changed or altered, which I guess is repetitive or redundant, but at any rate they

(12:44):
were worried that this vulnerability was worse than what they were already seeing. So there were people who lost years and years of work as a result of this ransomware attack. Now I mentioned earlier, we know who made this virus. So knowing who made it, what exactly happened? How did this story unfold? It's a bit strange, to

(13:05):
be honest. So let's give you some background on the man who had programmed the virus in the first place. Joseph L. Popp had graduated with a PhD from Harvard University, and he was in the field of evolutionary biology, not the field that you would immediately associate with someone who's programming the world's first ransomware virus. He was

(13:28):
actually not an enemy to AIDS research. That was his field. He was consulting with the World Health Organization in the area of AIDS research over in Kenya, so why would he design a computer program that locked away computers used by people who were trying to research AIDS and provide education for at-risk populations? Well, that depends upon whose

(13:51):
story you believe. So story number one came from Popp's lawyer, who said that Popp's plan was to shake things up. He wanted to change the whole model of how AIDS research was going about. He thought it was too regimented, he thought it was off base, according to the lawyer,

(14:12):
and that Popp's plan was to use the ransom money that he would get from people paying this one hundred eighty-nine dollars a pop to fund alternative AIDS education programs. So you could argue that if this is actually the case, this was a protest against the establishment and their approach to AIDS research. So you would think of Popp as some sort of crypto activist or crypto anarchist. But the

(14:37):
judge in the case actually disagreed with this and said that Popp just wasn't even fit to stand trial, and this was because his behavior had become something pretty strange and erratic. That was the reason he was caught in the first place. I mean, he could have just gotten away from Europe and no one would have ever known it was him. The reason he was caught was

(14:59):
that he was in an airport in Amsterdam and he wrote the sentence "Doctor Popp has been poisoned," which I think would make a great title for an album, but he wrote it on another passenger's suitcase. It's pretty strange already. Apparently he had been acting somewhat unusually as the

(15:21):
stress was getting to him about trying to get out of Europe while this story about the AIDS Trojan virus was making headlines over there, so he was feeling a lot of pressure, and according to some stories, at least, he cracked. Well, the authorities saw that he was writing stuff on other people's suitcases and took him aside for questioning,

(15:43):
and they searched his baggage, and when they did, they found evidence that he was the one behind manufacturing and distributing all those disks that had the malware on them. So, while he was waiting for trial in the UK, his behavior grew increasingly strange, and eventually Judge Geoffrey Rivlin dismissed the case because he said that Popp was unfit to

(16:05):
stand trial. Popp was released and essentially got off scot-free. He eventually would open up a butterfly conservatory in upstate New York. So you can go see Joseph L. Popp's Butterfly Conservatory and see the conservatory built by a guy who built the first ransomware in the world, which

(16:25):
is a little unusual. There is another theory about what Popp's motivations were that has nothing to do with crypto anarchist tendencies or erratic behavior. It's not nearly as grand an act as all that; it's not as strange as all that. The theory states that Popp was actually just

(16:46):
seeking revenge. He had been passed over for a position with the World Health Organization, so some theories say he got very upset that he wasn't picked for this job, and as a result, he designed and then unleashed the software targeting organizations that he felt he should have been taking a larger role in, but because he got passed over,

(17:08):
he didn't have that opportunity. And he even had a digital diary that contained evidence that he had been planning this attack for more than a year and a half, so it was a premeditated act, not something that was done spontaneously, at least according to that digital diary. So, there are some people who say that he was just bitter about not getting that job, and that was the

(17:30):
motivation he had for building the first ransomware. But whatever the reason, he didn't serve any time for his crime. And his encryption scheme was relatively simple to reverse. It was symmetric encryption, and it wasn't particularly robust, so after some time, experts were able to figure out how to reverse engineer it, essentially using brute force to decrypt the

(17:53):
affected computers. So it really wasn't as bad as it could have been, or as it later would turn out to be, as future ransomware hackers would create more robust means of putting your data off limits. So one

(18:14):
thing that Popp also set into motion was this tendency for hackers who have developed ransomware to target healthcare organizations, whether it's hospitals or organizations that are related to healthcare. That's a prime target for ransomware. And the reason is the information inside those computers is critical, literally critical to

(18:39):
the lives of human beings. So by targeting these very critical systems that have a high sense of urgency about the data that they contain, the hackers are maximizing the chance that people will give in and pay their demands. So two different trends that he started. He started the

(19:02):
ransomware trend and he started the targeting healthcare trend, both of which are pretty odious, I would say. But yeah, the more valuable and urgent the information is, the more likely you are to pay up when something gets locked away. Now we'll talk more about early ransomware in just a minute,

(19:23):
but before we jump into that, let's take a quick break to thank our sponsor. So early ransomware attackers, originally they were building their own encryption codes to convert files into seemingly meaningless gibberish. So what's going on with

(19:45):
encryption in the first place? What does that actually mean? I use the term a lot. You've probably heard it a lot, and some of you are probably very familiar with the whole concept of encryption. But in case you are not, and you're wondering, what does that even mean? I mean, I get that it's turning my files into stuff that I can't read, but what is actually happening? I thought I would give a very, very basic explanation

(20:08):
of what encryption is. Now, keep in mind, this is at its most basic level. Encryption involves using a key to encode data in a way that makes it meaningless to an outside observer who does not also possess that key. So this is just making codes, essentially. That's what it boils down to. It's just using a very advanced algorithm

(20:30):
in order to do it, and using a huge number of potential variations on that so that you make it very, very difficult for people to reverse engineer the strategy you use to encrypt the information, thus making it safe. If you use a very simple set of rules, then obviously your data isn't that safe. All it takes is

(20:52):
someone to notice what the rules are and then they can reverse it that way. So if you've ever used a substitution cipher, you've experimented with an extremely simple version of encryption. So you might decide with a buddy that you're going to shift all the meaning of letters one over from their actual place in the alphabet,

(21:13):
so that when you write your message to encode to your buddy, a B is an A, and a C is a B, and so on and so forth. That's a very simple one-shift substitution cipher. When you receive a message, you use that key, which in this case is just that very simple rule, to decode the message, and then you read it, and then later that night

(21:34):
you'll probably TP someone's home, because that's the kind of thing we kids used to do before there was an Internet and Nintendo Switches and whatnot. Obviously, computers are using much more robust encryption techniques than a simple substitution cipher. The goal is to create a method of encryption that is so sophisticated that it would take someone years or even decades before they could decrypt the information

(21:57):
without the use of a key, in other words, to use brute force. Brute force is essentially when you just tell a computer, I want you to work through every variation of this particular approach until you find the one that works. And the more approaches there are, the longer that will take

(22:19):
a computer to accomplish. So your goal is to make the encryption process difficult enough so that a computer doesn't have any hope of solving it by brute force in any reasonable amount of time. The earliest forms of computer encryption used a fifty-six-bit key. Now remember, a bit is a single unit of information. It is either

(22:41):
a zero or a one. So if you have fifty-six bits, how many different combinations will that get you? The answer is it's around seventy quadrillion possible combinations. That sounds like a lot, seventy quadrillion, but as it turns out, modern computers can brute force that fairly quickly, quickly

(23:03):
being a relative term. But it's not impossible to use brute force and break that kind of encryption, so it's not safe. So today you would use a much higher bit count for your encryption, like two-fifty-six-bit encryption, which gives you way more potential combinations, exponentially more combinations.

(23:26):
So to decrypt without brute force, if you're not going to try and just force all those different variations through, you need that key. The key is like a secret decoder ring. So if you get hit with ransomware, what the hackers are actually offering you is the decryption key. In exchange for money you pay them, they give you

(23:47):
the secret, super-secret decoder ring, so you can decode all that stuff that's on your computer and you can use it again. These days, the money is typically demanded in the form of digital currency like Bitcoin, or in prepaid cards like MoneyPak, which, by the way, in one of the stories I was reading was misspelled with

(24:08):
a typo calling it MonkeyPak, and I wish it was MonkeyPak, but Monkey Pack is a brand of backpacks. It is not a method of cash transfer, unless you were to stuff a monkey pack filled with money and then hand it to someone; then technically it is cash transfer. But I'm pretty sure that the author of the

(24:29):
article meant MoneyPak. More's the pity. So using Bitcoin or these prepaid options allows hackers to maintain their anonymity, as opposed to giving you an address, like a physical address to send money to, which, you know, you could just hand over to authorities who would then stake it

(24:50):
out and try and catch the people who are responsible. Using the digital approach, it's a lot harder to do that. Since then, ransomware has become a more popular method to attack computers, and it really took off once the World Wide Web matured and upon the launch of the smartphone industry as well. The Internet Crime Complaint Center, or IC3, says

(25:12):
that between two thousand five and two thousand sixteen they received reports of more than seven thousand, six hundred ransomware attacks, and by comparison, the IC3 says it received more than six thousand reports of data breaches, so ransomware actually outnumbers data breaches. The information you tend to see in the US, at least, you see these big stories

(25:35):
about companies that had their systems compromised and people stole a lot of information. That's a data breach. The big Sony data breach from a few years ago is a great example. Not that it's great, but it serves as a great example. Ransomware actually happens way more frequently than those big data breaches because, again, you don't have to care about what information is in the system. You

(25:58):
just want to make it unreachable. So all you have to do is fool someone into executing some malicious code, and depending upon the nature of the malware, you might be able to infect an entire system just through one point of entry. You don't have to try and navigate a complex and potentially very secure system of computers in

(26:21):
order to look for specific information, because again you don't care what the information is. You just want them to have no access to it. Now, in the mid two thousands, there were a lot of different types of malware in the ransomware category that debuted, and that included stuff like GPcode, Archiveus, Krotten,

(26:42):
Cryzip, MayArchive, and Troj.Ransom.A, and these were using tougher algorithms that were harder to crack. Archiveus was one of the first, and it used RSA encryption and demanded that users visit specific websites to make purchases in order to buy a password to remove the lock on their files. So you would get a

(27:04):
message saying you need to go to this pharmacy's website and you need to buy X amount of drugs from this pharmacy, and after you do, we'll give you the password. Pretty aggressive marketing scheme for that pharmacy, if you were to ask me. Obviously it was a front for these hackers, but pretty nasty stuff. And more and more frequently hackers

(27:28):
began to use off-the-shelf solutions as time went on. Rather than build their own encryption codes, they began to use stuff that a couple of people had developed and then had released out into the wild for others to use at their own discretion. So this did two things. It increased the sophistication of the encryption algorithms that the

(27:50):
hackers were using, and it lowered the barrier to entry for hackers to the point where if you are willing to pay the money, you can get very simple hacker tool kits that are easy to run. Like, they are made to be user friendly for the hacker, and you don't have to know how they work.

(28:13):
You just have to use them. It's like using any other program on a computer. You don't have to know how it works in order for it to work. And that makes it much more dangerous because it suddenly makes ransomware a more viable option for a larger group of people and thus puts more computers at risk. It's a pretty ugly cycle. So you also saw websites begin to

(28:41):
get compromised, and that became an issue too, and you also started to see malware that would copy notifications from trusted sources to fool people into installing malicious software. So you've probably encountered something like this in the past. You may have gone to a website that was not secure,

(29:03):
it was maybe a compromised website, and you might get a pop-up window that says, hey, you need to update your Flash so that you can watch this content, or you might get a notification saying, hey, the FBI is looking at you right now, so you need to follow this link. But in general, these are not legitimate things. These are actually phishing attempts to try

(29:26):
and get you to click on stuff to download and install the malware so that you compromise your own computer. So don't do that, and don't go to that website anymore. It's been compromised. It is not a nice place for you to go visit. Go outside, get some fresh air, or if it's on your phone, turn your phone off.

(29:48):
You know, just be careful. Over time, the demands from hackers have increased, as well as the sophistication of the hacking programs. In the mid two thousands, the typical demand for payment was hovering somewhere around three hundred dollars, typically between two hundred and four hundred bucks. And this is where the economies of scale come into place. Three

(30:08):
hundred dollars in the grand scheme of things is not that much money. Now, it's not cheap. Three hundred dollars is significant. I mean, I'm not gonna just drop three hundred bucks and walk away without a care in the world. That's a significant amount of money, but it's not an enormous ransom. It's not like the sort of stuff you see in movies where a character gets kidnapped and then

(30:32):
the kidnappers demand a million dollars in ransom money. It's three hundred bucks. However, you also have to remember that ransomware, typically if it's being really successful, is infecting hundreds or thousands of computers at three hundred bucks a pop. Assuming that people are playing ball, that ends up adding

(30:53):
up pretty quickly, so it ends up being an effective way to extort people out of money. Today, the price is closer to five hundred dollars on average, so it's gone up. It's no longer around three hundred, it's around five hundred. And again, just through sheer numbers alone, you can see the potential for hackers to make lots of money using

(31:15):
this methodology. And also a lot of the software today comes along with a deadline, so it's not just that your information is locked away, but that you have a limited amount of time before something worse happens to you. So you've gotta, like, pay up before the end of the month, or we'll start deleting your information. We'll start

(31:38):
deleting your files so that not only are they not accessible to you now, you'll never be able to access them again because we're gonna completely delete and overwrite them. So it becomes that kind of level of extortion. You know, you've got a nice database there; it sure would be a shame if someone were to encrypt it and then start deleting it piece by piece. That's the sort

(32:03):
of message that the hackers are sending. So it's definitely gotten more sophisticated, more expensive, and more malicious over time. However, ransomware does tend to change very quickly. You don't tend to see one type of ransomware dominate for longer than,

(32:24):
say, a year or so. Kaspersky Labs, which is a computer security company, reported that the most prominent ransomware between two thousand fourteen and two thousand fifteen was a program called CryptoWall, which accounted for more than half of all the ransomware examples found in the wild. Something like fifty-eight percent of all ransomware was CryptoWall

(32:45):
or some variation of CryptoWall, and according to the FBI, the hackers behind CryptoWall made eighteen million dollars from their victims. And CryptoWall was one of the earliest types of ransomware to spread over compromised websites. Earlier ransomware relied on other methodology for distribution, but CryptoWall went through compromised websites and email attachments and affected

(33:10):
a lot of targeted computers. It used a two-hundred-fifty-six-bit key to encrypt specific types of files, so it would look for files that had specific extensions, like a .doc file, a document file. It would look for those sorts of files and encrypt them using this two-fifty-six-bit key. Then it would use a two-thousand-forty-eight-bit

(33:34):
RSA key to encrypt the two-fifty-six-bit key. This double encryption made it much more difficult for you to figure out how to reverse the process. But the following year saw CryptoWall reduced to just five point one percent of all ransomware, so it went from fifty-eight percent to five point one percent in the span of one year. The new heavy hitter was

(33:56):
a piece of software called TeslaCrypt, and the hackers
behind that malware frequently demanded their ransoms in Bitcoin and
other forms of digital payment. Ransomware attackers continued to aim
at the healthcare industry for the reasons I mentioned earlier.
Hospitals have been affected by various types of ransomware.
Some of them include Los Angeles' Hollywood Presbyterian Medical Center,

(34:20):
the Los Angeles County Department of Health Services, Ottawa Hospital,
Kentucky Methodist Hospital, and lots and lots of others. A
ton of them are in California. In fact, in some cases,
hospitals paid the ransom in order to regain control and
access of their systems, but in other cases, savvy tech
professionals were helping to quarantine affected computers, to disconnect them

(34:43):
from the network so that they wouldn't spread the malware
further into the system. And then they worked to
reboot the systems using old backups, so essentially going
to the backup files. And, you know, you lose some
stuff, because chances are you generated some data since the

(35:03):
last backup, but it meant that they got back these
systems and didn't have to pay the ransom in
several cases. Now, sometimes hackers have a real flair for
the dramatic. There's the team that's behind the Jigsaw ransomware,
Jigsaw taking its name from the villain in the Saw

(35:23):
series of films. The malware not only locked the victim's computer
but displayed an image of the puppet that was used
by Jigsaw, Billy the puppet from the Saw series. And
there was a message there that would state that, rather
than just a regular deadline, Jigsaw would delete files as
time passed. Like, every hour that passed would mean more

(35:45):
files deleted. So the longer you waited, the more information
you would lose. That gave that sense of urgency to
pay off the hackers. And also, if you turned
off your computer, it was even worse, really, because the
next time you booted your computer, one thousand files would
be deleted from your computer. It was an incentive to

(36:07):
not turn your system off, because once you turned
it on again, you would lose a thousand times what
you would lose every hour. It's pretty evil. By fourteen,
hackers were designing locker-based ransomware for Android systems, and
one of those was Svpeng, which used fake Adobe Flash
update messages to convince users to install the malware that

(36:30):
would lock you out of your Android device until you
paid a two hundred dollar ransom using MoneyPak. Those
are prepaid charge cards. So what happened is, when
you tried to activate your phone, instead of getting the
screen to unlock your phone, you got a message saying
you had to pay this amount of money in
MoneyPak to this particular account or you would not

(36:54):
get access to your phone again. A similar piece of
ransomware was called Koler, or K-O-L-E-R, or
Color if you prefer, which claimed that the holder of
the phone was being investigated by law enforcement and that
they were being fined as a result. So this is
playing on people's fear, right? Like, if you send them

(37:15):
a message saying, hey, you're in trouble and unless you
follow this link, you're gonna go to jail, that gives
people a big incentive to try and figure out what's
going on. A lot of people are going to click
that link, not thinking that, hey, the FBI probably doesn't
reach out through websites to let you know that you're
in trouble. They probably come door to door for that

(37:36):
kind of thing. But it's the sort of thing
that's meant to instill panic. And when we panic, we
make bad decisions. We make very quick decisions. We don't
think; we don't use critical thinking. So that's the whole
method of attack in this type of ransomware. So this
one also added a nasty additional kick. It was a

(37:58):
locker-worm type of malware that would then send
messages to anyone in the contact list of a compromised device.
So if you got me with that, if you sent
me a message saying, hey, we're the FBI and you're
totes in trouble, bro, and I fell for it and
I clicked on it, then the malware would
not only lock me out of my phone, it would go
through my contact list and send a message out to

(38:20):
everyone in my contact list with a similar message in
the hopes of catching even more people. So this way
you allow the virus to propagate across the network. All
you have to do is infect a couple of
well-connected people, and chances are you're going to see
a lot more infected devices as a result. That becomes
like a ripple effect that keeps moving out from the source.

(38:43):
People who are savvy to it will ignore it, but
that doesn't help all the people who don't ignore it.
It's pretty nasty stuff, though. By two thousand fifteen, enterprising
programmers began to create ransomware as a service, or
RaaS. Now, these were the people who had
designed the tools that other folks would actually use. So

(39:05):
you might have programmers who have no desire to actually
use ransomware themselves. They're not directly going to put it
to use. Instead, they'll sell it to hackers who do
want to use it but who don't have the ability
to program or design these algorithms or these types of malware,
and so you'd sell it for like a thousand to

(39:26):
three thousand dollars. That's a lot of money, but when
you factor in the fact that you can
demand five hundred bucks per locked computer, and if you're
hitting thousands of them, three thousand dollars is nothing. A
lot of these ransomware-as-a-service providers also demand
a certain percentage of the profits, like ten, but still

(39:49):
you're still talking huge amounts of money. So it doesn't
take very many victims to play ball before you recapture
your costs, and it makes ransomware even more prevalent. One
ransomware attack that made headlines in the United States happened
on November. That was the Friday following the US holiday
of Thanksgiving, which is also known as Black Friday. For

(40:12):
those who don't know what Black Friday is, it's
called that because a lot of stores will open
up with special sales, and it's all in an effort
to sell enough stuff to make an overall profit for
the end of the year, to go in the black,
as they say. If you're in the red, that means
that you're operating at a loss. If you're in the black,
you're operating at a profit. That's why it's called Black Friday. Well,

(40:33):
that's a very popular day for people to go out shopping,
and it means it's also a popular day to
just get outside and travel. So the hackers had targeted
San Francisco's municipal transportation system, also known as MUNI,
M-U-N-I, and on that day they were able
to infect the ticketing and bus management system for MUNI

(40:55):
with a ransomware attack. They demanded one hundred bitcoin for
the antidote, for the key to decode everything,
and at that time a hundred bitcoin was worth about
seventy three thousand dollars. But instead of paying the ransom,
MUNI decided to offer free rides to passengers while they

(41:17):
worked on a solution. So for two days you could
ride Muni absolutely free. You didn't have to have a
ticket or anything. You could just get on. But
then once they were able to reboot the system and
restore from backup, it was back to normal operations.
So it was only a temporary downtime for Muni. It

(41:37):
was very, you know, it was still damaging, because that's
two days without any revenue, but it showed that the
city of San Francisco, and Muni in particular, was not
willing to play ball by the hackers' standards. Now, there
are dozens of other variations that have appeared over the years,
but I think it's a good time to now look
over at the WannaCry virus, because that is

(42:00):
the most recent version of ransomware as of the recording
of this episode, and I'm gonna jump right into that
topic right after we take another break to thank
our sponsors. WannaCry is an aggressive, coordinated ransomware attack,

(42:21):
one of the biggest ransomware attacks in history, and it's
affected hundreds of thousands of computers, many of which are
part of the health care industry. Its main method of
compromising a machine is to exploit vulnerabilities that are in
an old build of the Server Message Block protocol, which
is part of a larger block of protocols that Windows

(42:45):
machines used for file sharing. Specifically, the virus could attack
computers that had inbound SMB communications on ports 139
or 445, and then there were some later
variants that aimed at different ports, but the initial one
was looking at those two. All you have to do
to protect yourself against this, by the way, is update

(43:06):
your computer to the latest Microsoft security patch. It removes
the vulnerability. Now, once the computer is infected, the malware
could sort of put out feelers across the local network.
So if this infected machine is on a local network
with other machines, it could then use that to send

(43:27):
the malware to the other devices on that local network,
so it could spread really fast. All it takes is
that one compromised device on a system to have it
spread throughout the entire system, and it made it particularly
dangerous for these interconnected devices that weren't up to date
on security patches. Now, before it made its debut, WannaCry
was published as part of a large group

(43:49):
of documents stolen from the NSA by a
group of hackers. So among those documents was a list
of twenty three hacking tools that targeted Windows vulnerabilities. One
of those hacking tools was codenamed EternalBlue, and that
is what would become WannaCry. So WannaCry started
off as an NSA-identified and targeted vulnerability

(44:14):
in Windows operating systems. This raises some tricky questions about
intelligence agencies and how they intersect with computer vulnerabilities that
I will get to in just a moment. But nearly
a month went by without WannaCry becoming a
public menace. So it was released by this group of
hackers into the wild. Anyone who went to Tor and

(44:34):
went to this particular site, or really file sharing
area, could get hold of these documents. But for about
a month nothing really happened. Then on May twelve, two
thousand seventeen, at eight forty two a.m. London time,
and I love how precise we can be with this,
the virus was unleashed, and the first attack lasted

(44:57):
for most of the day, and it compromised hundreds of
thousands of machines. But it wasn't as bad as it
could have been, because it got sidelined when a British
cybersecurity analyst found a URL embedded in the
WannaCry virus attack. That led them to a kill
switch for the virus. So this was something that the

(45:18):
hackers had built into the system, or really, you could
argue, the NSA built into the system so
that you could shut it off remotely. So they did.
They flipped the kill switch and it stopped the spread
of the virus right there. So it could have been
much worse than it was if it had been
left unchecked. The hacking group that was responsible was called

(45:41):
the Shadow Brokers. They sent out a message on
May sixteenth claiming to have many more exploits for sale
if hackers wanted to subscribe to their services. So they
were saying, hey, you see how much mess we made
with WannaCry? We have a whole lot more.
Just become a subscriber and then we'll share our tools
with you. Meanwhile, affected computers were causing huge headaches for

(46:04):
thousands of people in the UK. Several hospitals sent out
messages that some appointments and operations would be postponed while
they were working on fixing these compromised systems. They said
it just wasn't safe. It was putting people's health at
risk to try and maintain appointments and operations without having
those computer systems in place. Experts were working really

(46:28):
hard to restore systems from backups, but that's a pretty
slow process, and just the sheer number of affected computers
across multiple companies and multiple countries meant that there was
no coordinated effort. Right? Like, you had all these individual
little islands that were affected by this virus, and each
one had to respond to it in its own way,

(46:49):
in its own time. So there was no coordinated, major
effort to overturn the virus. It was just pockets of
that throughout the world. The same was true for other
systems all over the world. In all, fifty countries were
affected by the WannaCry virus. That being said, according
to ZDNet, despite the fact that the virus was

(47:10):
pretty widespread, only zero point one percent of the victims
have opted to pay the ransom. As of the ZDNet
report, the hackers had raised about a hundred eight
thousand dollars total, which, considering the size of the attack
and the number of systems that were compromised, is actually
a pretty small amount of money. A hundred eight thousand dollars,

(47:32):
it's a lot of money to me, but if you're
talking about the payoff for a massive attack on that scale,
it's a fraction of what those hackers were hoping for.
I'm sure of that. Now, here are some takeaways
from the WannaCry experience that I think are really important. First,
let's talk about the NSA. And I'm gonna
try and maintain my composure because I have very strong

(47:55):
feelings about this particular issue. So this is my own
personal opinion. This is not the opinion of
HowStuffWorks. It's just Jonathan Strickland's opinion. I find it
unconscionable that an intelligence agency would identify and design an
exploit for a vulnerability in software rather than informing the

(48:16):
respective parties about the vulnerability. So, in other words, instead
of going to Microsoft and saying, hey, we discovered
this vulnerability that's in your software, you should patch it
or else someone else might create an exploit for it,
they said, hey, there's a vulnerability in Windows. Let's create
our own exploit for it that we might end up

(48:36):
using for intelligence purposes in the future. Never mind the
fact that this puts everyone at risk, as is evidenced
by the fact that the WannaCry virus is
an actual thing. So the company Microsoft had no knowledge
of this vulnerability. They weren't aware that it existed. It

(48:57):
wasn't until the Shadow Brokers published those NSA
hacking tools that Microsoft found out about it, and then
they got to work creating a security patch to cover
and change that exploit so that it wouldn't work anymore.
And then they made the security patch available, so if
you installed it, you were fine. Your security patch was
up to date. Then at least the initial attack

(49:19):
of WannaCry wouldn't affect you, because the vulnerability
had been patched up. So I say shame on the
NSA for identifying and then building a tool
to exploit such a vulnerability for their own purposes. As
we've seen in this particular case, it can result in someone
else getting those same tools and using them to cause
a great deal of trouble. But it was also possible

(49:42):
that just by sitting on this information and not sharing
it with Microsoft, the NSA could have given
other parties the chance to discover that same weakness and
develop their own exploits for it, which would have been
even worse, because Microsoft wouldn't have known about it until after
people had been actively affected by that exploit. So, in

(50:03):
other words, even if the NSA had never had their
hacking tools stolen, let's say that the hackers never were
able to get hold of EternalBlue and turn it
into WannaCry. Even if that had never happened,
someone still might have discovered that Microsoft vulnerability and exploited it. Meanwhile,
the NSA had known about it the whole time.
I really maintain that it was their responsibility to share

(50:25):
that information with Microsoft, considering the potential for destruction. And
I find it really troubling that an intelligence agency can
act in such a way that puts hundreds of thousands
of computers and people, because we're talking about the health
care industry, at risk. I don't know that any intelligence
is worth that. Again, that's my own personal opinion. So

(50:49):
that's the Jonathan bias, to be perfectly blunt. But another
takeaway is that in order to practice good security, you
need to make sure your operating system is patched and current.
Now, I'm just as guilty as other people at putting
off installing updates. If you ever get that message, like,
you need to install some updates, chances are you've gotten

(51:11):
on the computer to do something specific and you don't
really want to put that off by installing updates. You
want to get to whatever it is you need to do,
and so you might just put it off, and you
might keep putting it off until your computer forces you
to do it. But really the better plan is to
go ahead and install those security patches when you get them,

(51:32):
so that you can make sure that your computer is
not vulnerable to these sorts of attacks. Plus, you know,
that often means that your system is just running more
effectively if it's patched properly. So just be sure you're
installing legitimate updates to your system, not falling for some
phishing scam. Typically you can tell, because if it's

(51:53):
the system itself that's prompting you to update, and you're
not in any browser or anything, you're probably pretty safe.
You're either pretty safe or your computer is already compromised,
in which case, you know, it's too late anyway. And finally,
back up your data. Use some sort of system to
back everything up, whether it's an external drive or a cloud

(52:14):
based system. Back up your information. That way, if worst
comes to worst, if you cannot retrieve your information because
of a ransomware attack, you can bite the bullet, wipe
your system, install the operating system again, go to your backups,
and restore from your backups. Now, that probably means that

(52:35):
you're gonna lose some stuff, because chances are you've generated
some data since the last time you did a backup.
Unless you're doing backups very frequently, that's always going to
be the case. But it's better to lose some data
rather than lose everything or be forced to pay into
a ransomware attack, because every time someone pays the hackers,

(52:58):
you are sending the message this is a way you
can make money, and you're inspiring other people to take
the same pathway as the hackers did, whether they're designing
their own or using an off-the-shelf ransomware-as-a-service
approach. So don't negotiate with the hackers. Instead,

(53:19):
use backups, patch your security, have up-to-date antivirus software
running, practice good web browsing and email hygiene, so that
you're not inviting these sorts of attacks into your life.
And if you do that, you really minimize the chance
that you will fall victim to this kind of attack.

(53:42):
Now, no system is ever going to be perfect,
no system is ever going to be foolproof, but you
reduce those odds drastically, and if you are backing
up your information, then you can at least, you know, again,
wipe your machine and start over again without worrying about
enabling some hackers and inspiring future generations of hackers

(54:06):
to do the same thing further down the line. And
that's it. That's all I have to say about ransomware
and WannaCry for this episode. I might end
up having to do another one in the future. The
story is still playing out as I record this episode,
so who knows. But if you guys have any suggestions
for future episodes of TechStuff, whether it's a topic
you want me to cover, or someone you would like
me to interview, or perhaps a guest host you would

(54:29):
love to see on the show, send me a message.
The email address for the show is techstuff at
howstuffworks dot com, or you can drop me
a line on Twitter or Facebook. The handle for the
show at both of those is TechStuffHSW.
And finally, you can watch this show stream live on Twitch.

(54:50):
I live stream all my recordings. You get
to see me make mistakes, chat with folks in between segments.
So if you want to be part of that, want
to be part of the community, go to twitch dot
tv slash techstuff. You'll be able to see the
show page and the schedule. And I would love for
you to join me someday in one of these podcast streams.

(55:12):
I have a lot of fun chatting with everyone there
and just kind of geeking out over technology. So join me,
won't you? And I'll talk to you guys again really
soon. For more on this and thousands of other topics,
visit howstuffworks dot com.
