On Friday, May 12th, 2017, the ransomware program WannaCry started spreading to computers all over the world at an alarming rate. A couple days later, it was basically completely contained with very little damage done. So what happened?

Hosted by: Hank Green
It was all over the news. Friday, May 12th, hospitals in the UK couldn't get access to their systems, and were turning patients away. Car factories in France had to shut down. A Spanish telecommunications company told their employees to shut down their computers.

Computers all over the world were being infected by WannaCry, a massive hacking attack that caused worldwide computer chaos.

By May 14th, more than 200,000 computers in more than 150 countries had been affected. And, yet, the attack didn't seem to cause much long-term damage, and the hackers only made about $100,000 in total.

We just witnessed one of the largest and strangest computer attacks ever.

WannaCry is an example of a type of attack called ransomware, where the data on an infected computer is encrypted, or scrambled. In return for restoring access to your files, the hackers demand a ransom payment.

In this case, either $300 or $600 worth of the digital currency Bitcoin.

There are lots of kinds of ransomware out there, but WannaCry spread very quickly using a tool that security experts believe was created by the NSA. To be clear, the NSA wasn't interested in ransom, just snooping.

But they created a tool that took advantage of a security weakness in Microsoft software. This tool, dubbed EternalBlue, exploits a vulnerability in something called the Server Message Block, or SMB, protocol.

The SMB protocol is basically a system for sharing file access across a network. It's used by lots of people all the time, and the reason why you might never have heard of it is that, normally, it's totally safe.

Well, the NSA discovered that in some versions of Windows, the SMB protocol can be tricked into accepting packets of data from remote attackers. EternalBlue was designed to use that flaw as a way in.

That's pretty freaky to think about, but no one outside of the NSA would have known about it, and WannaCry might never have happened, if it weren't for a leak earlier this year.

In April, the Shadow Brokers, a group of hackers that's thought to be tied to Russia, stole EternalBlue from the NSA and published the exploit online.

Microsoft quickly released a patch for the issue for the operating systems they still officially support, like Windows 7 and Windows 10.

In theory, that should've headed off any potential problems with the patch: EternalBlue would be useless. But not everyone actually installs patches and updates their systems regularly.

I mean, at some point, we have all clicked the little button saying 'Tomorrow. Remind me tomorrow'. It's annoying.

And more than 5% of Windows computers are still running XP, even though Microsoft stopped releasing security updates for it three years ago.

So, people and organizations worldwide were left with a gaping hole in their cyber security, which WannaCry took advantage of.

The UK's National Health Service hospital system was especially vulnerable because, as recently as last year, computers in 90% of NHS hospitals were still running XP.

It's easy to blame the hospitals for using a sixteen-year-old operating system, like, it doesn't seem that hard to upgrade. But it's not actually that simple.

From MRIs to microscopes, practically everything in hospitals uses computer programs, and it's often hard to get them to work properly with newer operating systems. So, upgrading everything would've been a major IT investment. 

But the hospitals' data was all backed up. So within a day of the attack, pretty much everything was up and running again, no ransom payments needed.

But, just like not everyone downloads and installs those annoying software updates, not everyone is as vigilant about backing up their data as they should be.

So, even though most big organizations were fine, lots of individual people were losing access to their data.

That is, until someone discovered that WannaCry had a major flaw: a kill switch that an anonymous cyber security expert in England discovered almost by accident.

This hero, who goes by the name MalwareTech, was looking through the WannaCry code as it spread on Friday and found that it was built to check whether or not a specific gibberish URL led to a live website.

So he registered the domain to see what would happen, and it turned out to be a kill switch built in by the ransomware's creators. Registering the URL was a signal that stopped the malware from spreading.

New variants of the malware have popped up and continue to spread, but they've mostly included their own kill switch domain name, leading to a game of cyber security whack-a-mole.

It's not clear why the hackers behind the attack included this in the code, but we're lucky they did. And that's the thing: the part of the ransomware's code that's based on EternalBlue is really sophisticated. But according to security experts, having a kill switch was like an amateur mistake.

And so was the way the hackers set up their ransom payment system. They didn't code it in a way that let them keep track of who actually paid the ransom, and it's set up so that they would have to decrypt each victim's files manually, which might explain why almost no one seems to have gotten their files decrypted.

So, a more sophisticated attack could have done a lot more damage.

At this point, there's no reason anyone else should be affected by WannaCry or its copycats. Microsoft released a special one-time patch for old operating systems that are vulnerable, including Windows XP.

So, no matter what you're running, you should be safe if you update. And if you were infected by WannaCry, security experts have released tools that can decrypt your files as long as you haven't rebooted your computer.

We still don't know for certain who was behind this, and we may never find out. This won't be the last time that a malware attack sweeps the planet, though. Hackers are always finding new vulnerabilities, and there will always be people who do not update right away.

So, WannaCry's lesson is clear: install those updates! And back up your stuff!

Thanks for watching this episode of SciShow News. Hopefully, we won't have to make another news episode about a massive computer attack anytime soon, but if you wanna learn more about some really bad ones, check out our video on the worst computer viruses of all time.
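Two of the behaviours the episode describes, the kill-switch domain lookup and worm-style spreading from one machine to many others over SMB, are things a defender can look for in network logs. The script below is an added example, not code from the video or from MalwareTech; it assumes a placeholder kill-switch name (the real domain is not given here), the general fact that SMB runs over TCP port 445, an assumed fan-out threshold, and constructed sample log lines.

```python
from collections import defaultdict

# Placeholder standing in for the "gibberish" kill-switch domain; the real
# name is not reproduced here.
KILL_SWITCH_DOMAIN = "example-killswitch-placeholder.invalid"
SMB_PORT = 445          # SMB runs over TCP/445 (general fact, not from the video)
FANOUT_THRESHOLD = 5    # distinct SMB peers per host before alerting; assumed tuning

# Constructed sample log, one event per line:
#   "<timestamp> <source-ip> dns <queried-name>"
#   "<timestamp> <source-ip> conn <dest-ip>:<dest-port>"
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.0.5 dns example-killswitch-placeholder.invalid
2017-05-12T10:00:02 10.0.0.5 conn 10.0.0.6:445
2017-05-12T10:00:02 10.0.0.5 conn 10.0.0.7:445
2017-05-12T10:00:02 10.0.0.5 conn 10.0.0.8:445
2017-05-12T10:00:03 10.0.0.5 conn 10.0.0.9:445
2017-05-12T10:00:03 10.0.0.5 conn 10.0.1.10:445
2017-05-12T10:00:03 10.0.0.5 conn 10.0.1.11:445
2017-05-12T10:00:05 10.0.0.9 dns updates.example.com
2017-05-12T10:00:06 10.0.0.9 conn 10.0.0.1:445
2017-05-12T10:00:07 10.0.0.9 conn 10.0.0.1:445
not a valid log line
"""

def parse_line(line):
    """Split one log line into (source, kind, value); None if malformed."""
    parts = line.split()
    if len(parts) != 4 or parts[2] not in ("dns", "conn"):
        return None
    return parts[1], parts[2], parts[3]

def analyze(log_text):
    """Return {host: [findings]} for hosts showing either indicator."""
    smb_peers = defaultdict(set)   # host -> distinct hosts it contacted on 445
    findings = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                # skip malformed lines instead of crashing
        src, kind, value = parsed
        if kind == "dns" and value.lower().rstrip(".") == KILL_SWITCH_DOMAIN:
            findings[src].append("kill-switch domain lookup")
        elif kind == "conn" and value.rpartition(":")[2] == str(SMB_PORT):
            smb_peers[src].add(value.rpartition(":")[0])
    for host, peers in smb_peers.items():
        if len(peers) >= FANOUT_THRESHOLD:
            findings[host].append(f"SMB fan-out to {len(peers)} distinct hosts")
    return dict(findings)
```

A single host that both resolves the kill-switch name and then reaches out to many peers on 445 is the pattern worth paging someone about; a normal client talking repeatedly to one file server is not flagged.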