WEBVTT - Ransomware and WannaCry 0:00:04.200 --> 0:00:07.240 Get in text with technology with tech Stuff from how 0:00:07.280 --> 0:00:14.000 stuff works dot com. Hey there, and welcome to tech Stuff. 0:00:14.040 --> 0:00:17.840 I'm your host, senior writer John in Strickland right for 0:00:17.960 --> 0:00:20.720 how stuff works dot com. It's a groovy website. You've 0:00:20.760 --> 0:00:23.280 never been there. You should go check it out. You've 0:00:23.320 --> 0:00:25.360 been listening to tech stuff all this time and didn't 0:00:25.440 --> 0:00:29.760 know there was website. Work on your listening skills. I 0:00:29.840 --> 0:00:32.360 love you how stuff works dot Com. Check it out. 0:00:32.400 --> 0:00:34.479 So today I thought take a look at a tech 0:00:34.560 --> 0:00:37.120 story that happened not too long ago as the recording 0:00:37.120 --> 0:00:41.159 of this podcast. I'm recording it on ma It is 0:00:41.200 --> 0:00:43.960 publishing much later than that, but not too long ago 0:00:44.000 --> 0:00:48.640 from today. A virus emerge that really caused a lot 0:00:48.680 --> 0:00:52.600 of headaches, particularly in the UK and a lot of 0:00:52.640 --> 0:00:54.600 other countries. Not so much in the United States, but 0:00:54.720 --> 0:00:58.200 a lot of other ones. And it's called Wanna Cry. 0:00:58.640 --> 0:01:02.360 It's the Wanna Cry ran somewhere virus. It really became 0:01:02.400 --> 0:01:06.200 big news starting on May twelve, sen That's where when 0:01:06.200 --> 0:01:08.760 it went viral for the first time and spread the 0:01:08.840 --> 0:01:12.880 thousands of machines. Uh. The account goes anywhere between two 0:01:13.000 --> 0:01:16.959 hundred thousand and four hundred thousand computers, depending upon what 0:01:17.040 --> 0:01:21.280 authority you're looking at. I want to cry was exploiting 0:01:21.280 --> 0:01:26.080 a vulnerability in a protocol used by the Windows operating system. 0:01:26.120 --> 0:01:28.360 But I'll explain all of that a little bit later. First, 0:01:28.440 --> 0:01:33.080 let's talk about what ransomware is and where it came from. So, 0:01:34.120 --> 0:01:39.400 to put it simply, ransomware is a subset of malware, 0:01:39.640 --> 0:01:44.600 and malware stands for malicious software. Um. You might also 0:01:44.640 --> 0:01:47.919 hear it described as a computer virus. That's largely because 0:01:47.920 --> 0:01:50.800 in the early days of personal computers there are really 0:01:50.800 --> 0:01:53.880 only two major types of malware, and those were viruses 0:01:53.960 --> 0:01:57.800 and worms. Uh, and so we've often used computer viruses 0:01:57.880 --> 0:02:00.480 shorthand for malware. But there are a lot and lots 0:02:00.520 --> 0:02:03.120 of different kinds of malware out there, and so using 0:02:03.120 --> 0:02:05.600 a term like virus is not as specific as most 0:02:05.600 --> 0:02:08.600 people would prefer. But what the heck is a virus 0:02:08.600 --> 0:02:10.160 and what the heck is a worm? Well, a virus 0:02:10.200 --> 0:02:13.000 is some malicious code that a programmer designs that inserts 0:02:13.000 --> 0:02:16.280 itself into another program. They're typically part of some sort 0:02:16.280 --> 0:02:19.520 of executable file, so e x E in the Windows 0:02:19.520 --> 0:02:23.120 operating System world or DOSS. Even the virus does not 0:02:23.280 --> 0:02:27.160 activate until the computer runs the respective file. So you 0:02:27.200 --> 0:02:29.680 can have a computer that has a virus on it, 0:02:29.800 --> 0:02:32.680 but the virus is inactive. It is dormant because you 0:02:32.760 --> 0:02:35.600 have not yet run that file, and as long as 0:02:35.600 --> 0:02:38.880 you don't run that file, the virus will remain dormant. 0:02:38.919 --> 0:02:41.919 It will be inert. But once you run the file, 0:02:42.000 --> 0:02:44.960 it activates the virus and it ends up replicating itself. 0:02:45.880 --> 0:02:48.920 Sometimes it will use other programs to spread itself to 0:02:49.160 --> 0:02:53.440 other machines. In the old days, before you had networked computers, 0:02:53.600 --> 0:02:56.080 it would essentially replicate itself over and over again in 0:02:56.200 --> 0:03:00.480 order to overwrite everything on the computer and essentially jam 0:03:00.520 --> 0:03:04.320 everything up. You couldn't end up saving anything to the computer. 0:03:04.639 --> 0:03:09.160 Everything would be overwritten by this virus, essentially rendered your 0:03:09.160 --> 0:03:15.040 computer useless. Uh. It's pretty nasty stuff. The worm, on 0:03:15.080 --> 0:03:17.760 the other hand, is a self propagating piece of code 0:03:17.800 --> 0:03:20.800 that does not rely on another file, and typically the 0:03:20.880 --> 0:03:25.200 programmer depends upon some sort of trick like social engineering 0:03:25.280 --> 0:03:28.440 to get people to execute the worm and start that 0:03:28.560 --> 0:03:32.120 self propagation process. Now, both viruses and worms are part 0:03:32.160 --> 0:03:35.080 of a larger classification of malware, and ransomware is a 0:03:35.120 --> 0:03:40.200 specific type of malware that as the name suggests holds 0:03:40.200 --> 0:03:44.200 a victim's computer for ransom. It doesn't break into their 0:03:44.240 --> 0:03:46.360 house and steal it and then put a gun to 0:03:46.440 --> 0:03:49.520 the monitor and say pay up or it gets it. 0:03:50.000 --> 0:03:52.440 Otherwise you would just need a particular set of skills 0:03:52.960 --> 0:03:55.200 to go after those folks, as we learned in the 0:03:55.240 --> 0:04:00.240 documentary Taken. Typically, malware that as ransomware will do one 0:04:00.240 --> 0:04:04.560 of two things. The most common version on desktop machines 0:04:04.600 --> 0:04:08.880 and laptops is that it will encrypt the victims computer, 0:04:09.480 --> 0:04:12.160 so that means it will encode your computer so that 0:04:12.200 --> 0:04:15.280 none of your files will be readable or even you know, 0:04:15.320 --> 0:04:17.120 you won't even be able to locate them because they're 0:04:17.160 --> 0:04:22.920 all renamed. Under this nonsense encryption approach, that can end 0:04:23.000 --> 0:04:25.760 up causing your computer to be useless or at least 0:04:26.000 --> 0:04:30.000 give make it your information inaccessible. The goal is to 0:04:30.080 --> 0:04:32.839 get the victim to fork over some cash and in return, 0:04:33.200 --> 0:04:36.320 the hackers will decrypt the computer. They'll give whatever the 0:04:36.360 --> 0:04:41.880 password is or the methodology to decrypt all the information 0:04:41.880 --> 0:04:43.720 and turn it back to the way it was before 0:04:43.880 --> 0:04:50.120 it was attacked. Now, uh, there's the second variant of 0:04:50.240 --> 0:04:54.640 ransomware that doesn't encrypt a computer. Instead, what it does 0:04:54.760 --> 0:04:57.919 is locks people out of a device. This is the 0:04:58.120 --> 0:05:02.440 locker version of in somewhere. It's most frequently seen in 0:05:02.560 --> 0:05:07.000 Android based devices, so mostly mobile sets like handsets, tablets, 0:05:07.040 --> 0:05:10.960 that kind of thing. And essentially hackers full of victim 0:05:11.000 --> 0:05:14.600 into downloading and installing a malicious app, and then the 0:05:14.920 --> 0:05:17.839 app will then activate this software that locks the victim 0:05:17.920 --> 0:05:21.040 off from accessing their device. They won't be able to 0:05:21.080 --> 0:05:24.520 use it, essentially bricks it until you are to pay 0:05:24.600 --> 0:05:26.640 up a ransom. You might get like a little screen 0:05:27.200 --> 0:05:30.160 that demons that shows you, you know, until you pay 0:05:30.560 --> 0:05:35.279 x amount to why you won't have access to this device. 0:05:35.920 --> 0:05:37.719 So you are told that you have to pay the 0:05:37.720 --> 0:05:39.680 hackers in order to regain access to your device. And 0:05:39.640 --> 0:05:43.440 in either case, ransomware is not pretty. Now. This is 0:05:43.839 --> 0:05:48.279 similar to, but distinct from, another scheme that some hackers 0:05:48.320 --> 0:05:52.599 employ over the last few years, which is blackmail. Hacker 0:05:52.640 --> 0:05:57.240 groups like rex Mundy have targeted large corporations with a 0:05:57.279 --> 0:06:01.440 goal of infiltrating their systems and dealing as much data 0:06:01.520 --> 0:06:06.480 as possible, including customer data. That's one of the big targets. 0:06:06.520 --> 0:06:10.839 So having that customer data is a very powerful tool. 0:06:11.120 --> 0:06:14.720 Companies do not want their customers to lose confidence in them. 0:06:15.160 --> 0:06:17.760 So if a hacker group is able to get hold 0:06:17.800 --> 0:06:20.360 of a huge amount of customer information from a company 0:06:20.640 --> 0:06:23.000 and then say, hey, if you don't pay up, we're 0:06:23.000 --> 0:06:26.760 going to release this information or we're gonna sell it off. Uh, 0:06:26.839 --> 0:06:29.960 it's bad news and it's very hard to recover as 0:06:29.960 --> 0:06:33.440 a company if you've suffered that kind of data breach. 0:06:34.400 --> 0:06:37.839 So it's similar to blackmail, but not exactly the same 0:06:37.880 --> 0:06:40.960 because with ransomware, the hackers might not even be interested 0:06:41.040 --> 0:06:44.280 at all in what's on the computer systems they target. 0:06:44.600 --> 0:06:49.240 They don't care if there's customer information or if it's 0:06:49.400 --> 0:06:53.120 internal systems that that doesn't matter. What they want to 0:06:53.200 --> 0:06:57.160 do is affect as many critical computers as they possibly 0:06:57.200 --> 0:07:01.000 can with ransomware, because if it's a critical device, if 0:07:01.000 --> 0:07:04.280 it's something that's very important for the operations of a 0:07:04.400 --> 0:07:08.799 larger organization or company, then that puts a huge amount 0:07:08.800 --> 0:07:11.239 of pressure on the company to pay up the ransom 0:07:11.360 --> 0:07:16.000 so they can get access to that critical hardware. Again, um, 0:07:16.040 --> 0:07:19.080 that's the whole point of ransomware. They don't they don't 0:07:19.120 --> 0:07:21.000 care if it's you know, what the nature of the 0:07:21.040 --> 0:07:24.080 stuff is, as long as it's important because they're not 0:07:24.240 --> 0:07:27.440 after the data itself there after money. They just want 0:07:27.440 --> 0:07:29.480 to lock down those computers as much as they can 0:07:30.360 --> 0:07:32.920 and then convince people to pay them so that they 0:07:32.920 --> 0:07:37.400 can unlock them. Now, the first recorded instance of ransomware 0:07:38.000 --> 0:07:41.520 was called the AIDS trojan and it was designed by 0:07:41.640 --> 0:07:46.280 Joseph L. Pop p O p P. That particular attack 0:07:46.320 --> 0:07:49.080 falls under the category of the trojan horse, which is 0:07:49.360 --> 0:07:52.679 of course named after the legendary gift to the city 0:07:52.680 --> 0:07:56.920 of Troy that secretly housed invading soldiers that were from Greece. 0:07:57.680 --> 0:08:02.040 A trojan horse is malware that that looks like a 0:08:02.080 --> 0:08:05.320 regular program. It fools someone into thinking they're using some 0:08:05.720 --> 0:08:09.600 benign piece of software, but in reality they're essentially handing 0:08:09.600 --> 0:08:11.920 over some critical part of their computer systems to the 0:08:11.920 --> 0:08:14.360 whims of a hacker. So a lot of trojan horse 0:08:14.400 --> 0:08:18.679 programs these days are programs that look like they're innocent. 0:08:19.040 --> 0:08:21.520 You run them, and then it allows a hacker to 0:08:21.560 --> 0:08:25.360 get a back end, like a back door entry into 0:08:25.440 --> 0:08:29.640 your computer, usually administrative level control, and from there they 0:08:29.640 --> 0:08:31.960 can do lots of different things. They can lock you 0:08:32.000 --> 0:08:34.640 out of a system, They can allow you to continue 0:08:34.760 --> 0:08:37.040 using a system so that you don't know that they're 0:08:37.040 --> 0:08:39.920 even there. They can spy on what you're doing. They 0:08:39.920 --> 0:08:43.000 can even redirect your computer to send traffic to a 0:08:43.160 --> 0:08:46.600 target machine as part of the distributed denial of service attacks. 0:08:46.679 --> 0:08:50.720 So this is a very common ploy that hackers will 0:08:50.800 --> 0:08:54.840 use in order to build bot nets or computer armies. Now, 0:08:55.240 --> 0:09:00.160 the AIDS trojan virus predates the World Wide Web, so 0:09:00.800 --> 0:09:04.120 this was not a virus that was spread over email. 0:09:04.160 --> 0:09:08.960 It wasn't spread over a compromised website. It was distributed 0:09:09.040 --> 0:09:14.200 actually on floppy disks, good old floppy disks, and they 0:09:14.200 --> 0:09:18.480 were sent over the postal service. Most of the recipients 0:09:18.559 --> 0:09:22.360 were from other parts of the world, not the United States. 0:09:22.400 --> 0:09:24.800 Here in the US, we really didn't have an issue 0:09:24.800 --> 0:09:29.240 with the AIDS trojan virus directly. These were the targeted 0:09:29.280 --> 0:09:32.400 systems were mostly in other places in the world, like Europe, 0:09:32.400 --> 0:09:36.719 in Africa, in uh Asia, that kind of thing. So 0:09:38.120 --> 0:09:44.280 the target for this attack happened to be companies and 0:09:44.360 --> 0:09:49.040 agencies that were either in education or healthcare, and they 0:09:49.040 --> 0:09:53.480 were concerned with educating people about the AIDS virus. The 0:09:53.559 --> 0:09:57.000 disc was posing as educational software that was to teach 0:09:57.040 --> 0:10:00.520 you about the AIDS virus. So it's pretty insidious that 0:10:00.600 --> 0:10:03.800 it was. It took on this form. The software on 0:10:03.840 --> 0:10:07.160 the disc included an actual survey that would tell the 0:10:07.200 --> 0:10:09.920 taker what their odds were of contracting the AIDS virus 0:10:09.960 --> 0:10:13.440 based off their responses. So, for example, it might ask 0:10:13.600 --> 0:10:17.240 if you take intrivinous drugs and if so, do you 0:10:17.280 --> 0:10:20.560 share needles? That sort of thing, and as you would 0:10:20.600 --> 0:10:22.880 answer it, it would give you the odds of you 0:10:23.080 --> 0:10:25.960 contracting the AIDS fires. So on the surface, it seemed 0:10:26.000 --> 0:10:30.480 like actual educational software. What you didn't realize as you 0:10:30.600 --> 0:10:33.160 ran this software on your computer is that in the 0:10:33.200 --> 0:10:37.240 background code was running so that it would infect the computer, 0:10:37.360 --> 0:10:40.800 and after a predetermined number of reboots to the system, 0:10:40.880 --> 0:10:44.160 the software would encrypt all of your files. So, in 0:10:44.160 --> 0:10:47.240 other words, it would set up as kind of a 0:10:47.280 --> 0:10:51.200 doomsday clock, except instead of time, it was in reboots. 0:10:51.520 --> 0:10:53.600 So every time you shut down your system and turned 0:10:53.640 --> 0:10:57.400 it on, you were one step closer to activating this worm, 0:10:57.720 --> 0:11:00.720 and eventually you would hit that threshold old and the 0:11:00.760 --> 0:11:02.840 next time you turned on your computer, all of your 0:11:03.000 --> 0:11:08.360 files would get encrypted by this by this malware. The 0:11:08.400 --> 0:11:11.000 only thing you would see when you would reboot that 0:11:11.120 --> 0:11:15.160 system that last time would be a message that says 0:11:15.320 --> 0:11:17.960 turn on a printer. So essentially you'd have to have 0:11:18.000 --> 0:11:21.520 a printer connected to the affected computer and when you 0:11:21.559 --> 0:11:23.760 turned it on, it would send a print command to 0:11:23.880 --> 0:11:26.120 the printer and print on a sheet of paper with 0:11:26.200 --> 0:11:30.760 the instructions to pay the ransom, which is kind of interesting, 0:11:30.800 --> 0:11:35.000 a little primitive, but obviously you didn't have bitcoin or 0:11:35.000 --> 0:11:38.800 anything like that back in those days, so the ransom 0:11:38.840 --> 0:11:43.040 note would print out once the computer was activated or 0:11:43.120 --> 0:11:46.680 connected to an activated printer. The note directed victims to 0:11:46.760 --> 0:11:50.559 send one eighty nine dollars to a post office box 0:11:50.640 --> 0:11:55.840 located in Panama. After doing so, uh Pop, who of 0:11:55.880 --> 0:11:59.920 course was not identifying himself as the perpetrator, promised that 0:12:00.040 --> 0:12:03.120 he would send the decryption program to unlock the contents 0:12:03.160 --> 0:12:06.280 of the victim's computers. In the UK, where the virus 0:12:06.320 --> 0:12:09.720 was first reported, some medical institutions began to delete data 0:12:09.840 --> 0:12:12.160 rather than pay the ransom. They were worried that their 0:12:12.200 --> 0:12:15.440 systems have been totally compromised and that a hacker had 0:12:15.559 --> 0:12:18.200 access to all of that data, so as a result, 0:12:18.760 --> 0:12:22.199 they started the leading stuff, and in fact other parts 0:12:22.200 --> 0:12:26.080 of the world were following a similar strategy. The Independent 0:12:26.480 --> 0:12:29.960 reported that there was one organization in Italy that lost 0:12:30.160 --> 0:12:33.880 a decade's worth of AIDS research as a result of this, 0:12:34.000 --> 0:12:37.760 because there was a panic that uh, the compromised data 0:12:37.800 --> 0:12:41.760 could be otherwise changed or altered, UH, which I guess 0:12:41.800 --> 0:12:44.840 is repetitive or redundant, but at any rate that they 0:12:44.880 --> 0:12:48.040 were worried that this vulnerability was worse than what they 0:12:48.080 --> 0:12:52.360 were already seeing. So there were people who who lost 0:12:52.480 --> 0:12:55.200 years and years of work as a result of this 0:12:55.520 --> 0:12:59.160 ransomware attack. Now I mentioned earlier, we know who made 0:12:59.160 --> 0:13:03.040 this virus. So knowing who made it, what exactly happened? 0:13:03.040 --> 0:13:05.760 How did this story unfold? It's a bit strange, to 0:13:05.760 --> 0:13:07.920 be honest. So let's give you some background on the 0:13:07.960 --> 0:13:10.360 man who had programmed the virus in the first place. 0:13:10.920 --> 0:13:15.800 Joseph L. Pop had graduated with a PhD from Harvard University, 0:13:15.840 --> 0:13:19.480 and he was in the field of evolutionary biologies, not 0:13:19.600 --> 0:13:22.520 in the field that you would immediately associate with someone 0:13:22.559 --> 0:13:28.360 who's programming the world's first ransomware virus. UH. He was 0:13:28.760 --> 0:13:33.319 actually not an enemy to AIDS research. That was his field. 0:13:33.640 --> 0:13:38.080 He was consulting with the World Health Organization in the 0:13:38.160 --> 0:13:41.600 area of AIDS research over in Kenya, so why would 0:13:41.640 --> 0:13:44.840 he design a computer program that locked away computers used 0:13:44.880 --> 0:13:47.080 by people who were trying to research AIDS and provide 0:13:47.160 --> 0:13:51.440 education for at risk populations. Well, that depends upon whose 0:13:51.559 --> 0:13:55.520 story you believe. So story number one came from Pop's lawyer, 0:13:55.600 --> 0:13:59.520 who said that Pop's plan was to shake things up. 0:14:00.080 --> 0:14:04.440 He wanted to change the the whole model of how 0:14:04.720 --> 0:14:08.679 AIDS research was going about. He thought it was two regimented, 0:14:08.720 --> 0:14:11.520 he thought it was off base. According to the lawyer, 0:14:12.280 --> 0:14:15.200 uh and that Pop's plan was to use the ransom 0:14:15.280 --> 0:14:18.199 money that he would get from people paying this d 0:14:18.720 --> 0:14:23.840 dollars a pop to fund alternative AIDS education programs. So 0:14:24.160 --> 0:14:26.680 you could argue that if this is actually the case, 0:14:27.080 --> 0:14:30.200 this was a protest against the establishment and their approach 0:14:30.200 --> 0:14:32.080 to AIDS research. So you would think of Pop as 0:14:32.120 --> 0:14:37.040 some sort of crypto activist or crypto anarchist. But the 0:14:37.120 --> 0:14:40.320 judge in the case actually disagreed with this and said 0:14:40.360 --> 0:14:43.480 that Pop just wasn't even fit to stand trial, and 0:14:43.520 --> 0:14:47.640 this was because his behavior had become something pretty strange 0:14:47.640 --> 0:14:51.440 and erratic. He was the reason he was caught in 0:14:51.480 --> 0:14:54.120 the first place. I mean, he could have just gotten 0:14:54.120 --> 0:14:56.160 away from Europe and and no one would have ever 0:14:56.200 --> 0:14:59.000 known it was him. The reason he was caught was 0:14:59.040 --> 0:15:03.200 that he was in an airport in Amsterdam and he 0:15:03.240 --> 0:15:08.120 wrote the sentence doctor Pop has been poisoned, which I 0:15:08.160 --> 0:15:11.480 think would make a great title for an album, but 0:15:11.560 --> 0:15:16.920 he wrote it on another passenger suitcase. It's pretty strange already. 0:15:16.960 --> 0:15:21.600 Apparently he had been um acting somewhat unusually as the 0:15:21.680 --> 0:15:24.360 stress was getting to him about trying to get out 0:15:24.360 --> 0:15:29.800 of Europe while this story about the AIDS trojan virus 0:15:29.960 --> 0:15:33.440 was making headlines over there, so he was feeling a 0:15:33.440 --> 0:15:36.680 lot of pressure, and according to some stories, at least 0:15:36.720 --> 0:15:39.880 he cracked well. The authorities saw that he was writing 0:15:39.880 --> 0:15:43.000 stuff on other people's suitcases and took him aside for questioning, 0:15:43.000 --> 0:15:45.800 and they searched his baggage, and when they did, they 0:15:45.840 --> 0:15:49.360 found evidence that he was the one behind manufacturing and 0:15:49.400 --> 0:15:53.960 distributing all those discs that had the malware on them. So, 0:15:54.000 --> 0:15:56.800 while he was waiting for trial in the UK, his 0:15:56.880 --> 0:16:01.840 behavior grew increasingly strange, and eventually Judge Jeffrey Rivlin dismissed 0:16:01.840 --> 0:16:04.920 the case because he said that Pop was unfit to 0:16:05.040 --> 0:16:10.240 stand trial. Pop was released and essentially got off scott free. 0:16:10.320 --> 0:16:14.680 He eventually would open up a butterfly conservatory in upstate 0:16:14.680 --> 0:16:17.720 New York. So you can go see Joseph L. Pop's 0:16:17.760 --> 0:16:22.800 butterfly Conservatory and see the the conservatory built by a 0:16:22.800 --> 0:16:25.920 guy who built the first ransomware in the world, which 0:16:25.920 --> 0:16:29.360 is a little unusual. There is another theory about what 0:16:30.160 --> 0:16:34.200 pops motivations were that have nothing to do with crypto 0:16:34.320 --> 0:16:41.720 anarchist tendencies or erratic behavior. It's not nearly as grand 0:16:41.720 --> 0:16:43.720 an act as all that, it's not as strange as 0:16:43.760 --> 0:16:46.280 all that. The theory states that Pop was actually just 0:16:46.360 --> 0:16:50.120 seeking revenge. He had been passed over for a position 0:16:50.280 --> 0:16:53.600 with the World Health Organization, so some theories say he 0:16:53.640 --> 0:16:55.960 got very upset that he wasn't picked for this job, 0:16:56.440 --> 0:16:59.280 and as a result, he designed and then unleashed the 0:16:59.400 --> 0:17:04.480 software targeting organizations that he felt he should have been 0:17:05.400 --> 0:17:07.960 taking a larger role in, but because he got passed over, 0:17:08.320 --> 0:17:10.800 he didn't have that opportunity. And he even had a 0:17:10.800 --> 0:17:13.840 digital diary that contained evidence that he had been planning 0:17:14.000 --> 0:17:15.960 this attack for more than a year and a half, 0:17:16.640 --> 0:17:19.600 so it was a premeditated act, not something that was 0:17:19.680 --> 0:17:24.840 done spontaneously, at least according to that digital diary. Ah. So, 0:17:25.800 --> 0:17:27.200 there are some people who say that he was just 0:17:27.359 --> 0:17:30.119 bitter about not getting that job, and that was the 0:17:30.119 --> 0:17:33.280 motivation he had for building the first ransomware. But whatever 0:17:33.280 --> 0:17:35.920 the reason, he didn't serve any time for his crime. 0:17:36.080 --> 0:17:39.560 And his encryption scheme was relatively simple to reverse. It 0:17:39.600 --> 0:17:45.359 was symmetric encryption, and it wasn't particularly robust, so after 0:17:45.480 --> 0:17:48.480 some time, experts were able to figure out how to 0:17:48.560 --> 0:17:52.879 reverse engineer it, essentially using brute force to decrypt the 0:17:53.320 --> 0:17:58.760 affected computers. So uh, it really wasn't as bad as 0:17:58.800 --> 0:18:02.040 it could have been, or as it later would turn 0:18:02.160 --> 0:18:06.240 to be, as future ransomware hackers would create more robust 0:18:06.480 --> 0:18:14.240 means of of putting your data off limits. So one 0:18:14.280 --> 0:18:20.560 thing that Pop also set into motion was this tendency 0:18:20.680 --> 0:18:25.360 for hackers who have developed ransomware to target healthcare organizations, 0:18:25.600 --> 0:18:29.960 whether it's hospitals or organizations that are related to healthcare, 0:18:30.640 --> 0:18:33.600 that's a prime target for ransomware. And the reason is 0:18:34.000 --> 0:18:39.080 the information inside those computers is critical, literally critical to 0:18:39.119 --> 0:18:43.640 the lives of human beings. So by targeting these very 0:18:43.720 --> 0:18:48.440 critical systems that have a high sense of of urgency 0:18:48.520 --> 0:18:53.480 about the data that they contain, the hackers are maximizing 0:18:53.520 --> 0:18:58.000 the chance that people will give in and pay their demands. 0:18:58.040 --> 0:19:02.280 So two different trends that he started. He started the 0:19:02.359 --> 0:19:06.360 ransomware trend and he started the targeting healthcare trend, both 0:19:06.440 --> 0:19:11.120 of which are pretty odious, I would say, But yeah, 0:19:11.160 --> 0:19:13.640 the more valuable and urgent the information is, the more 0:19:13.720 --> 0:19:16.880 likely you are to pay up when something gets locked away. 0:19:17.600 --> 0:19:23.240 Now we'll talk more about early ransomware in just a minute, 0:19:23.280 --> 0:19:26.280 but before we jump into that, let's take a quick 0:19:26.320 --> 0:19:38.200 break to thank our sponsor. So early ransomware attackers would 0:19:38.720 --> 0:19:42.040 originally they were building their own encryption codes to convert 0:19:42.119 --> 0:19:45.679 files into seemingly meaningless gibberish. So what's going on with 0:19:45.760 --> 0:19:47.880 encryption in the first place? What does that actually mean? 0:19:48.240 --> 0:19:50.119 I used the term a lot. You've probably heard it 0:19:50.160 --> 0:19:52.480 a lot, and some of you are probably very familiar 0:19:52.840 --> 0:19:55.560 with the whole concept of encryption. But in case you 0:19:55.600 --> 0:19:58.560 are not, and you're wondering, what does that even mean? 0:19:59.040 --> 0:20:01.680 I mean, I get that it turning my files into 0:20:01.680 --> 0:20:04.840 stuff that I can't read, but what is actually happening? 0:20:05.080 --> 0:20:08.840 I thought I would give a very very basic explanation 0:20:08.840 --> 0:20:12.119 of what encryption is. Now, keep in mind, this is 0:20:12.160 --> 0:20:16.720 at its most basic level encryption involves using a key 0:20:16.840 --> 0:20:19.760 to encode data in a way that makes it meaningless 0:20:19.800 --> 0:20:24.480 to an outside observer who does not also possess that key. 0:20:24.480 --> 0:20:27.679 So this is just making codes essentially, It's what it 0:20:27.680 --> 0:20:30.280 boils down to. It's just using a very advanced algorithm 0:20:30.280 --> 0:20:33.280 in order to do it, and using a huge number 0:20:33.400 --> 0:20:37.280 of potential of variations on that so that you make 0:20:37.280 --> 0:20:41.640 it very very difficult for people to reverse engineer the 0:20:41.640 --> 0:20:46.560 strategy you use to encrypt the information, thus making it safe. Uh, 0:20:46.600 --> 0:20:49.360 if you use a very simple set of rules, then 0:20:49.400 --> 0:20:52.280 obviously your data isn't that safe. All it takes is 0:20:52.400 --> 0:20:55.320 someone to notice what the rules are and then they 0:20:55.320 --> 0:20:59.400 can reverse it that way. So if you've ever used 0:20:59.400 --> 0:21:03.720 a substitut tuition cipher, you're you've experimented with an extremely 0:21:03.760 --> 0:21:06.600 simple version of encryption. So you might decide with a 0:21:06.600 --> 0:21:09.159 buddy that you're going to shift all the meaning of 0:21:09.280 --> 0:21:12.880 letters one over from their actual place on the alphabet, 0:21:13.280 --> 0:21:15.800 so that when you write your to a message encode 0:21:15.960 --> 0:21:19.080 to your buddy, a B is an A, and a 0:21:19.200 --> 0:21:21.400 C is a B, and so on and so forth. 0:21:21.400 --> 0:21:25.919 That's a very simple one shift substitution cipher. When you 0:21:26.000 --> 0:21:29.159 receive a message, you use that key, which in this 0:21:29.200 --> 0:21:32.680 case is just that very simple rule to decode the message, 0:21:32.720 --> 0:21:34.479 and then you read it, and then later that night 0:21:34.520 --> 0:21:37.439 you'll probably TP someone's home, because that's the kind of 0:21:37.440 --> 0:21:39.200 thing we allows the kids used to do before there 0:21:39.240 --> 0:21:44.119 was an Internet and Nintendo switches and whatnot. Obviously, computers 0:21:44.119 --> 0:21:47.520 are using much more robust encryption techniques than a simple 0:21:47.560 --> 0:21:50.399 substitution cipher. The goal is to create a method of 0:21:50.480 --> 0:21:53.080 encryption that is so sophisticated that it would take someone 0:21:53.600 --> 0:21:57.480 years or even decades before they could decrypt the information 0:21:57.600 --> 0:22:00.800 without the use of a key in others, to use 0:22:00.880 --> 0:22:05.800 brute force. Brute force is essentially when you just tele computer, 0:22:06.400 --> 0:22:09.480 I want you to work through every variation of this 0:22:10.000 --> 0:22:14.640 particular approach until you find the one that works. And 0:22:14.920 --> 0:22:19.000 the more approaches there are, the longer that will take 0:22:19.040 --> 0:22:23.600 a computer to accomplish. So your goal is to make 0:22:23.760 --> 0:22:28.119 the encryption process difficult enough so that a computer doesn't 0:22:28.160 --> 0:22:31.080 have any hope of solving it by brute force in 0:22:31.160 --> 0:22:35.320 any reasonable amount of time. The earliest forms of computer 0:22:35.400 --> 0:22:38.199 encryption used a fifty six bit key. Now remember a 0:22:38.240 --> 0:22:41.280 bit is a single unit of information. It is either 0:22:41.400 --> 0:22:44.760 a zero or a one. So if you have fifty 0:22:44.800 --> 0:22:49.600 six bits, how many different combinations will that get you. 0:22:50.160 --> 0:22:55.240 The answer is it's around seventy quadrillion possible combinations. That 0:22:55.280 --> 0:22:58.200 sounds like a lot, seventy quadrillion, but as it turns out, 0:22:58.359 --> 0:23:03.720 modern computers can brute for us that fairly quickly, quickly 0:23:03.760 --> 0:23:07.040 being a relative term. But it's not impossible to use 0:23:07.080 --> 0:23:09.720 brute force and break that kind of encryption, so it's 0:23:09.800 --> 0:23:13.680 not safe. So today you would use a much higher 0:23:14.320 --> 0:23:17.960 uh bit for your encryption, like two fifty six bit encryption, 0:23:18.359 --> 0:23:26.560 which gives you way more potential combinations, exponentially more combinations. 0:23:26.960 --> 0:23:30.600 So to decrypt without brute force, if you're not going 0:23:30.640 --> 0:23:34.000 to try and just force all those different variations through, 0:23:34.520 --> 0:23:37.560 you need that key. The key is like a secret 0:23:37.640 --> 0:23:40.919 dacoder ring. So if you get hit with ransomware, what 0:23:40.960 --> 0:23:44.480 the hackers are actually offering you is the decryption key. 0:23:44.560 --> 0:23:47.679 In exchange for money you pay them, they give you 0:23:47.720 --> 0:23:50.760 the secret super secret dacoder rings, so you can decode 0:23:50.760 --> 0:23:53.040 all that stuff that's on your computer and you can 0:23:53.119 --> 0:23:56.720 use it again. These days, the money is typically demanded 0:23:56.720 --> 0:24:00.080 in the form of digital currency like bitcoin, or in 0:24:00.240 --> 0:24:05.119 prepaid cards like money Pack, which, by the way, and 0:24:05.200 --> 0:24:08.639 one of the stories I was reading was misspelled with 0:24:08.680 --> 0:24:12.480 a typo calling it monkey pack, and I wish it 0:24:12.600 --> 0:24:16.960 was monkey Pack, but monkey Pack is a brand of backpacks. 0:24:17.000 --> 0:24:21.040 It is not a method of cash transfer, unless you 0:24:21.080 --> 0:24:23.399 were to stuff a monkey pack filled with money and 0:24:23.400 --> 0:24:26.120 then hand it to someone, then technically it is cash transfer. 0:24:26.480 --> 0:24:29.280 But I'm pretty sure that the the author of the 0:24:29.359 --> 0:24:37.200 article meant money Pack. More's the pity. So using Bitcoin 0:24:37.359 --> 0:24:42.320 or these prepaid options it allows hackers to maintain their anonymity, 0:24:42.520 --> 0:24:45.200 as opposed to giving you an address, like a physical 0:24:45.240 --> 0:24:48.160 address to send money to, which you know you could 0:24:48.160 --> 0:24:50.639 just hand over to authorities who would then stake it 0:24:50.680 --> 0:24:53.320