
Ransomware and WannaCry

Jun 16, 2017 · 56 min

Episode description

What is ransomware? Why does it so often target healthcare organizations? Tune in to learn all about the history of holding data hostage — from Dr. Popp to the recent WannaCry virus.


Transcript

Speaker 1

Get in text with technology with tech Stuff from how stuff works dot com. Hey there, and welcome to tech Stuff. I'm your host, senior writer John in Strickland right for how stuff works dot com. It's a groovy website. You've never been there. You should go check it out. You've been listening to tech stuff all this time and didn't know there was website. Work on your listening skills. I love you how stuff works dot Com. Check it out.

So today I thought take a look at a tech story that happened not too long ago as the recording of this podcast. I'm recording it on ma It is publishing much later than that, but not too long ago from today. A virus emerge that really caused a lot of headaches, particularly in the UK and a lot of other countries. Not so much in the United States, but a lot of other ones. And it's called Wanna Cry.

It's the Wanna Cry ran somewhere virus. It really became big news starting on May twelve, sen That's where when it went viral for the first time and spread the thousands of machines. Uh. The account goes anywhere between two hundred thousand and four hundred thousand computers, depending upon what authority you're looking at. I want to cry was exploiting a vulnerability in a protocol used by the Windows operating system. But I'll explain all of that a little bit later. First,

let's talk about what ransomware is and where it came from. So, to put it simply, ransomware is a subset of malware, and malware stands for malicious software. Um. You might also hear it described as a computer virus. That's largely because in the early days of personal computers there are really only two major types of malware, and those were viruses and worms. Uh, and so we've often used computer viruses

shorthand for malware. But there are a lot and lots of different kinds of malware out there, and so using a term like virus is not as specific as most people would prefer. But what the heck is a virus and what the heck is a worm? Well, a virus is some malicious code that a programmer designs that inserts itself into another program. They're typically part of some sort of executable file, so e x E in the Windows operating System world or DOSS. Even the virus does not

activate until the computer runs the respective file. So you can have a computer that has a virus on it, but the virus is inactive. It is dormant because you have not yet run that file, and as long as you don't run that file, the virus will remain dormant. It will be inert. But once you run the file, it activates the virus and it ends up replicating itself. Sometimes it will use other programs to spread itself to

other machines. In the old days, before you had networked computers, it would essentially replicate itself over and over again in order to overwrite everything on the computer and essentially jam everything up. You couldn't end up saving anything to the computer. Everything would be overwritten by this virus, essentially rendered your

computer useless. Uh. It's pretty nasty stuff. The worm, on the other hand, is a self propagating piece of code that does not rely on another file, and typically the programmer depends upon some sort of trick like social engineering to get people to execute the worm and start that self propagation process. Now, both viruses and worms are part of a larger classification of malware, and ransomware is a specific type of malware that as the name suggests holds

a victim's computer for ransom. It doesn't break into their house and steal it and then put a gun to the monitor and say pay up or it gets it. Otherwise you would just need a particular set of skills to go after those folks, as we learned in the documentary Taken. Typically, malware that as ransomware will do one

of two things. The most common version on desktop machines and laptops is that it will encrypt the victims computer, so that means it will encode your computer so that none of your files will be readable or even you know, you won't even be able to locate them because they're all renamed. Under this nonsense encryption approach, that can end up causing your computer to be useless or at least

give make it your information inaccessible. The goal is to get the victim to fork over some cash and in return, the hackers will decrypt the computer. They'll give whatever the password is or the methodology to decrypt all the information and turn it back to the way it was before it was attacked. Now, uh, there's the second variant of ransomware that doesn't encrypt a computer. Instead, what it does is locks people out of a device. This is the

locker version of in somewhere. It's most frequently seen in Android based devices, so mostly mobile sets like handsets, tablets, that kind of thing. And essentially hackers full of victim into downloading and installing a malicious app, and then the app will then activate this software that locks the victim off from accessing their device. They won't be able to use it, essentially bricks it until you are to pay

up a ransom. You might get like a little screen that demons that shows you, you know, until you pay x amount to why you won't have access to this device. So you are told that you have to pay the hackers in order to regain access to your device. And in either case, ransomware is not pretty. Now. This is similar to, but distinct from, another scheme that some hackers

employ over the last few years, which is blackmail. Hacker groups like rex Mundy have targeted large corporations with a goal of infiltrating their systems and dealing as much data as possible, including customer data. That's one of the big targets. So having that customer data is a very powerful tool. Companies do not want their customers to lose confidence in them.

So if a hacker group is able to get hold of a huge amount of customer information from a company and then say, hey, if you don't pay up, we're going to release this information or we're gonna sell it off. Uh, it's bad news and it's very hard to recover as a company if you've suffered that kind of data breach. So it's similar to blackmail, but not exactly the same because with ransomware, the hackers might not even be interested at all in what's on the computer systems they target.

They don't care if there's customer information or if it's internal systems that that doesn't matter. What they want to do is affect as many critical computers as they possibly can with ransomware, because if it's a critical device, if it's something that's very important for the operations of a larger organization or company, then that puts a huge amount of pressure on the company to pay up the ransom so they can get access to that critical hardware. Again, um,

that's the whole point of ransomware. They don't they don't care if it's you know, what the nature of the stuff is, as long as it's important because they're not after the data itself there after money. They just want to lock down those computers as much as they can and then convince people to pay them so that they

can unlock them. Now, the first recorded instance of ransomware was called the AIDS trojan and it was designed by Joseph L. Pop p O p P. That particular attack falls under the category of the trojan horse, which is of course named after the legendary gift to the city of Troy that secretly housed invading soldiers that were from Greece. A trojan horse is malware that that looks like a

regular program. It fools someone into thinking they're using some benign piece of software, but in reality they're essentially handing over some critical part of their computer systems to the whims of a hacker. So a lot of trojan horse programs these days are programs that look like they're innocent. You run them, and then it allows a hacker to get a back end, like a back door entry into your computer, usually administrative level control, and from there they

can do lots of different things. They can lock you out of a system, They can allow you to continue using a system so that you don't know that they're even there. They can spy on what you're doing. They can even redirect your computer to send traffic to a target machine as part of the distributed denial of service attacks. So this is a very common ploy that hackers will

use in order to build bot nets or computer armies. Now, the AIDS trojan virus predates the World Wide Web, so this was not a virus that was spread over email. It wasn't spread over a compromised website. It was distributed actually on floppy disks, good old floppy disks, and they were sent over the postal service. Most of the recipients were from other parts of the world, not the United States. Here in the US, we really didn't have an issue

with the AIDS trojan virus directly. These were the targeted systems were mostly in other places in the world, like Europe, in Africa, in uh Asia, that kind of thing. So the target for this attack happened to be companies and agencies that were either in education or healthcare, and they were concerned with educating people about the AIDS virus. The disc was posing as educational software that was to teach you about the AIDS virus. So it's pretty insidious that

it was. It took on this form. The software on the disc included an actual survey that would tell the taker what their odds were of contracting the AIDS virus based off their responses. So, for example, it might ask if you take intrivinous drugs and if so, do you share needles? That sort of thing, and as you would answer it, it would give you the odds of you contracting the AIDS fires. So on the surface, it seemed

like actual educational software. What you didn't realize as you ran this software on your computer is that in the background code was running so that it would infect the computer, and after a predetermined number of reboots to the system, the software would encrypt all of your files. So, in other words, it would set up as kind of a doomsday clock, except instead of time, it was in reboots.

So every time you shut down your system and turned it on, you were one step closer to activating this worm, and eventually you would hit that threshold old and the next time you turned on your computer, all of your files would get encrypted by this by this malware. The only thing you would see when you would reboot that system that last time would be a message that says

turn on a printer. So essentially you'd have to have a printer connected to the affected computer and when you turned it on, it would send a print command to the printer and print on a sheet of paper with the instructions to pay the ransom, which is kind of interesting, a little primitive, but obviously you didn't have bitcoin or anything like that back in those days, so the ransom note would print out once the computer was activated or

connected to an activated printer. The note directed victims to send one eighty nine dollars to a post office box located in Panama. After doing so, uh Pop, who of course was not identifying himself as the perpetrator, promised that he would send the decryption program to unlock the contents of the victim's computers. In the UK, where the virus was first reported, some medical institutions began to delete data

rather than pay the ransom. They were worried that their systems have been totally compromised and that a hacker had access to all of that data, so as a result, they started the leading stuff, and in fact other parts

of the world were following a similar strategy. The Independent reported that there was one organization in Italy that lost a decade's worth of AIDS research as a result of this, because there was a panic that uh, the compromised data could be otherwise changed or altered, UH, which I guess is repetitive or redundant, but at any rate that they were worried that this vulnerability was worse than what they

were already seeing. So there were people who who lost years and years of work as a result of this ransomware attack. Now I mentioned earlier, we know who made this virus. So knowing who made it, what exactly happened? How did this story unfold? It's a bit strange, to be honest. So let's give you some background on the man who had programmed the virus in the first place.

Joseph L. Pop had graduated with a PhD from Harvard University, and he was in the field of evolutionary biologies, not in the field that you would immediately associate with someone who's programming the world's first ransomware virus. UH. He was actually not an enemy to AIDS research. That was his field.

He was consulting with the World Health Organization in the area of AIDS research over in Kenya, so why would he design a computer program that locked away computers used by people who were trying to research AIDS and provide education for at risk populations. Well, that depends upon whose story you believe. So story number one came from Pop's lawyer, who said that Pop's plan was to shake things up. He wanted to change the the whole model of how

AIDS research was going about. He thought it was two regimented, he thought it was off base. According to the lawyer, uh and that Pop's plan was to use the ransom money that he would get from people paying this d dollars a pop to fund alternative AIDS education programs. So you could argue that if this is actually the case, this was a protest against the establishment and their approach to AIDS research. So you would think of Pop as

some sort of crypto activist or crypto anarchist. But the judge in the case actually disagreed with this and said that Pop just wasn't even fit to stand trial, and this was because his behavior had become something pretty strange and erratic. He was the reason he was caught in the first place. I mean, he could have just gotten away from Europe and and no one would have ever

known it was him. The reason he was caught was that he was in an airport in Amsterdam and he wrote the sentence doctor Pop has been poisoned, which I think would make a great title for an album, but he wrote it on another passenger suitcase. It's pretty strange already.

Apparently he had been um acting somewhat unusually as the stress was getting to him about trying to get out of Europe while this story about the AIDS trojan virus was making headlines over there, so he was feeling a lot of pressure, and according to some stories, at least

he cracked well. The authorities saw that he was writing stuff on other people's suitcases and took him aside for questioning, and they searched his baggage, and when they did, they found evidence that he was the one behind manufacturing and distributing all those discs that had the malware on them. So, while he was waiting for trial in the UK, his behavior grew increasingly strange, and eventually Judge Jeffrey Rivlin dismissed the case because he said that Pop was unfit to

stand trial. Pop was released and essentially got off scott free. He eventually would open up a butterfly conservatory in upstate New York. So you can go see Joseph L. Pop's butterfly Conservatory and see the the conservatory built by a guy who built the first ransomware in the world, which is a little unusual. There is another theory about what pops motivations were that have nothing to do with crypto

anarchist tendencies or erratic behavior. It's not nearly as grand an act as all that, it's not as strange as all that. The theory states that Pop was actually just

seeking revenge. He had been passed over for a position with the World Health Organization, so some theories say he got very upset that he wasn't picked for this job, and as a result, he designed and then unleashed the software targeting organizations that he felt he should have been taking a larger role in, but because he got passed over,

he didn't have that opportunity. And he even had a digital diary that contained evidence that he had been planning this attack for more than a year and a half, so it was a premeditated act, not something that was done spontaneously, at least according to that digital diary. Ah. So, there are some people who say that he was just bitter about not getting that job, and that was the motivation he had for building the first ransomware. But whatever the reason, he didn't serve any time for his crime.

And his encryption scheme was relatively simple to reverse. It was symmetric encryption, and it wasn't particularly robust, so after some time, experts were able to figure out how to reverse engineer it, essentially using brute force to decrypt the affected computers. So uh, it really wasn't as bad as it could have been, or as it later would turn to be, as future ransomware hackers would create more robust

means of of putting your data off limits. So one thing that Pop also set into motion was this tendency for hackers who have developed ransomware to target healthcare organizations, whether it's hospitals or organizations that are related to healthcare, that's a prime target for ransomware. And the reason is the information inside those computers is critical, literally critical to

the lives of human beings. So by targeting these very critical systems that have a high sense of of urgency about the data that they contain, the hackers are maximizing the chance that people will give in and pay their demands.

So two different trends that he started. He started the ransomware trend and he started the targeting healthcare trend, both of which are pretty odious, I would say, But yeah, the more valuable and urgent the information is, the more likely you are to pay up when something gets locked away. Now we'll talk more about early ransomware in just a minute, but before we jump into that, let's take a quick

break to thank our sponsor. So early ransomware attackers would originally they were building their own encryption codes to convert files into seemingly meaningless gibberish. So what's going on with encryption in the first place? What does that actually mean? I used the term a lot. You've probably heard it a lot, and some of you are probably very familiar with the whole concept of encryption. But in case you are not, and you're wondering, what does that even mean?

I mean, I get that it turning my files into stuff that I can't read, but what is actually happening? I thought I would give a very very basic explanation of what encryption is. Now, keep in mind, this is at its most basic level encryption involves using a key to encode data in a way that makes it meaningless to an outside observer who does not also possess that key. So this is just making codes essentially, It's what it

boils down to. It's just using a very advanced algorithm in order to do it, and using a huge number of potential of variations on that so that you make it very very difficult for people to reverse engineer the strategy you use to encrypt the information, thus making it safe. Uh, if you use a very simple set of rules, then obviously your data isn't that safe. All it takes is someone to notice what the rules are and then they

can reverse it that way. So if you've ever used a substitut tuition cipher, you're you've experimented with an extremely simple version of encryption. So you might decide with a buddy that you're going to shift all the meaning of letters one over from their actual place on the alphabet, so that when you write your to a message encode to your buddy, a B is an A, and a C is a B, and so on and so forth.

That's a very simple one shift substitution cipher. When you receive a message, you use that key, which in this case is just that very simple rule to decode the message, and then you read it, and then later that night you'll probably TP someone's home, because that's the kind of thing we allows the kids used to do before there was an Internet and Nintendo switches and whatnot. Obviously, computers are using much more robust encryption techniques than a simple

substitution cipher. The goal is to create a method of encryption that is so sophisticated that it would take someone years or even decades before they could decrypt the information without the use of a key in others, to use brute force. Brute force is essentially when you just tele computer, I want you to work through every variation of this particular approach until you find the one that works. And the more approaches there are, the longer that will take

a computer to accomplish. So your goal is to make the encryption process difficult enough so that a computer doesn't have any hope of solving it by brute force in any reasonable amount of time. The earliest forms of computer encryption used a fifty six bit key. Now remember a bit is a single unit of information. It is either a zero or a one. So if you have fifty six bits, how many different combinations will that get you.

The answer is it's around seventy quadrillion possible combinations. That sounds like a lot, seventy quadrillion, but as it turns out, modern computers can brute for us that fairly quickly, quickly being a relative term. But it's not impossible to use brute force and break that kind of encryption, so it's not safe. So today you would use a much higher uh bit for your encryption, like two fifty six bit encryption, which gives you way more potential combinations, exponentially more combinations.

So to decrypt without brute force, if you're not going to try and just force all those different variations through, you need that key. The key is like a secret dacoder ring. So if you get hit with ransomware, what the hackers are actually offering you is the decryption key. In exchange for money you pay them, they give you the secret super secret dacoder rings, so you can decode all that stuff that's on your computer and you can

use it again. These days, the money is typically demanded in the form of digital currency like bitcoin, or in prepaid cards like money Pack, which, by the way, and one of the stories I was reading was misspelled with a typo calling it monkey pack, and I wish it was monkey Pack, but monkey Pack is a brand of backpacks. It is not a method of cash transfer, unless you were to stuff a monkey pack filled with money and then hand it to someone, then technically it is cash transfer.

But I'm pretty sure that the the author of the article meant money Pack. More's the pity. So using Bitcoin or these prepaid options it allows hackers to maintain their anonymity, as opposed to giving you an address, like a physical address to send money to, which you know you could just hand over to authorities who would then stake it out and try and catch the people who are responsible. Using the digital approach, it's a lot harder to do that.

Since ransomware has become a more popular method to attack computers, and it really took off once the World Wide Web matured and upon the launch of the smartphone industry as well.

The Internet Crime Complaint Center or I SEE three says that between two thousand five and two thousand sixteen they received reports of more than seven thousand, six hundred ransomware attacks, and by comparison, the i C three says it received more than six thousand reports of data breaches, so ransomware actually outnumbers data breaches the information you tend to see in the US, at least, you see these big stories about companies that had their systems compromised and people stole

a lot of information. That's a data breach. The big Sony data breach from a few years ago is a great example. Um not that it's great, but it serves as a great example. Ransomware actually happens way more frequently than those big data breaches because again, you don't have to care about what information is in the system. You

just want to make it unreachable. So all you have to do is fool someone into executing some malicious code, and depending upon the nature of the malware, you might be able to infect an entire system just through one point of entry. You don't have to try and navigate a complex and potentially very secure system of computers in order to look for specific information, because again you don't care what the information is, You just want them to

have no access to it. Now, in the mid two thousands, there are a lot of different types of malware in the ransomware category that debuted that included stuff like gp code, Archivas, Crotton, cry Zip, may Archive, and troj Dot ransom dot A and these were using tougher algorithms that were harder to crack. Arcives was one of the first, and it used our essay encryption and demanded that users visit specific websites to make purchases and are to buy a password to remove

the lock on their files. So you would get a message saying you need to go to this pharmacy's website and you need to buy x amount of drugs from this pharmacy, and after you do, we'll give you the password. Pretty aggressive marketing scheme for that pharmacy, if you were to ask me. Obviously it was a front for these hackers, but pretty nasty stuff. And more and more frequently hackers began to use off the shelf solutions as time went on.

Rather than build their own encryption codes, they began to use stuff that a couple of people had developed and then had released out into the wild for others to use at their own discretion. So this did two things. It increased the sophistication of the encryption algorithms that the hackers were using, and it lowered the barrier to entrgue for hackers to the point where if you are willing to pay the money, you and get very simple hacker

tool kits that are easy to run. Like they are they are made to be user friendly for the hacker UM and you don't have to know how they work. You just have to use them. It's like using any other program on a computer. You don't have to know how it works in order for it to work. And that makes it much more dangerous because it suddenly makes ransomware a more viable option for a larger group of people and thus put more computers at risk. It's a pretty ugly cycle. So you also saw websites began to

get compromised and that became an issue too. UM and you also started to see malware that would copy notifications from trusted sources to fool people into installing malicious software. So you've probably encountered something like this in the past.

You may have gone to a website that was not secure, it was maybe a compromised website, and you might get a pop up window that says, hey, you need to update your flash, so that you can watch this content, or you might get a notification saying, hey, the FBI is looking at you right now, so you need to follow this this link. But in in general, these are

not legitimate things. These are actually phishing attempts to try and get you to click on stuff to download and install the malware so that you compromise your own computer. So don't do that, and don't go to that website anymore. It's been compromised. It is not a nice place for you to go visit. Go outside, get some fresh air, or if it's on your phone, turn your phone off. You know, just be careful. Over time, the demands from hackers have increased as well as the sophistication of the

hacking program. In the mid two thousand's, the typical demand for payment is hovering somewhere around three hundred dollars, typically between two hundred and four hundred bucks. And this is where the economies of scale come into place. A three hundred dollars in the grand scheme of things is not that much money. Now, it's not cheap. Three dollars is significant. I mean, I'm not gonna just drop three hundred bucks

and walk away without a care. In the world. That's it's a significant amount of money, but it's not an enormous ransom. It's not like the sort of stuff you see in movies where a character gets kidnapped and then the the kidnappers demand a million dollars in ransom money.

It's three hundred bucks. However, you also have to remember that ransomware typically if it's being really successful, is infecting hundreds or thousands of computers at three hundred bucks of pop. Assuming that people are playing ball, that ends up adding up pretty quickly, so it ends up being uh an effective way to extort people out of money. Today, the price is closer to five dollars on average, so it's gone up. It's no longer around three hundreds, around five.

And again, just through sheer number alone, you can see the potential for hackers to make lots of money using this methodology. And also a lot of the software today comes along with a deadline, so it's not just that your information is locked away, but that you have a limited amount of time before UH something worse happens to you. So you've gotta like pay up before the end of

the month, or we'll start deleting your information. We'll start deleting your files so that not only are they not accessible to you now, you'll never be able to access them again because we're gonna completely delete and overwrite them. So it becomes that kind of level of extortion. You know, you've got a nice, uh database, only it sure would be a shame as someone out though encrypted it and then stead deleting it piece by peace. That's the sort

of message that the hackers are sending. So it's definitely gotten more sophisticated, more expensive, and more um malicious over time. However, ransomware does tend to change very quickly. You don't tend to see one type of ransomware dominate for longer than

say a year or so. Kaspersky Labs, which is a computer security company, reported that the most prominent ransomware between two thousand and fourteen and two thousand fifteen was a program called crypto Wall, which accounted for more than half

of all the ransomware examples found in the wild. Something like fifty eight percent of all ransomware was crypto Wall or some variation of crypto Wall, and according to the FBI, the hackers behind crypto Wall made eighteen million dollars from their victims, and crypto Wall was one of the earliest types of ransomware to spread over compromised websites, and earlier ransomwarely relied on other methodology too for distribution, but crypto

wall went through compromise websites and email attachments and affected a lot of targeted computers. It used a two hundred fifty six bit key to encrypt specific types of files, so it would look for files that had uh specific extensions like a dot d C file, a dot A document file. It would look for those sorts of files and encrypt them using this two d fifty six bit key. Then it would use a two thousand, forty eight bit r s A key to encrypt the two fifties six

bit key. This double encryption made it much more difficult for you to figure out how to reverse the process. But the following year saw crypto wall reduced to just five point one of all ransomware, so it went from fifty eight percent to five point to one percent in the span of one year. The new heavy hitter was a piece of software called Tesla crypt, and the hackers behind that malware frequently demanded their ransoms in Bitcoin and

other forms of digital payment. Ransomware attackers continued to aim at the healthcare industry for the reasons I mentioned earlier. Hospitals have been affected by various types of ransomware. Some of them include Los Angeles Hollywood Presbyterian Medical Center, the Los Angeles County Department of Health Services, Ottawa Hospital, Kentucky Methodist Hospital, and lots and lots of others. A ton of them are in California. In fact, in some cases, hospitals paid the ransom in order to regain control and access of their systems, but in other cases, savvy tech professionals were helping to quarantine affected computers, to disconnect them from the network so that they wouldn't spread the malware further into the system. And then they worked to reboot the systems using old backups, so essentially going to the backup files. And you know, you lose some stuff, because chances are you generated some data since the last backup, but it meant that they got back these systems and didn't have to pay the ransom in several cases.

Now, sometimes hackers have a real flair for the dramatic. There's the team that's behind the Jigsaw ransomware, Jigsaw taking its name from the villain in the Saw series of films. The malware not only locked the victim's computer, but displayed an image of the puppet that was used by Jigsaw, Billy the puppet from the Saw series, and there was a message there that would state that, rather than just a regular deadline, Jigsaw would delete files as time passed, like every hour that passed would mean more files deleted. So the longer you waited, the more information you would lose. That gave that sense of urgency to pay off the hackers. And also if you turned off your computer, it was even worse really, because the next time you booted your computer, one thousand files would be deleted from your computer. It was an incentive to not turn your system off, because once you turn it on again, you would lose a thousand times what
you would lose every hour. It's pretty evil.

By twenty fourteen, hackers were designing locker based ransomware for Android systems, and one of those was Svpeng, which used fake Adobe Flash update messages to convince users to install the malware that would lock you out of your Android device until you paid a two hundred dollar ransom using MoneyPak. Those are those prepaid charge cards. So what happened is, when you try to activate your phone, instead of getting the screen to unlock your phone, you've got a message saying you had to pay this amount of money in MoneyPak to this particular account or you would not get access to your phone again. A similar piece of ransomware was called Koler, K O L E R, or Color if you prefer, which claimed that the holder of the phone was being investigated by law enforcement and then they were being fined as a result. So this is playing on people's fear, right? Like if you send them a message saying, hey, you're in trouble and unless you follow this link you're gonna go to jail, that gives people a big incentive to try and figure out what's going on. A lot of people are going to click that link, not thinking that, hey, the FBI probably doesn't reach out through websites to let you know that you're in trouble. They probably come door to door for that kind of thing. But it's the sort of thing that's meant to instill panic. And when we panic, we make bad decisions. We make very quick decisions. We don't think, we don't use critical thinking. So that's the whole method of attack in this type of ransomware. So this one also added a nasty additional kick. It was a locker worm type of malware that would then send messages to anyone in the contact list of a compromised device. So if you got me with that, if you sent me a message saying, hey, we're the FBI and you're totes in trouble, bro, and I fell for it and I clicked on it, then the malware would not only lock me out of my phone, it would go through my contact list and send a message out to everyone in my contact list with a similar message in the hopes of catching even more people. So this way you allow the virus to propagate across the network. All you have to do is infect a couple of well connected people, and chances are you're going to see a lot more infected devices as a result, and that becomes like a ripple effect that keeps moving out from the source. People who are savvy to it will ignore it, but that doesn't help all the people who don't ignore it.
It's pretty nasty stuff though. By two thousand fifteen, enterprising programmers began to create ransomware as a service, or RaaS. Now, these were the people who had designed the tools that other folks would actually use. So you might have programmers who have no desire to actually use ransomware themselves. They're not directly going to put it to use. Instead, they'll sell it to hackers who do want to use it, but who don't have the ability to program or design these algorithms or these types of malware, and so you'd sell it for like a thousand to three thousand dollars. That's a lot of money, but when you factor into the account the fact that you can demand five hundred bucks per locked computer, and if you're hitting thousands of them, three thousand dollars is nothing. A lot of these ransomware as a service providers also demand a certain percentage of the profits, like ten percent, but still, you're still talking huge amounts of money. So it doesn't take very many victims to play ball before you recapture your costs, and it makes ransomware even more prevalent.

One ransomware attack that made headlines in the United States happened in November, on the Friday following the US holiday of Thanksgiving, which is also known as Black Friday. For those who don't know what Black Friday is, it's called that because a lot of stores will open up with special sales, and it's all in an effort to sell enough stuff to make an overall profit for the end of the year, to go in the black, as they say. If you're in the red, that means that you're operating at a loss. If you're in the black, you're operating at a profit. That's why it's called Black Friday. Well, that's a very popular day for people to go out shopping, and it means it's also a popular day to just get outside and travel. So the hackers had targeted San Francisco's municipal transportation system, also known as MUNI, M U N I, and on that day they were able to infect the ticketing and bus management system for MUNI with a ransomware attack. They demanded one hundred bitcoin for the antidote, for the key to decode everything, and at that time a hundred bitcoin was worth about seventy three thousand dollars. But instead of paying the ransom, MUNI decided to offer free rides to passengers while they worked on a solution. So for two days you could ride Muni absolutely free. You didn't have to have a ticket or anything. You could just get on. But then once they were able to reboot the system and restore from backup, it was back to normal operations. So it was only a temporary downtime for Muni. It was still damaging, because that's two days without any revenue, but it showed that the city of San Francisco, and Muni in particular, was not willing to play ball by the hackers' standards.

Now, there are dozens of other variations that have appeared over the years, but I think it's a good time to now look over at the WannaCry virus, because that is the most recent version of ransomware as of the recording of this episode, and I'm gonna jump right into that topic right after we take another break to thank
our sponsors.

WannaCry is an aggressive, coordinated ransomware attack, one of the biggest ransomware attacks in history, and it's affected hundreds of thousands of computers, many of which are part of the health care industry. Its main method of compromising a machine is to exploit vulnerabilities that are in an old build of the Service Message Block Protocol, which is part of a larger block of protocols that Windows machines use for file sharing. Specifically, the virus could attack computers that had inbound SMB communications on ports one thirty nine or four forty five, and then there were some later variants that aimed at different ports, but the initial one was looking at those two. All you have to do to protect yourself against this, by the way, is update your computer to the latest Microsoft security patch. It removes the vulnerability. Now, once the computer is infected, the malware could sort of put out feelers across the local network. So if this infected machine is on a local network with other machines, it could then use that to send the malware to the other devices on that local network, so it could spread really fast. All it takes is that one compromised device on a system to have it spread throughout the entire system, and it made it particularly dangerous for these interconnected devices that weren't up to date on security patches.

Now, before it made its debut, WannaCry was published as part of a large group of documents stolen from the NSA by a group of hackers. So among those documents was a list of twenty three hacking tools that targeted Windows vulnerabilities. One of those hacking tools was codenamed EternalBlue, and that is what would become WannaCry. So WannaCry started off as an NSA identified and targeted vulnerability in Windows operating systems. This raises some tricky questions about intelligence agencies and how they intersect with computer vulnerabilities that I will get to in just a moment. But nearly a month went by without WannaCry becoming a public menace. So it was released by this group of hackers into the wild. Anyone who went to Tor and went to this particular site, or really file sharing area, could get hold of these documents. But for about a month nothing really happened. Then on May twelve, two thousand seventeen, at eight forty two a.m. London time, and I love how precise we can be with this, the virus was unleashed and the first attack lasted for most of the day, and it compromised hundreds of thousands of machines. But it wasn't as bad as it could have been, because it got sidelined when a British cybersecurity analyst found a URL embedded in the WannaCry virus attack. That led them to a kill switch for the virus. So this was something that the hackers had built into the system, or really you could argue the NSA built into the system, so that you could shut it off remotely. So they did. They flipped the kill switch and it stopped the spread of the virus right there. So it could have been much worse than it was if it had been left unchecked.

The hacking group that was responsible was called the Shadow Brokers. They sent out a message on May sixteenth claiming to have many more exploits for sale if hackers wanted to subscribe to their services. So they were saying, hey, you see how much mess we made with WannaCry? We have a whole lot more.
Just become a subscriber and then we'll share our tools with you.

Meanwhile, affected computers were causing huge headaches for thousands of people in the UK. Several hospitals sent out messages that some appointments and operations would be postponed while they were working on fixing these compromised systems. They said it just wasn't safe. It was putting people's health at risk to try and maintain appointments and operations without having those computer systems in place. Experts were working really hard to restore systems from backups, but that's a pretty slow process, and just the sheer number of affected computers across multiple companies and multiple countries meant that there was no coordinated effort. Right? Like, you had all these individual little islands that were affected by this virus, and each one had to respond to it in its own way, in its own time. So there was no coordinated, major effort to overturn the virus. It was just pockets of that throughout the world. The same was true for other systems all over the world. In all, fifty countries were affected by the WannaCry virus. That being said, according to ZDNet, despite the fact that the virus was pretty widespread, only zero point one percent of the victims have opted to pay the ransom. As of the ZDNet report, the hackers had raised about a hundred eight thousand dollars total, which, considering the size of the attack and the number of systems that were compromised, is actually a pretty small amount of money. A hundred eight thousand dollars, it's a lot of money to me, but if you're talking about the payoff for a massive attack on that scale, it's a fraction of what those hackers were hoping for. I'm sure of that.

Now here are some takeaways
from the WannaCry experience that I think are really important. First, let's talk about the NSA. And I'm gonna try and maintain my composure, because I have very strong feelings about this particular issue. So this is my own personal opinion. This is not the opinion of HowStuffWorks. It's just Jonathan Strickland's opinion. I find it unconscionable that an intelligence agency would identify and design an exploit for a vulnerability in software rather than informing the respective parties about the vulnerability. So, in other words, instead of going to Microsoft and saying, hey, we discovered this vulnerability that's in your software, you should patch it or else someone else might create an exploit for it, they said, hey, there's a vulnerability in Windows, let's create our own exploit for it that we might end up using for intelligence purposes in the future. Never mind the fact that this puts everyone at risk, as is evidenced by the fact that the WannaCry virus is an actual thing. So the company Microsoft had no knowledge of this vulnerability. They weren't aware that it existed. It wasn't until the Shadow Brokers published those NSA hacking tools that Microsoft found out about it, and then they got to work creating a security patch to cover and change that exploit so that it wouldn't work anymore. And then they made the security patch available, so if you installed it, you were fine. Your security patch was up to date. Then at least the initial attack of WannaCry wouldn't affect you, because the vulnerability had been patched up. So I say shame on the NSA for identifying and then building a tool to exploit such a vulnerability for their own purposes. As we've seen in this particular case, it can result in someone else getting those same tools and using them to cause a great deal of trouble. But it was also possible that just by sitting on this information and not sharing it with Microsoft, the NSA could have given other parties the chance to discover that same weakness and develop their own exploits for it, which would have been even worse, because Microsoft wouldn't have known about it until after people had been actively affected by that exploit. So, in other words, even if the NSA had never had their hacking tools stolen, let's say that the hackers never were able to get hold of EternalBlue and turn it into WannaCry, even if that had never happened, someone still might have discovered that Microsoft vulnerability and exploited it. Meanwhile, the NSA had known about it the whole time. I really maintain that it was their responsibility to share that information with Microsoft considering the potential for destruction. And I find it really troubling that an intelligence agency can act in such a way that puts hundreds of thousands of computers and people, because we're talking about the health care industry, at risk. I don't know that any intelligence is worth that. Again, that's my own personal opinion. So
that's the Jonathan bias, to be perfectly blunt.

But another takeaway is that in order to practice good security, you need to make sure your operating system is patched and current. Now, I'm just as guilty as other people at putting off installing updates. If you ever get that message like, you need to install some updates, chances are you've gotten on the computer to do something specific and you don't really want to put that off by installing updates. You want to get to whatever it is you need to do, and so you might just put it off, and you might keep putting it off until your computer forces you to do it. But really the better plan is to go ahead and install those security patches when you get them, so that you can make sure that your computer is not vulnerable to these sorts of attacks. Plus, you know, it often means that your system is just running more effectively if it's patched properly. So just be sure you're installing legitimate updates to your system, not falling for some phishing scam. Typically you can tell, because if it's the system itself that's prompting you to update, and you're not in any browser or anything, you're probably pretty safe. You're either pretty safe or your computer is already compromised, in which case, you know, it's too late anyway.

And finally, back up your data. Use some sort of system to back everything up, whether it's an external drive or a cloud based system. Back up your information. That way, if worst comes to worst, if you cannot retrieve your information because of a ransomware attack, you can bite the bullet, wipe your system, install the operating system again, go to your backups, and restore from your backups. Now, that probably means that you're gonna lose some stuff, because chances are you've generated some data since the last time you did a backup. Unless you're doing backups very frequently, that's always going to be the case. But it's better to lose some data rather than lose everything or be forced to pay into a ransomware attack, because every time someone pays the hackers, you are sending the message this is a way you can make money, and you're inspiring other people to take the same pathway as the hackers did, whether they're designing their own or using an off the shelf ransomware as a service approach. So don't negotiate with the hackers. Instead, use backups, patch your security, have up to date antivirus software running, practice good web browsing and email hygiene so that you're not inviting these sorts of attacks into your life. And if you do that, you really minimize the chance that you will fall victim to this kind of attack. No system is ever going to be perfect, no system is ever going to be foolproof, but you reduce those odds drastically, and if you are backing up your information, then you can at least, you know, again, wipe your machine and start over again without worrying about enabling some hackers and inspiring future generations of hackers to do the same thing further down the line.

And that's it. That's all I have to say about ransomware and WannaCry for this episode. I might end up having to do another one in the future. The story is still playing out as I record this episode, so who knows. But if you guys have any suggestions for future episodes of TechStuff, whether it's a topic you want me to cover, or someone you would like me to interview, or perhaps a guest host you would love to see on the show, send me a message. The email address for the show is techstuff at howstuffworks dot com, or you can drop me a line on Twitter or Facebook. The handle for the show at both of those is TechStuffHSW. And finally, you can watch this show stream live on Twitch. I live stream all my recordings. You get to see me make mistakes, chat with folks in between segments. So if you want to be part of that, want to be part of the community, go to twitch dot tv slash techstuff. You'll be able to see the show page and the schedule, and I would love for you to join me someday in one of these podcast streams. I have a lot of fun chatting with everyone there and just kind of geeking out over technology. So join me, won't you? And I'll talk to you guys again really soon. For more on this and thousands of other topics, visit howstuffworks dot com.
Transcript source: Provided by creator in RSS feed