Darknet Diaries - 73: WannaCry
Episode Date: September 1, 2020
It is recommended to listen to episodes 53 "Shadow Brokers", 71 "FDFF", and 72 "Bangladesh Bank Heist" before listening to this one.
In May 2017 the world fell victim to a major ... ransomware attack known as WannaCry. One of the victims was the UK's National Health Service. Security researchers scrambled to try to figure out how to stop it and who was behind it.
Thank you to John Hultquist from FireEye and thank you to Matt Suiche, founder of Comae.
Sponsors
Support for this episode comes from LastPass. LastPass is a great password manager, but it can do so much more. It can set up 2FA for your company, or you can use it to monitor what your users are doing in the network. Visit LastPass.com/Darknet to start your 14-day free trial.
This episode was sponsored by Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and when signing up with a new account use code darknet2020 to get a $20 credit on your next project.
Transcript
Hey, it's Jack, host of the show.
Listen, you might not be ready for this episode.
There's a few prerequisites I recommend you do first.
First, we're going to be talking about the Shadow Brokers in this episode, and I already
covered them in episode 53.
So I highly encourage you to check that episode out first, which is just called Shadow Brokers,
before this one.
Second, I made episodes 71, 72, and 73 to be listened to in that order.
And since this is episode 73, maybe check out the two episodes before this first.
Of course, you don't have to.
This episode still stands on its own anyway, but that's my recommendation.
Okay, so with that out of the way, let's jump right into it.
My name is Tony Bleetman.
I'm an emergency physician. And in 2017, I was working as a freelance senior emergency physician in a number of hospitals in the UK.
So why did I take up this physician's precious time to come on a show which talks about hacking?
Because he was at the center of one of the biggest ransomware attacks in history.
The date was May 12th, 2017, which is a date Dr. Bleetman
will remember for a long time. I remember pitching up for a shift at a hospital in London
at about noon. And as I walked into the office, the WannaCry screen had come up on
the computers. Specifically, the computers in the hospital were stuck on a red screen which said,
Oops, your files have been encrypted.
Send $300 worth of Bitcoin to this address to decrypt them.
This is a typical ransomware message.
See, if your files get encrypted and you don't have the key to decrypt them,
your files are no longer readable.
Some hacker gained control over the hospital's computers and was demanding Bitcoin to unlock them.
Now, this ransomware which was encrypting the files was called WanaCrypt, spelled W-A-N-A.
But people quickly just started calling this ransomware WanaCry.
I just walked into the situation and within a very short time, people understood
that this was a cyber attack affecting the health service and communication between friends and
hospitals confirmed that. This WannaCry ransomware not only took over the computers in this hospital,
but was hitting other hospitals in UK's NHS,
their National Health Service. And my take on this is quite simple, that when the technology
lets us down in any circumstance, we have to fall back on old fashioned, well worn,
well proven basic medical techniques. And we just had to rely more on clinical judgment
and rely a lot less on information systems.
The NHS had to make a lot of adjustments to stay operational.
If you think about the process of a patient
attending an emergency department,
someone has to register them,
someone has to order blood tests.
And someone has to order x-rays and CT scans.
Someone has to communicate with their own family doctor once they've finished.
And one has to transfer information around the hospital.
So when that's all missing, you have no computerized registration of patients.
Your IT package that tells you where patients are at any
time is not working. So we had to compensate for all these things by doing old-fashioned things.
When a patient came in, they were registered on paper. And we had a big whiteboard on the wall.
And so we could write down the names of patients and identify their location within a rather large department.
Because we didn't have computerized blood results from blood tests from the lab, every
half an hour we sent a runner to the labs to have a manual printout of the blood tests
and deliver them to the department by hand.
We had to look at x-rays on portable machines because we couldn't see them on computers.
And things that involved high-tech interventions were suspended, or we found old-fashioned alternatives. Now, this ransomware was targeting Windows computers, specifically Windows computers
that were connected to the network. Not all Windows computers in the hospital are actually part of the network, partly because
of this exact reason. So some systems like CT scanners were just not plugged into the network
with like an Ethernet cord or anything like that. Well, one of the things that we learned is that
when your computers are not networked, I mean, a CT scan had its own internal hard drive.
So we relied on that.
And it was limited to a certain amount of memory every day.
So we had to restrict the number of scans that we ordered.
What it meant was, because we had to fall back on machines that were not connected to the network,
standalone diagnostic machines that were not connected to the network were unaffected. So we could run some basic blood
tests on isolated machines and we could run CT scans on machines that were not affected by
the virus. So it was quite useful if machines are autonomous and not connected to the wider network,
which we used to think was a hindrance and a problem.
It actually saved their function because they were not taken out by the WannaCry virus.
The NHS had to cancel 6,912 appointments because of this.
But as of right now, it doesn't look like anyone died due to this attack.
While battling with this problem, the hospital was learning how widespread this was.
We switched on the news and we spoke to friends in other hospitals and it was obvious very,
very early on that this was a national, if not international problem across the country.
And some of the things that we relied upon, trauma centers were temporarily closed.
So we had to deal with any trauma cases coming in because the surgeons in the trauma centers were unhappy to operate without CT scans that they could see in the operating room. For a short while, trauma centres weren't receiving patients, or some of them weren't.
And heart attack centres were also not receiving patients because they were computerised as well. The BBC was playing an interview with Amber Rudd, the Home Secretary of the UK. Here's a clip.
We're working very hard to make sure that we help the NHS put their systems back in order.
And so far, we've had reassurance from them that no patient
data has been compromised. The National Cyber Security Centre is working with them to end the
disruption, to contain it, and to make sure that we learn lessons from it. Can you give us the
figures, as you understand them at this stage, about how many hospitals, how many trusts are
affected? Well, we understand that 45 have been affected out of several hundred,
and most of them are being very cautious about this.
Some of them are making changes, some of them aren't.
Some of them are managing to carry on with their daily work
despite these difficulties.
But can I also just point out that this particular attack,
this cyber attack, hasn't been particularly focused on the NHS.
It's been a worldwide attack.
It's affected 100 countries, different organisations.
But it's just in the UK that it's been particularly impacted on our NHS.
The WannaCry ransomware that was unleashed on the world was ripping through thousands of computers, causing destruction everywhere.
This is the moment that all IT and security teams both fear and prepare for.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries.
This episode is sponsored by Delete.me.
I know a bit too much about how scam callers work.
They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work, what kind of car you drive.
It's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore.
Now I use the help of Delete Me. Delete Me is a subscription service that finds and removes personal information from
hundreds of data brokers' websites and continuously works to keep it off. Data brokers hate them
because Delete Me makes sure your personal profile is no longer theirs to sell. I tried it and they
immediately got busy scouring the internet for my name and gave me reports on what they found.
And then they got busy deleting things. It was great to have someone on my team when it comes to my privacy.
Take control of your data and keep your private life private by signing up for Delete Me. Now
at a special discount for Darknet Diaries listeners. Today, get 20% off your Delete Me
plan when you go to joindeleteme.com slash darknetdiaries and use promo code Darknet at checkout. The only way to get 20% off is to go to
joindeleteme.com slash Darknet Diaries and enter code Darknet at checkout.
That's joindeleteme.com slash Darknet Diaries. Use code Darknet.
Support for this show comes from Black Hills Information Security. This is a company that ... I'm sure they can help. But the founder of the company, John Strand, is a teacher. And he's made it a mission to make Black Hills Information Security world-class in security training.
You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more.
But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes do not need to be expensive.
And they are trying to break down barriers to get more people into the security field.
And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to
get some world-class training. That's blackhillsinfosec.com. Blackhillsinfosec.com.
Okay, so what do we know at this point? It's May 12th, 2017, and the world is being hit by a huge
ransomware campaign.
The NHS is one of the bigger networks to be hit by this.
The news is reporting on this.
Now, when something hits the world on a scale like this, it gets the attention of a lot of security researchers.
The whole security community is buzzing about this.
So, for instance, FireEye was one of the companies that began researching WannaCry.
My name is John Hultquist. I'm the Senior Director for Intelligence Analysis at FireEye.
FireEye is a threat intelligence company.
They spend all day, every day, investigating emerging threats.
And they provide many tools and services
to help companies detect and respond to cyber attacks.
FireEye is a major player in this space
and have been called to investigate many high-profile cases.
Now, by this time, Twitter was going crazy talking about this.
This was a huge attack, hitting companies all over the world.
And while companies like FireEye can't investigate every new piece of malware, this one was big enough to pay attention to.
Yeah, I think that there was good evidence to believe that this was hitting several organizations simultaneously.
We had reason to believe it was going to hit even more of our customers.
And usually in circumstances like that, we spin up a community of protection event.
That's where we basically bring all the power of FireEye, all the different divisions together,
literally into like a single chat room.
And we start trying to break down the problem as fast as we can.
One big piece of that with this was getting,
you know, getting our hands on the malware
and starting to, you know,
have the reverse engineers start ripping it apart
to look for clues as to what was going on.
Because we thought that this was, you know,
this was ransomware.
We didn't know who it belonged to.
We were trying to figure out why it was moving so quickly at some point.
And we were essentially asking a bunch of questions that took us a while to answer.
Now, FireEye wasn't the only group looking into this.
When something like this hits, a lot of companies have to investigate.
For instance, this was looking like it was hitting Windows machines specifically.
So Microsoft would absolutely have to investigate this too. But think about all the antivirus companies or threat detection systems that are out there. These companies would all pay attention to
an attack like this so that they can find a way to detect and block stuff like this from happening
to their customers.
So dozens of major companies were all scrambling to get a copy of the WannaCry ransomware.
And on top of that, you have a lot of independent security researchers who are good at reverse engineering who also tried taking a look.
So this was an exciting time for the security research community.
This was something brand new, and it was hitting hard and spreading fast.
It's exciting, like when your favorite author publishes a new book,
or a favorite video game launches a new level to try.
There's this magical moment in time where there's just no blog posts about this,
there's no news stories, and nobody understands what's happening.
And so people everywhere are racing to get some answers.
And since nobody knows anything about this malware, everyone has to start from square one. And you might be the one who finds the hidden key that unlocks this whole mysterious malware.
It's adventurous and exciting to be part of the investigation, even if you're just an
independent researcher. Now, another person who was researching this was Matt Suiche.
My name is Matt Suiche, and I'm the founder of Comae Technologies.
It's a small startup
focused on incident response.
Back in
May 2017, like
most of people
in InfoSec,
we all saw that there was
a ransomware that was targeting a bunch of
companies and people were posting
screenshots all over
Twitter. And then the first like thing everyone was trying to do was to get samples of that
ransomware. Matt is a French security researcher, also an entrepreneur. He's developed a few
companies at this point, but the one he's building now is called Comae. It specializes in memory
forensics. So this new ransomware interested Matt,
and he grabbed a sample of the malware and began investigating.
Well, so the thing to keep in mind for like malware and especially ransomware,
they're very easy to analyze because they're like very redundant.
What they do is always the same thing.
Most of the time there is no obfuscation.
So you can get a clear idea of what malware or ransomware
is doing fairly quickly, like around an hour.
So it's not like you have to analyze a rootkit
or anything like this.
So you can get a very good idea of the big picture
of what they do.
So the idea was just trying to understand what it was doing
to be able to write a short write-up because
everyone was panicking around it and usually when it's something like this especially as a small
startup you know it's interesting to release something before like everyone else because
large companies will not be able to publish blog posts as quickly because they have their own internal cycles
for publishing anything.
So that one, the idea was first to analyze what it was doing,
how it works, kind of like what it was doing.
Now, malware like this is pre-compiled,
which means if you look at the program itself,
it just looks like gibberish.
It's machine code.
A computer understands what to do with it, but it's not human readable.
So you have to use a reverse engineer tool like IDA Pro or Ghidra to convert it to assembly language, which is human readable, but it's very rudimentary.
Like put this data in the memory, then move it from here to there, and then remove the data from the memory.
You don't see if else statements and things that make sense.
So because it's so low level, it requires a lot of skill
to know how to reverse engineer a program to figure out what it does,
which in my opinion is pretty hard to do.
But Matt's good at this.
So he dove into the code and saw something remarkable.
So on the exploitation part, what was pretty interesting is, and I think even before analyzing it people had a strong suspicion around it anyway, is, oh, it was using DoublePulsar and EternalBlue that were leaked a few months before by the Shadow Brokers.
The exploit this malware was using was EternalBlue.
Now, let's back up a second.
One month before this WannaCry outbreak,
the Shadow Brokers gave the world EternalBlue.
You remember the Shadow Brokers, right?
If not, go check out episode 53.
But the story goes that someone hacked into the NSA
and stole hacking tools and exploits the NSA uses,
then slowly released these tools to the public.
Now, what's strange here is a month before EternalBlue was released, Microsoft patched it.
We're not sure if NSA warned Microsoft or if Microsoft found it themselves.
Regardless, the patch came out and then the Shadow Brokers gave this exploit to the world to use however they want.
Now, we still don't know who the Shadow Brokers were, but they would send messages sometimes.
At one point, they called out Malware Jake for being part of Equation Group or NSA.
But there was more to that tweet. It read,
The Shadow Brokers is not in habit of outing Equation Group members, but had made exception for Big Mouth.
So it was to Malware Jake.
And then it was saying, keep talking shit, msuiche, you're next.
Yeah.
The Shadow Brokers had mentioned Matt by name in the very tweet they practically doxed Malware Jake as being part of Equation Group.
Was this also saying Matt was part of Equation Group?
I mean, that one, you know, I was laughing because I was like, well, it's kind of flattering, but I'm French, you know.
So Matt is not former NSA or Equation Group, and he didn't even have to explain this since the Shadow Brokers later clarified this
in a tweet saying yeah, they know he's not ex-NSA since he's French-born.
So why were the Shadow Brokers talking about him? Well, it's kind of a mystery, actually. First of
all, Matt was really fascinated with the Shadow Brokers and what they were releasing to the world.
So he was screenshotting everything the Shadow Brokers posted and was blogging about it a lot.
And during the whole Shadow Brokers ordeal, Matt gave a talk at Black Hat about them.
So before we start, please raise your hand if you have never heard of the Shadow Brokers.
On top of that, Matt has a fairly large Twitter following. So it's possible the
Shadow Brokers were just seeing what people were saying about them and they saw Matt's post
and liked him. I was flattered though about it because it's like, oh, it's kind of cool that
they're mentioning me because it means they're reading all my blog posts, all the analysis I did of all their release, you know, because that's how they would know me.
Otherwise, there is no way they would have mentioned me.
And even at some point, they were kind of like saying, you know, they're calling me like friends.
Oh, yeah, because I gave a keynote at Black Hat the same year, which was kind of like giving an
overview of what the Shadow Brokers were doing, and I was saying like, oh, you should come,
we should have a beer. And it's like, oh, I would only come if you speak at DEF CON,
I would be on the first row, you know. So, you know, still part of me still does think that
they're still US-based and not Russian, but it's kind of hard to prove. But yeah, they
were kind of friendly, you know, they're like, oh, Suiche seems to be a friendly guy.
So they were definitely very entertaining.
Also, a lot of the way they speak,
because the grammatical mistakes,
you can tell they're completely fake.
Well, the way they type might be a fake accent or something,
but the Shadow Brokers releasing EternalBlue to the world
was not fake.
It was a very serious vulnerability,
which exploited the way Windows file sharing works, or SMB.
If you have a vulnerable version of SMB running on your computer,
a person could easily take remote control of that computer.
And so, exactly one month after EternalBlue was released,
WannaCry was launched, which used that exploit.
Which is one reason why this ransomware infected so many machines.
Because it was using a wicked good exploit that just came out not too long ago.
What's more is that this ransomware was a self-propagating worm.
When it would infect one computer,
it would then look to try to infect every other computer in that local network.
This meant if it could just get a small foothold in a network,
it could then spread to a large amount of computers inside your network. A worm like this,
using a vulnerability like that, is going to spread quickly. And it did. Now, again,
this exploit was patched in Windows about two months earlier, so anyone who had automatic
updates on or were installing the latest security patches for Windows were not affected by this. But as it turns out, a lot of Windows computers in the world
don't update as frequently as they should. And this creates a problem.
Yeah, I mean, it's really interesting. So there were patching issues, right? People hadn't
caught up with the patching cycle. There's no doubt about that.
But there are some places that were targeted or not necessarily targeted, but that were hit that
patching was difficult. I think that probably the most well-known target was the NHS in the UK.
And people who work in the medical arena will tell you there's a lot of
equipment there that is just old and it can't be patched or can't be patched because it simply
will not function correctly. So, you know, it's not always as simple as it's just patch.
And in fact, this got so big and impacted so many old computers that Microsoft released even
more patches. Like at this point, Windows XP was no longer supported by Microsoft and they stopped
making security patches for it. But a few days after WannaCry came out, Microsoft released a
patch for XP, which is very, very rare for them to release patches after they stopped supporting
that version entirely. Now, when ransomware hits your computer,
it encrypts all the files on it and asks you to pay to unlock them. And some victims were paying
the $300 or $600 in Bitcoin to get their files back. But there was a problem. This didn't seem
to work. A lot of people were reporting they paid but didn't get a valid key to decrypt their files.
And in fact, if you analyze the malware,
it just didn't seem to contain the proper methods for restoring the files at all.
So these victims who were paying were getting burned twice.
Now at this point, security researchers were starting to think,
maybe this isn't ransomware.
Maybe this is disguised as ransomware and really has other intentions,
like destroying a target or a network or something.
A lot of questions were starting to rise up.
Do you have some general tips for if someone gets hit with ransomware like this?
I think every situation is different.
It's important, if possible, to have a sense of who's doing that, right? In this case, you know, it was pretty,
it looked like nobody was going to get their machines unlocked.
And, you know, obviously the tip in that case is don't pay
because it would be an absolute waste of money.
But there are, you know, a handful of operators that we know pretty well, and I think they all behave differently.
And you have different prospects based on who you're dealing with and what your specific situation is.
So usually the advice is consult an expert on your specific situation.
So were there any of your customers that were trying to consult you
that were kind of like big companies that were getting hit?
Oh, absolutely.
And I think at the time we were advising them that this is not something that,
you know, a criminal actor that we're familiar with.
And there didn't seem to be a payment,
like the payment mechanism didn't seem fully operational.
At this point, John's team had developed a way to detect and block this activity in their clients' networks.
They understood this malware fairly well, but they still had more to figure out.
I think, you know, at that point, we were, I mean, from my side, I'm the intelligence guy.
We were really trying to determine who's doing this, what's the motive behind this. Is this, you know, a
state actor? Is this, you know, a destructive attack? Can we find some sort of breadcrumbs that will
take us back to other incidents? That's usually what we're looking for, right? We're trying to take
your one single incident and connect it to a cluster, and hopefully we can learn from
a cluster of other incidents, right? Usually, sometimes they've made mistakes in their other
incidents, they've taught us something about them. Um, you know, they've used infrastructure
that maybe we recognize there, and it would tie back even further.
So we're working diligently to find those clues.
So while John and his team were busy trying to figure out who did it,
Matt got to work trying to figure out how to recover computers that got encrypted.
And he was making some slow progress on ways to decrypt hard drives
that got infected. But after the break, we'll hear how another security researcher came in
and saved the day. Stay with us.
SpyCloud. With major breaches and cyber attacks making the news daily, taking action on your
company's exposure is more important than ever. I recently visited spycloud.com to check my darknet
exposure and was surprised by just how much stolen identity data criminals have at their
disposal. From credentials to cookies to PII, knowing what's putting you and your organization
at risk and what to remediate is critical for protecting you and your users from account ... your company's exposure from third-party breaches, successful phishes, or infostealer infections, get your free Darknet Exposure Report at spycloud.com slash darknetdiaries.
The website is spycloud.com slash darknetdiaries.
Another security researcher named Marcus Hutchins was looking at the malware and saw something that's fairly unusual for ransomware.
He found that upon infecting a machine, one of the first things this ransomware does is try to go to a specific URL, a website.
It's a 40-character long URL, which just looks like gibberish.
WannaCry would check if that URL exists.
And if it did, it would stop
running immediately. It would not encrypt the computer. It would not try to propagate. It would
just halt. This is called a kill switch. Whoever made this ransomware wanted a way to stop it if
they had to. And I can imagine a scenario where this could be useful. Suppose whoever wrote this
malware was working for a nation state. And if they released this to the world and it accidentally infected their own country,
what a mess they'd have. So if that started happening, the hackers had a way to halt the
entire thing worldwide by just making that URL active. But when Marcus Hutchins found this URL
in the code, he did a Whois lookup on it to see who owned it, and the domain was not registered.
This was odd.
You would think that whoever wrote this malware would have registered the kill switch in case they needed to use it.
But it wasn't owned by anyone.
So what's Marcus do?
He registers the domain himself and makes the URL active.
Instantaneously, the ransomware stopped infecting machines worldwide.
Because as soon as a new computer would be infected, it would check to see if this domain was up.
And if so, it would stop.
Any computers that were already infected were still infected.
And any computers that couldn't get to the URL would still become infected.
But the number of new computers getting their hard drives encrypted almost completely stopped.
Registering this kill switch turned off this attack.
Marcus single-handedly stopped one of the largest ransomware outbreaks in history.
He saved the world from hundreds of thousands more infections
and billions of dollars more in damages.
He became a bit of a legend for doing this.
Here's Marcus in an interview with The Telegraph a few days later.
I've had people sort of inundating me with messages thanking me,
saying that I'm a hero.
I mean, I sort of just registered this domain for tracking
and I didn't intend for it to like sort of blow up and me to be all over the media.
I was just sort of doing my job and I don't really think that I'm a hero at all.
So quite suddenly, all this stopped.
The malware completely lost its teeth and was just fizzling out quite abruptly.
But a few days after that, a new variant of WannaCry started spreading, infecting one computer after another and spreading in the same manner the first variant did. And Matt Suiche immediately jumped on this version.
I got this sample from Benco, analyzed it, and it takes like less than a minute because,
you know, once you're familiar with the malware, it's quite a straightforward thing.
Matt had a hunch that in order to start this ransomware back up, all they would have to do
is just change the domain name of the kill switch,
and it would start working again.
This would be easy to change.
You wouldn't even have to recompile the code.
Just change one character in the binary.
So this was one of the first things Matt looked for,
whether the kill switch was there, and what domain was it using.
And sure enough, the kill switch was there,
but this time it had a new domain name,
still a long 40-character string, but just a couple letters had changed. Well, Matt checked
to see if that domain was registered, and to his astonishment, it wasn't. So he quickly got to work.
Extracted the domain name and registered it, and then I started to also build a platform around it to be able to collect data on the infection.
Very quickly, he started seeing computers hitting his domain, checking if the kill switch was on or not.
So he began collecting data on this, which gave him a firsthand look of what this malware was doing,
where it was infecting machines and how big it was getting.
It is quite cool. But the thing is, that one was not the main one.
So even though it kind of like
got registered like very early,
no major infection happened.
You know, I think it was like
between even below like 100
at that point, you know,
it was like in the low 100
infection hit.
Because Matt was paying
close attention
and knew where to look in the code,
this malware didn't have a chance
to spread exponentially.
Matt stopped it before it did
any significant damage.
But two days after that, another
variant was released, and this time
it was a security team at a company called Check Point
that saw the new kill switch,
and nobody had registered that domain either,
so Check Point registered it.
Quite quickly, too, which meant not many machines got infected with that version either.
And then a few days later, a fourth variant showed up, and this time
it did not have a kill switch, which meant there was no easy way to stop it. This one had the
potential of ripping through millions of computers and infecting them. But I don't think this one was very aggressive
because we didn't really see it do anything.
It never really got in the wild and spread.
I guess by the time this variant was released,
antivirus companies had already detected it
and put out signatures for it
and people were patching their computers more
or at least close that port on the network.
So even without a kill switch,
this new variant did not have a substantial impact.
And since then, this malware has significantly died down.
So we have the people who found these kill switches
and registered them to thank
for stopping this from engulfing
a large portion of the internet.
But that kill switch,
I kept for around a year.
And it had like a few million hits pretty easily.
And after a while, I was kind of like, well, I don't really want to just manage it on my own,
because there's the platform and everything.
I was like, well, I'm not really sure what to do with this data anymore at this point,
because I don't think it's of any interest for anyone.
So I reached out to Microsoft, the MSTIC team,
and I was like, oh, like, do you guys want that kill switch
from WannaCry?
I think it would be in better hands if it's with you, you know,
just so you can, like, keep archiving it or something, you know.
And they were okay for it.
Actually, they had to step back and say,
well, the legal department says it's too much of a risk.
We cannot take it.
So at the end of the day, they didn't take it.
And the people from Chronicle Security at Google
accepted to take it, and I just gave it to them.
But I thought it was quite funny that Microsoft could not take it because of legal, you know.
The estimate is that WannaCry infected 230,000 computers in 150 countries.
And how many of those infected people paid up?
330.
Which added up means whoever did this made $140,000 worth of Bitcoin.
So who did this?
Well, let's listen to a statement given by the U.S. Department of Justice.
We have unsealed criminal charges against a North Korean computer programmer
for participating in a conspiracy that conducted sophisticated
cyber attacks around the world on behalf of the North Korean government.
Members of the conspiracy are responsible for some of the most damaging and most well-known
cyber intrusions in history, including the cyber attack targeting Sony Pictures, the
cyber heist of Bangladesh Bank,
and creating the WannaCry ransomware.
There you go.
North Korea did this.
And specifically, they're charging the same person for the Sony hack,
Bangladesh Bank hack, and this WannaCry ransomware.
Park Jin-hyuk is the person named in the indictment.
And in fact, he's now on the FBI's Cyber's Most Wanted list.
As people investigated this further,
they found there were earlier versions of WannaCry that hadn't been effective
because they weren't using EternalBlue, which hadn't been released yet.
But on May 9th of 2017, a company called RiskSense
published a proof of concept using EternalBlue as an exploit.
They even included source code and explained how to use it.
Three days later, the new version of WannaCry with EternalBlue was released.
And it looks like the same code was used in this malware.
So it seems to me that someone in North Korea saw the blog post by RiskSense,
copied the code from it into their existing WannaCry ransomware,
and released it on the world three days later.
It's hard to point fingers here.
Yeah, North Korea is who pulled the trigger on all this.
Okay, but they may not have done that
if they didn't see the blog post by RiskSense.
But RiskSense wouldn't have published that blog post
if it wasn't for the Shadow Brokers releasing EternalBlue to the world.
But the Shadow Brokers wouldn't have released EternalBlue
if it wasn't for the NSA creating it to begin with.
And EternalBlue would have never existed
if Microsoft just would have caught the bug
during development and testing.
So it's a weird series of events
that led up to this massive ransomware campaign,
but then it was ultimately stopped
because they forgot to
register the domain of the kill switch. The Department of Justice showed how they found
artifacts in the different variants of the WannaCry malware, which led them to believe it was
launched by someone in North Korea. But I'm willing to bet that they're leaving out some
key evidence which squarely points to North Korea behind this. The thing is, if the U.S. shows what
evidence they have, it might burn their spy channels into North Korea. So they have to be
very careful on how much they reveal. The indictment reads like a typical digital forensic
analysis. You see IP addresses, malware analyzed, user agents, and so many more details that they
were able to collect. When the DOJ followed all these threads, it led them to North Korea.
So who's this Park Jin-hyuk guy in the indictment? Well, a journalist for ZDNet,
Catalin Cimpanu, really helped me understand this better, because he mapped it out and started
connecting the dots. This guy Park went from North Korea to China in 2013 to study programming,
specifically Java, PHP, and Visual C++. At the time, Park was working for a company called Chosun
Expo Joint Venture, which is supposedly a company handling e-commerce and lottery services for North
Korea. In 2014, Park returned to North Korea, and shortly after his return, North Korea launched a
bunch of hacking campaigns. Not to mention, most of the malware used in North Korea was written in the same
programming language Park had studied in China. Now, to carry out these attacks, the hackers had
to get servers to use for command and control. Obviously, they didn't want to use a server in
North Korea, so they rented a server from somewhere else in the world. Now to rent a server, you had to have an email address. So the Department of Justice began
submitting warrants to figure out what email addresses were registering these servers.
On top of that, there were some phishing attacks, which also used emails. The DOJ was able to get
these details and compile all these email addresses during their investigation. Let's
take a look at these email addresses.
I count 30 different email addresses in the indictment.
Most of them are Gmail accounts, with the few being Hotmail and AOL.
Well, since Google is a US-based company,
the DOJ can get a warrant and then ask Google for information about these Gmail accounts.
And from there, they're able to see what accounts they were connected to
and what IP addresses were logging into them
and what browsers were used and all this kind of stuff.
Six of these accounts had used the name Kim Hyon Woo.
And as you dig into that, you start seeing connections to Park.
Like both Kim and Park's accounts had access to the same files
and sent mail between each other.
The DOJ saw enough evidence to believe that Kim Hyon Woo was an alias of Park Jin-hyuk.
And so Kim wasn't even a real person.
Then, when they followed the clues, they saw that Kim was the person who registered so many of these servers and sent phishing emails.
They know this because they see commonalities in IP addresses and access to those Gmail accounts
and the browsers used to access them and connected accounts.
All these things together make it clear that the same person owned all these email addresses.
So it seems that over the course of four years, during which Park used 30 different email addresses,
he made a few mistakes where he accidentally connected his real name to his fake persona,
and that's how the feds figured out who was behind this. The FBI also followed the money, all that Bitcoin. Where did
it go? Well, it was held in a crypto wallet at first and then transferred to a Bitcoin exchange.
I'm assuming the FBI got logs from the exchange, which showed them that whoever accessed the
wallet was running Firefox version 52 on Windows 7.
At the Bitcoin exchange, they transferred the Bitcoin to Monero,
which is another type of cryptocurrency,
and this has extra security features,
like the amount of coins sent are hidden,
and a random one-time address is created for each transaction.
So once the money is converted to Monero,
it's extra hard to track, if not impossible.
So what else do we really know about these North Korean hackers?
Well, it's hard to get any good information out of there since it's so secluded.
But I looked into this and found some extra stuff.
First, the Intelligence Agency of North Korea is known as the Reconnaissance General Bureau.
This is a military branch that conducts clandestine operations.
Now within the Reconnaissance General Bureau is another branch called Bureau 121.
And Bureau 121 is where we believe North Korean hackers are working from.
And people in the security community call the North Korean hackers the Lazarus Group.
There are a couple North Korean defectors that have helped us understand what goes on there in pretty good detail.
First is Kim Heung-kwang. He was a professor at the university at the capital. He says students study computer hacking in the school and then are handpicked to go to work at
Bureau 121. And there's also a defector named Jang Se-yul. He went to school to study computer
science at the same college where Bureau 121 recruits people from. He says Bureau 121 has
about 1,800 people working in it, and those people are considered
elite members of the military. They're trained just like any other hacker would be. They learn
how different operating systems work, how to program, how to use attack tools, and everything
in between. North Korea's main attack targets seem to be South Korea, Japan, and the United States.
But as you heard, they have no problem unleashing huge
attacks in other parts of the world. Now when North Korean hackers wage their attacks, they
often physically travel out of North Korea to do it. They'll go to Nepal, India, Kenya, Mozambique,
or China to wage their attacks. Because the internet in North Korea is pretty locked down,
and there's so many people watching what goes in and out of North
Korea. So stuff can just be easily tracked if they do anything from there. So they physically get out
of the country, then proxy around from there. And there are actually quite a few North Koreans who
are able to leave the country. I mean, North Korea competes in the Olympics and has a whole cheering
squad and everything. North Korea attends United Nations meetings.
North Korea has dozens of embassies all over the world.
And North Korea also sends hackers to other countries to hack.
Currently, India seems to be the preferred place from which to launch their attacks.
North Korea always fascinates me,
which is why I wanted to do this three-part series on them.
And at the same time, I think places like the U.S. are trying to hack into North Korea too,
mainly to see how advanced their weapon systems are and to monitor that.
But it's just so weird to think about the differences of why the U.S. hacks North Korea and why North Korea hacks the U.S.
Like, the U.S. is hacking into North Korea to keep an eye on their intercontinental ballistic missiles.
But North Korea hacks into the U.S. to try to stop a movie from being made, which makes fun of North Korea.
And whenever we see a cyber attack, the hackers usually fall into one of three categories.
It's either hacktivism, like doing it for a bigger cause; cybercrime, which is doing it to make money; or nation-state hacking, like doing it to spy.
But the motives for North Korea seem to fall squarely in the center of all three of these.
The Lazarus Group are hacktivists, criminals, and spies.
But I think this is the perfect military strategy for North Korea.
I mean, they've made millions of dollars from their
hacking activities, and they've gotten away with it, and they cause lots of damage to their enemies.
I mean, look at how much damage they did to Sony, all without firing a single bullet or missile,
and the whole time they can deny they did anything. Hacking seems to be the perfect
weapon for North Korea, since they can do it all remotely, hide under the
cover of the internet, face a lot less consequences for their actions, and do it all at a fraction of
the cost of kinetic warfare. In July 2020, the European Union imposed sanctions on North Korea.
The report specifically mentioned that the Lazarus Group is who carried out the attacks on Sony, did the Bangladesh bank heist, and conducted WannaCry.
And it says that there's now a travel ban in effect because of that, as well as some assets being frozen.
This is the first time ever that the EU has imposed sanctions on another country because of a cyberattack. And while I think it's totally insane what North Korea has done trying to steal billions
of dollars, trying to threaten the free speech of a movie studio, and trying to destroy a large
number of computers with WannaCry, I actually think this isn't peak crazy for what North Korea
might do next. My guess is that we'll see even more destructive attacks that may even result in loss of life.
They obviously have the capability to cause some serious destruction,
and they never seem to have any remorse for the damage they cause.
And we know they can be provoked to carry out physical attacks.
So I think it's just a matter of time before we see them unleash some kind of cyber attack
that causes major physical havoc.
2017 was a busy year for information security professionals.
To go from the Shadow Brokers releasing EternalBlue,
then seeing WannaCry use it like this,
and then the very next month in June is when NotPetya hit Ukraine,
which also used EternalBlue,
and the month after that, Equifax was breached.
Hopefully, these major attacks help us wake up to the dangers that many companies face while doing business online.
And hopefully, we all learn from this and take our security a little bit more seriously,
because we never know how crazy the hacker might be on the other end of that connection.
A big thank you to Dr. Tony Bleatman for coming on the show and telling us his story.
Thanks John Hultquist, the Senior Director for Intelligence and Analysis at FireEye.
And thanks Matt Suiche, CEO of Comae. You can find links to these people and what research they've done in the show
notes or at darknetdiaries.com. Please remember, a lot of time and energy goes into making these
episodes, and I bring them all to you for free. If you're getting value by listening, please
consider donating to the show through Patreon. By supporting the show, it ensures we have enough
resources to continue to bring you more great content. Oh, and as a thank you, if you join... Visit discord.gg/darknetdiaries. This show is made by me, the slow coder, Jack Rhysider.
Sound design and original music was created by the always encrypted Garrett Tiedemann.
Editing help on this episode by the devilish Damien.
And our theme music is by the raucous Breakmaster Cylinder.
And even though when I meet up with my other tinfoil hat wearing friends,
I secretly use aluminum foil.
This is Darknet Diaries.