The guy who stopped it wasn't anonymous for long. He tweeted about how tabloids doxed his friends and blackmailed them to get his address, phone number etc. He said it was the worst experience of his life

adding that kill switch is like mad scientist putting a big self destruct button on a giant evil robot

"Cyber-security whack-a-mole." Made my night.

Can we discuss for a moment that our hero was doxed by british tabloids? Real shitty way to treat someone who prevented extreme infrastructure damages.

Microsoft should have said in the update "NSA did a goof, now there's a gaping hole in your security and this update fixes it."

I remember when WannaCry hit, I was doing contracted dev work for Telefonica, and they were a real pain to deal with. Got the week off work, 10/10 would recommend.

"What operating system does it use?" "It's... erm... Vista!" "WE'RE GOING TO DIE!"

Seems obvious to me that NSA should pay for this, and then some. Teach them to snoop around.

Here's the thing though, when software companies consistently release patches or updates that make the software worse for end users, like adding more advertising, placing additional restrictions, changing UI, or generaly pushing unwanted "features" (I'm looking at you, Skype), I can't say I totally blame people for being reluctant to update.

"Having a kill switch is an amateur mistake": Viruses are usually things you have no control over, releasing a virus is a risk for your own computer as well.

Just want to say this....Love you scishow :)

Or, was it Microsoft saying "Hey, Update or else!!!"

XP wasn't among the infected computers, the only confirmed infections of XP was researchers infecting it by hand. Windows 7 was the main infected OS. As for the "kill switch" it's most likely a sandbox detection thing, not a killswitch, but it was badly implemented.

The killswitch exists because in a lot of virtual machines unregistered domain names will return an IP address (and unused local network IP address) so it is used as a method of detecting if the malware has infected a VM system, which is usually not worth encrypting for ransom.

the vast majority of affected users were using Windows 7

This has already probably been said, but the prevailing theory on why the kill switch domain was in the code was to make it harder for people to analyse the virus. A general practice in malware analysis is to put the virus in an environment where it cannot do much harm or get out. These environments also usually just respond to any requests the program makes with fake data, so it thinks it is getting out but it is not. The kill switch worked by the thought that if it gets anything back from the fake website, it must be due to it being studied. Obviously this did not work as planned, but that at least says what they wanted to do.

I love the portrayal of the ransom payment system here--it assumes the hacker actually intended to restore anyone's files after they paid.

And I just clicked "later" on an update as this video was starting 😂

Wait, Shadow Brokers? You mean, Mass Effect's most infamous information trader is real?

Watched many videos on the WannaCry attack but this one is the best and concise video available on the whole youtube!

seems like wanna cry was a distraction, but could've been something a lot more... troublesome.

Shadow brokers? Didn't know we were in Mass Effect 2.

I'm 25th! I'm so happy I wannacry edit: by 25th I meant 25th comment btw but I appreciate the birthday well wishes. I'll try to remember them when I turn 25.

Thank you, SciShow, for reminding me to update my backups. I'll have to get on that tomorrow.

To be honest, the only reason I don't update is because sometimes new things are added and maybe new filters on the screen or something is added which I don't want and can't remove. So updating to protect myself from a virus is not worth it if my computer is going to be near unusable in the first place.

A small hospital near me had to pay the ransom (something like $40,000 USD) because they had no backups they had no choice but to pay

I wouldn't mind updating if Microsoft didn't hide windows 10 ad generators or spyware programs in the updates

I was reading on Ars Technica that Xp wasn't an infection vector for the attack because in XP the attack on the SMB caused the system to crash before the files could be encrypted. This overwhelmingly affected windows 7. 10 was never vulnerable to the SMB issue afaik.

The kill switch system makes sense. They can set up a their local networks to lead to a 'intranet' page whenever that URL is entered from within it. They might have been scared of accidentally infecting themself

I always update and backup almost everything I have on my PC. Gotta keep my memes safe!

it is well known why the "kill switch" existed - for vm detection ...and the hackers made $0 from the attack because the bitcions are NOT anonymous

The hospital I work in didn't get infected as we use Windows 7 but we shut everything down as a precaution, that caused chaos as we're one of a few NHS trusts to be completely electronic. The hospital I worked in last year got infected as they use operating systems/programs from the late 80's/early 90's in some instances!

It was actually not entirely true. The number of Windows XP computers affected by WCry was very very low. It would simply BSOD on them. The bulk of affected computers were running Windows 7 x64 bit.

For anyone wondering, the suspected reason for the inclusion of a killswitch was an attempt to delay people trying to crack Wannacry's code. From what I have read, when the virus is loaded into a simulator, the gibberish URL would read as registered and then immediately pull out of that system so that the virus could not be "tested". However, since they hardcoded the URL, it was much simpler to just register that URL so that it would keep pulling out of any system it infects.

thx for another gr8 vid john green

The kill switch was probably a way for the malware to detect if it was being studied in a lab. This is quite common, malware writers often try to make it so that their malware will behave differently when it is being studied (ie, debugging software, virtual machines etc).

If the NSA used the exploit, then when it was leaked why didn't they use their resources and update all the machines vulnerable. It's a national agency, they do unconstitutional stuff all the time anyway.

Mass overhauling an os for a large scale is actually incredibly difficult, because doing it all at once can often leave the whole system down and needing to replace large amounts of things all at once and it takes out the operations for way too long. If trying to do it in parts, the parts of the system are usually interconnected, so taking one part offline to change it basically wrecks anything adjacent that relies on it. We had this issue in a big store chain i worked at. Our inventory system was incredibly inefficient and relied solely on human knowledge. We carried a large array of things from just about everywhere, our inventory was different every single day. And i dont just mean season to season, we basically had no set inventory, think thrift store. So if you needed info on an item, you had to call someone who just knew roughly where it belonged to check the prices. People basically generally knew what types of things we carried and what the price was likely to be and how to estimate one if needed. You gained that knowledge simply by working there long enough to get a feel for how we did things. Obviously this was incredibly inefficient and reliant on competent workers. But to overhaul it would have meant changing absolutely everything. The way we sort, how we scan, all our equipment. It was possible to set it up as automatic for sure, but for an extremely busy store in a worldwide company the effort would have been enormous. Basically they decided that having an inefficient human powered system was still cheaper and less hassle than overhauling it. That's the thing, just because there is a better option, doesn't mean its actually more suited. If all you need is to work with word documents, using a supercomputer isnt actually more useful than an old beat lappy. Yeah, you could make dog leashes out of kevlar sting, but nylon is more than enough. In factories many processes could be done by robots, but they still hire just a ton of people to do rote repetitive tiny work, because, especially for smaller orders its STILL cheaper to just pay people to basically just be a biomechanical arm. Upgrading to win 10 when xp is already doing exactly what you need is a waste of time and resources. Unfortunately stuff like this pops up occasionally.

Lol, it seems like everyone forgets Win8. Still my favorite operating system. After a few slight mods, it runs way better than 7 or 10.

I’m a computer gamer... Who just happened to not be on my computer for 80% of 2017. Including those days. Wow. Soooo lucky.

"Haha take that Windows" said apple looking for its lost 300 dollar earpods

I'm late to watching this video, but I just wanted to comment and say thank you for the explanation that was easy to understand. I don't know much about computers, but you explained this in a way that I could grasp.

Maybe this was a test?...

I'm pretty sure I've only not heard of this because I don't use windows, one main reason is that it's just like "ok, time to update, I'm closing your stuff, bye, see ya in an hour or two!" And you can't stop it

We should be mad at the NSA

Who knew having my PC disconnected saved me from this ransomware

In MARCH, Microsoft released a patch. Vast majority of machines infected by WannaCry, were Windows 7 machines still supported by Microsoft. Why is it, people seem to think avoiding patches is a game? Every major computer outbreak in recent times it's the same story, a patch to fix the hole/bug/exploit was released months if not years before the major exploit of it. We've gotten to the point you can no longer blame the software, it's the space between the keyboard and the chair that's the problem. (The User) To the argument a patch breaking your software, I'd rather deal with a scheduled software break than an unscheduled software attack.

Wannacry was actually somewhat kind to people. They were like in 6 moths they will have an event where you can get your files back if your to poor to buy them back.

There are a few problems with this video. Windows 10 was never in danger. The exploit didn't exist on Windows 10. Also, a security patch (the first in 3 years) was released for Windows XP, despite being out of support. WannaCrypt affected Windows XP, 7, 8, and the related server versions, all of which have now received patches (assuming the update has been installed).

I recently had an IT interview with the NHS, they assured me that it was impossible to hack their systems - I didn't get the job, but I came away laughing at them, not their patients who were the ones who really suffered.

Windows updates tend to break the OS. I'm never eager to update. EVER.

thank you for making this

shadow brokers? Mass Effect, anyone?

As Hank said, all the MRI machines and other such things needed specific software to run and upgrading would cost time and money and require re-calibrating which would've added long waiting times. And the Government didn't give enough funding to NHS IT departments which is so desperately needed.

Plot twist: SciShow launched the attack just to make this video.

Microsoft actually did release a patch for Windows XP to fix the SMB bug, which kind of surprised all of us in the IT field. But there was a bug in the WannaCry code that actually stopped it from being able to infect XP. Also the theory about the kill switch is that it was put there in order to help the Malware detect if it was in a sand box, which would mean a security researcher was testing it. Their mistake was to not just randomize the domain name it checks (ie random characters with a .com on the end).

they still havent released a patch for window 95 im pissed.

I think a lot if not most ppl don't realize most updates you get, java, windows, adobe, etc. are specifically to patch security holes.

Hey there, SciShow! I have a personal request for the topic of cerebral aneurysms! I experienced a rupture when I 19 and the suddenness and severity of them would make for a good informative video for the public! Thank you!

At my dad's hospital (he works in IT, and is married to an IG manager) they shut down all of the computers, so they couldn't be infected, but then they still couldn't access the data...

And this is a clear example of why businesses should update there systems.

Thanks for the upload

let me cleat something - in the industry nobody cares about the latest OS if it is practically the same and doesn't bring any benefit for the money paid. the lasers in our factory will forever run on XP, because there is no point in updating it. the software runs perfectly, so why bother?!

The "Kill switch" was only used as a way to determine whether it was sandboxed. A sand boxing application would have returned something to the program, so it didn't get suspicious. However, knowing that it was a garbage URL, wannacry would stop in it's tracks, because it would know it was sand boxed. It wasn't a kill switch, but a clever tactic to see if it was running on a live system or sand boxed.

3:19 You're welcome in advance.

The kill switch was added to check if the malware was run on a simulated network (this is a technique often used in virtual environments by malware analysts to emulate network traffic without actually having to let the malware wander around the internet)

2:19 bruh

Thanks again Hank!

The kill switch was far from a amateur mistake. It was designed so that when the malware was being studied in a computer laboratory to find out how it worked the worm would instantly realise it was being studied and immediately terminate all of its processes

THANK YOU SO MUCH! im doing presentation on this soon and this explained everything so much better

did hank say 'only' about $100,000 that's more than some people make in 2 years

Well I’m never gonna skip another update again

Young Brit girl: "I'm on me mum's computer...v-room v-room." Her mum: "Get off me computer!" Young girl: "Awwww."

"As long as you didn't reboot your computer"??? BRUH, that's like the first thing I always do! XD

This is NOT TRUE. The NHS was not up and running again within a day of the attack. Staff were sent home for days after because they could not work on the computers.

I thought the point of the killswitch domain was so that the virus could tell whether it was running in a sandboxed environment. If it was running on a security researcher's computer and checked to see if the domain was registered, it would come back positive inside the sandbox and the virus wouldn't install, but in the real world, the gibberish domain was intended to remain unregistered so the virus would spread.

That URL kill switch was a bait. This was just round one. Prepare for the second wave.

You'd think the NSA would be held accountable for their blunder.

hospitals need to get their computers off of windows

i love this dude taught me chemistry on youtube.... great teacher

*[overeager conspiracy theorist voice]* So NSA did WannaCry. Got it.

And this is why many big companies are turning off SMBv1 in their network, I work in IT support and get calls about this constantly, unfortunatelly the type of support I give requires SMBv1 to be enabled, either that or do a very expensive upgrade.

Nope. Lesson from this story is "Install those Leenuux and never revert to shitty proprietary OS'es again".

the thing with wannacry is... for it get onto your network in the first place, someone had too open an email, download an attachment, run it, and allow it to make changes

My girlfriend ransomware. I wannacry

Registering the domain was not exactly a signal. When WannaCry attacks a computer, it refers to a certain domain address to see if it is up. If the domain is running, the virus is still inside the computer, it just doesn’t encrypt the file system

I used Linux.

The reason the kill switch was implemented was to prevent testers from experimenting and containing WannaCry. Typically, when trying to see how a virus works, it is placed in an isolated computer environment that is set to automatically answer any request an infected computer would make to the internet. If you try to test WannaCry, it trys to get a response from that bogus url. If it gets a response, it knows it is in a test environment, shuts down, and tries to delete itself. When that person registered that domain and put a server on it that responded to WannaCry, the ransomware destroyed itself.

NSA triggered it due to what they were allowed to do while Obama knowingly stood by and let them loose. Thanks, Obama!

Thank god I update it every month or so

Or, here's a thing, don't use a crappy OS

4:03 "It's not clear" - no, actually it's well known why. This is done to detect if you are running in a virtualized environment(maybe a research team analyzes the application), if it is, then you disable the functionality so it is not detected. Actually it was not only 1 domain, there were multiple.

That's why I love my MacBook.

Supposedly the kill switch is there to defeat people from studying the virus in virtual machines. In a virtual machine, all domains will appear to exist, so if the program checks for a domain that *shouldn't* exist and it comes back positive, it can tell it's in a virtual machine and stop working so it can't be studied. It's a nifty idea but easily defeated once figured out.

"As long as you haven't rebooted your computer", that's very useful.

The fact that you have to explain it, and the fact next to no one has ever even heard of it, along with the fact that it was discovered and stopped, only proves that's it's not "a big deal."

I blame: 1. All of the companies full of technologically-literate white-collar employees who are trusted to make decisions worth thousands or millions of dollars every year, but aren't given administrator privileges on their computers and need to spend 2 hours arranging for an IT guy to do a 5-minute task. 2. All of the companies who would rather bear the cost of their employees being half as productive than bear the cost of new computers every once in awhile. I know what Hank said about the hospitals, but sometimes they're already using the software on the newest OS, but drag their feet on getting all employees up to speed.

Apparently the killswitch was to try to stop the virus running on security researchers 'sandboxed' virtual machines. This would mean that it would be hard to run the virus in a security controlled environment and see what the ransomware was up to. I say 'apparently' as I can't work out why the sandboxed machine would have the wierd domain name accessible. Maybe the idea was good, but the hackers messed up the implementation?

Eternal green: *chuckles* ... I’m in danger

For those trying to understand why the attackers built a kill switch - Its basically an anti-analysis mechanism where by the malware kills/deletes itself before a security researcher can get access to its code in a sandbox environment. The sandbox environment is designed to intercept communication between the malware and any internet address. This is done to figure out what exactly is the malware communicating with that internet address even if the address doesn't exist in the real world. Basically once a malware gets into a system there are two things that can happen: 1) Its a normal computer. It tries to reach a non existing address and if the malware doesn't get a response as expected, it assumes its safe to operate and wreaks havoc 2) Its a researchers sandbox. It tries to reach a non existing address but the sandbox responds to the malware's probe hoping to snoop in on the communication. The malware expecting no response from this address but receiving one makes it realize its on a security researcher's sandbox so it deletes itself before the researcher can gets his hands on it to reverse engineer and disable/release a patch for it.