Cyber Attack - The Day the NHS Stopped

Transcript

2:52:24 > 2:52:26On the morning of May 12th,

2:52:26 > 2:52:30NHS staff were about to be confronted by a major outbreak...

2:52:34 > 2:52:38..as an epidemic swept like wildfire across the country.

2:52:43 > 2:52:47But the disease didn't infect patients, and it wasn't biological.

2:52:49 > 2:52:53Instead it attacked the central nervous system of the NHS itself.

2:52:58 > 2:52:59Across the country,

2:52:59 > 2:53:03computer systems were knocked out by a highly contagious computer virus.

2:53:05 > 2:53:07Hello, can I speak to IT, please?

2:53:07 > 2:53:10It became known as WannaCry.

2:53:10 > 2:53:13There's a message on my screen, it says my files have been encrypted.

2:53:13 > 2:53:15This is the story of a uniquely challenging day

2:53:15 > 2:53:18for the National Health Service.

2:53:18 > 2:53:21A day when the NHS itself became a patient.

2:53:21 > 2:53:25It was attacked by a particularly vicious piece of computer code

2:53:25 > 2:53:26which took down its networks,

2:53:26 > 2:53:29its computers and anything attached to them.

2:53:29 > 2:53:32And that meant patient record systems, CT scanners,

2:53:32 > 2:53:34even MRI machines,

2:53:34 > 2:53:37putting not just data but also patients' lives at risk.

2:53:39 > 2:53:42The surgeon looked very forlorn and very sorry,

2:53:42 > 2:53:46and that was when he then told me that he couldn't do the operation.

2:53:46 > 2:53:48We were unable to book appointments,

2:53:48 > 2:53:51we were unable to see who would be coming in tomorrow,

2:53:51 > 2:53:56so we were really paralysed and at a loss of what to do.

2:53:56 > 2:54:00Horizon unpicks the science behind the recent widespread cyber attack

2:54:00 > 2:54:02that hit our National Health Service.

2:54:03 > 2:54:07And, in his first television interview, we meet the 22-year-old

2:54:07 > 2:54:11cyber security specialist who stopped it in its tracks.

2:54:11 > 2:54:13I checked the message board.

2:54:13 > 2:54:17There were maybe 16, 17 reports of different NHS, sort of,

2:54:17 > 2:54:19organisations being hit.

2:54:19 > 2:54:22And that was sort of the point where I decided, "My holiday's over,

2:54:22 > 2:54:24"I've got to look into this."

2:54:24 > 2:54:30The outbreak exposed a vulnerability at the heart of the NHS.

2:54:30 > 2:54:33I am a doctor, and all of this is a worry.

2:54:33 > 2:54:36I want to know what happens, I want to know why it happens,

2:54:36 > 2:54:39and I want to know how I can protect my patients

2:54:39 > 2:54:42from this new strain of infectious disease.

2:55:02 > 2:55:05I found out about the attacks the way most people did,

2:55:05 > 2:55:07through news reports.

2:55:07 > 2:55:10Now, mercifully, the hospital that I work for wasn't affected,

2:55:10 > 2:55:13but as details emerged, it became clear that colleagues all

2:55:13 > 2:55:16over the NHS were getting into work that day,

2:55:16 > 2:55:19setting up their computers

2:55:19 > 2:55:22and being greeted with a screen that looks like this.

2:55:22 > 2:55:25Now it's very polite - it tells you what it's done, it's encrypted

2:55:25 > 2:55:28all of your data, tells you what you have to do, which is pay some money,

2:55:28 > 2:55:31and it tells you that if you pay the money now,

2:55:31 > 2:55:32you won't have to pay quite so much.

2:55:32 > 2:55:35Otherwise you're going to lose everything.

2:55:38 > 2:55:44On 12th May 2017, the cyber attack wrought havoc across the NHS.

2:55:44 > 2:55:46It hit many hospital trusts,

2:55:46 > 2:55:50and some A&E departments even closed their doors to ambulances.

2:55:50 > 2:55:52Operations were cancelled.

2:55:52 > 2:55:54Patients were diverted.

2:55:55 > 2:55:58But the story of the virus itself

2:55:58 > 2:56:01goes back far further than the events of that day.

2:56:26 > 2:56:30With all outbreaks, there's always a point of origin.

2:56:30 > 2:56:33A moment when the virus first emerges.

2:56:41 > 2:56:44DRAMATIC MUSIC PLAYS

2:57:07 > 2:57:10Down! Down! Hands on your head!

2:57:10 > 2:57:12Down, down, down!

2:57:13 > 2:57:15Cuff him!

2:57:21 > 2:57:22For over 20 years,

2:57:22 > 2:57:26Harold Martin worked as a contractor for US government intelligence.

2:57:35 > 2:57:38On the day of his arrest, agents found stolen drives

2:57:38 > 2:57:42containing more than 50 terabytes of classified data...

2:57:44 > 2:57:47..allegedly including top-secret hacking tools

2:57:47 > 2:57:50stockpiled by the National Security Agency.

2:58:00 > 2:58:03Harold Martin's arrest followed a tweet

2:58:03 > 2:58:06by a mysterious group calling themselves the Shadow Brokers.

2:58:10 > 2:58:13They were offering National Security Agency hacking tools

2:58:13 > 2:58:18to anyone prepared to pay the 580 million asking price.

2:58:20 > 2:58:22According to reports,

2:58:22 > 2:58:24once they found out about the Shadow Brokers' demands,

2:58:24 > 2:58:28the NSA triggered an internal investigation and,

2:58:28 > 2:58:31just a couple of weeks later, Harold Martin was arrested.

2:58:31 > 2:58:33Now, there's no evidence at all

2:58:33 > 2:58:36that he passed on information to the Shadow Brokers,

2:58:36 > 2:58:39but, interestingly, on the hard drives in his home,

2:58:39 > 2:58:42was found the hacking tool, Eternal Blue.

2:58:42 > 2:58:46Now, Eternal Blue is a kind of key that allows you to prise open

2:58:46 > 2:58:49the Windows 7 operating system, and it is that which allowed hackers to

2:58:49 > 2:58:56cause havoc across organisations all over the world, including the NHS.

2:59:02 > 2:59:03When it comes to attribution,

2:59:03 > 2:59:06in other words identifying the true source of attacks,

2:59:06 > 2:59:11the world in cyber is a lot more difficult than,

2:59:11 > 2:59:14say for example, physical, because, you know, you can make your attack

2:59:14 > 2:59:16appear to come from anywhere in the world.

2:59:17 > 2:59:20So, Shadow Brokers is an anonymous entity,

2:59:20 > 2:59:22we don't really know who's behind Shadow Brokers.

2:59:24 > 2:59:27It's generally assumed in the security research community

2:59:27 > 2:59:32that the Shadow Brokers are, in effect, an arm of the Russian state.

2:59:40 > 2:59:4235 days before the cyber attack,

2:59:42 > 2:59:44it was business as usual across the NHS.

2:59:47 > 2:59:51But at this moment, the Shadow Brokers made a fateful decision.

2:59:52 > 2:59:54With no buyer coming forward,

2:59:54 > 2:59:59they dumped their trove of stolen cyber-weapons online, for free.

3:00:01 > 3:00:04They were now available for anyone to use.

3:00:08 > 3:00:13Cal Leeming is someone with unique insight into the cyber underworld.

3:00:13 > 3:00:16He taught himself to hack, and he started young.

3:00:16 > 3:00:18When I was about nine years old,

3:00:18 > 3:00:22my grandparents got me my first computer.

3:00:22 > 3:00:23A proper computer.

3:00:23 > 3:00:27My eyes were opened when I started using these chatrooms

3:00:27 > 3:00:29and started talking to this wider audience.

3:00:29 > 3:00:34People were talking about being able to share PlayStation games.

3:00:34 > 3:00:37They were sharing credit card information.

3:00:37 > 3:00:40Attracted to free games as an escape from his hard upbringing,

3:00:40 > 3:00:44he soon graduated to something more serious.

3:00:44 > 3:00:45There wasn't much money at all.

3:00:45 > 3:00:51So I found myself using credit cards that I had got from hacking

3:00:51 > 3:00:53to send food deliveries to the house.

3:00:54 > 3:00:58So it was a mixture of 50% just utter curiosity

3:00:58 > 3:01:00and wanting to learn more,

3:01:00 > 3:01:02and the other 50% survival.

3:01:04 > 3:01:07At the age of just 12, Cal was arrested.

3:01:07 > 3:01:11He became the UK's youngest ever cybercriminal.

3:01:11 > 3:01:12It was very, very traumatic.

3:01:12 > 3:01:14And they sat me down and said,

3:01:14 > 3:01:18"Cal, do you understand what you have done was against the law?"

3:01:19 > 3:01:23My answer to them was, "All I've done was typed on a keyboard."

3:01:23 > 3:01:25Because that's my mind-set, at the time.

3:01:25 > 3:01:27I was like, "Why is it that I'm typing on the keyboard to

3:01:27 > 3:01:30"survive and I'm now getting arrested?"

3:01:30 > 3:01:33And I thought that was very unfair at the time.

3:01:33 > 3:01:36Cal continued to hack until 2005,

3:01:36 > 3:01:40when he was caught again for using over 10,000 stolen identities

3:01:40 > 3:01:45to purchase goods worth £750,000.

3:01:46 > 3:01:51Eventually, when I was 18, I handed myself in,

3:01:51 > 3:01:55and the arresting officer in my case gave me a chance

3:01:55 > 3:01:58to turn my life around in exchange for going to prison

3:01:58 > 3:01:59for a little bit.

3:02:00 > 3:02:02I owe that guy a lot.

3:02:05 > 3:02:09After serving a 15-month jail sentence, he changed sides,

3:02:09 > 3:02:12and now runs a cyber security firm.

3:02:14 > 3:02:17Why do hackers do what they do? Why do hackers hack?

3:02:17 > 3:02:21People have their own motivations for wanting to get into hacking.

3:02:21 > 3:02:24Sometimes it is financial, other times criminal,

3:02:24 > 3:02:26and sometimes it's just pure curiosity.

3:02:26 > 3:02:31Right now we don't know who started this attack, at least not for sure.

3:02:31 > 3:02:34Do you think, at any level, the people who carried out this attack

3:02:34 > 3:02:38would have felt slightly appalled that this attack spilt over

3:02:38 > 3:02:40into the National Health Service?

3:02:40 > 3:02:43That's a difficult one to answer,

3:02:43 > 3:02:46because it's not a single group that does all hacking in the world,

3:02:46 > 3:02:48it's lots and lots of very tiny groups,

3:02:48 > 3:02:50sometimes a single person, sometimes lots of people,

3:02:50 > 3:02:52and with each group, within each environment,

3:02:52 > 3:02:54you have your own set of rules,

3:02:54 > 3:02:57conditions and social etiquette and all these things.

3:02:57 > 3:03:01So, in some cases, yes, there are going to be some people

3:03:01 > 3:03:04that are outraged, even on the criminal side, that they've...

3:03:04 > 3:03:05That it went this far.

3:03:05 > 3:03:08And in other cases, they might have purposefully wanted it

3:03:08 > 3:03:12to go that far. It depends on the individual.

3:03:14 > 3:03:19Whatever their motivation, what we know for sure is that someone

3:03:19 > 3:03:23did use the alleged NSA exploit Eternal Blue

3:03:23 > 3:03:25to create a devastating cyber-weapon.

3:03:26 > 3:03:29Within four weeks of Eternal Blue being released,

3:03:29 > 3:03:31the attack was ready.

3:03:31 > 3:03:35Eternal Blue was mashed together with other pieces of malicious code

3:03:35 > 3:03:38and then unleashed on the world, and it was given a name.

3:03:48 > 3:03:51A security patch against Eternal Blue

3:03:51 > 3:03:54had been made available by Microsoft.

3:03:54 > 3:03:57But on the night before the cyber attack,

3:03:57 > 3:04:02any machine that hadn't installed the update was still vulnerable...

3:04:02 > 3:04:04including many in the NHS.

3:04:09 > 3:04:12Infection was now just a matter of time.

3:04:21 > 3:04:23On the morning of the cyber-attack,

3:04:23 > 3:04:2822-year-old Marcus Hutchins was in the middle of his holiday.

3:04:28 > 3:04:30If there was any surf, I might have been surfing.

3:04:30 > 3:04:34It's so dynamic, the waves are never the same on two days.

3:04:35 > 3:04:40Marcus works remotely for an LA-based cyber intelligence company.

3:04:40 > 3:04:43I track malware. I track malicious code that affects users,

3:04:43 > 3:04:46and I find ways to track and stop it.

3:04:47 > 3:04:48And despite being on leave,

3:04:48 > 3:04:52he was still monitoring the global malware outbreak.

3:04:52 > 3:04:55I woke up, I checked the message board, there were a couple of

3:04:55 > 3:04:59reports of ransomware infections, but I didn't think much of it.

3:04:59 > 3:05:00From his home in Devon,

3:05:00 > 3:05:05his curiosity would play a crucial role as the day's events unfolded.

3:05:09 > 3:05:11In London, Patrick Ward had spent the night

3:05:11 > 3:05:14in St Bartholomew's Hospital.

3:05:15 > 3:05:16Like thousands of others,

3:05:16 > 3:05:19in operating theatres across the country,

3:05:19 > 3:05:21he was in for planned surgery,

3:05:21 > 3:05:24in his case to correct a serious heart problem.

3:05:24 > 3:05:26They woke me at six o'clock,

3:05:26 > 3:05:29as they do in hospital,

3:05:29 > 3:05:36and one of the nurses came round and shaved my chest, ready for,

3:05:36 > 3:05:38obviously, the opening of the chest cavity.

3:05:39 > 3:05:43I was nervous, but I was very excited, very...

3:05:43 > 3:05:49confident about the operation and what was going to happen.

3:05:49 > 3:05:52I'd...yeah, mentally got myself in the right place

3:05:52 > 3:05:55to have open heart surgery,

3:05:55 > 3:05:57and was, yeah, fantastic, ready to go.

3:05:57 > 3:06:00PHONE RINGS

3:06:00 > 3:06:04The condition I have is hypertrophic cardiomyopathy,

3:06:04 > 3:06:08which is an enlarged heart.

3:06:08 > 3:06:10It means I struggle to do normal things - walk,

3:06:10 > 3:06:13I can't do any sporting activities, lifting heavy objects

3:06:13 > 3:06:16obviously puts a big strain on the heart.

3:06:16 > 3:06:19It makes me feel extremely useless.

3:06:19 > 3:06:24I've had some very dark moments over the last couple of years,

3:06:24 > 3:06:27so I'd like to, yeah, get back to leading

3:06:27 > 3:06:30a normal fit and healthy life.

3:06:30 > 3:06:34But before surgery could start, Patrick needed some tests.

3:06:34 > 3:06:36They wanted to check out my arteries,

3:06:36 > 3:06:40so they sent me down for a cardio angiogram in the morning.

3:06:40 > 3:06:43So after having the angiogram and some drugs, I was very...

3:06:43 > 3:06:48I was even more relaxed and ready for the afternoon operation.

3:06:50 > 3:06:52While Patrick waited for theatre,

3:06:52 > 3:06:57in Devon, Marcus was keeping an eye out for global cyber-attacks.

3:06:59 > 3:07:04I checked the message board. There were maybe 16, 17 reports

3:07:04 > 3:07:07of different NHS, sort of, organisations being hit.

3:07:07 > 3:07:11And that was the point where I decided my holiday is over.

3:07:15 > 3:07:17By late morning, the attack had begun.

3:07:17 > 3:07:21Somehow, a worm had got into the NHS.

3:07:21 > 3:07:22And on the other side of the world,

3:07:22 > 3:07:25somebody was tracking the progress

3:07:25 > 3:07:26of the outbreak.

3:07:29 > 3:07:33Marcen Kochinski runs a cyber security firm in California.

3:07:33 > 3:07:37Their software is installed on machines across the world.

3:07:37 > 3:07:41Every time we disinfect a machine, it pings that information back

3:07:41 > 3:07:44to the labs teams. Real-time information was streaming in,

3:07:44 > 3:07:46regarding these specific attacks.

3:07:46 > 3:07:49We were able to actually create a live map,

3:07:49 > 3:07:53where the infection is spreading. Very similar to a human infection

3:07:53 > 3:07:57spreading worldwide. We were able to do that from a computer perspective.

3:07:57 > 3:07:59So, we started detecting the attack.

3:07:59 > 3:08:03Actually, our first detection was, according to this, Thursday.

3:08:03 > 3:08:06We call that, kind of, day minus one, day one.

3:08:06 > 3:08:10And one of the first computers that we disinfected was in Russia,

3:08:10 > 3:08:12which was very interesting for us to see.

3:08:17 > 3:08:19But then, you look at Friday and Saturday

3:08:19 > 3:08:22and through the rest of the weekend,

3:08:22 > 3:08:24the map just completely explodes.

3:08:24 > 3:08:28We see infections all over the world, predominantly in Europe,

3:08:28 > 3:08:32but also in the US and they do not relent.

3:08:34 > 3:08:37They were witnessing the largest and fastest-spreading outbreak

3:08:37 > 3:08:40anyone had seen in recent years.

3:08:41 > 3:08:42The threat spread so quickly

3:08:42 > 3:08:44that we actually would have to go

3:08:44 > 3:08:45down to the milliseconds

3:08:45 > 3:08:46to see when it first appeared

3:08:46 > 3:08:47in the UK.

3:08:47 > 3:08:49We think it is sometime Friday morning.

3:08:51 > 3:08:52But we really have to slow this down

3:08:52 > 3:08:55and look at the millions of data points we have here to isolate

3:08:55 > 3:08:57the day we saw it in the UK first.

3:08:58 > 3:09:01The first outbreak Marcen detected in London

3:09:01 > 3:09:05showed up in the afternoon at 18 minutes past one.

3:09:09 > 3:09:12Across the country, hospitals like this found themselves

3:09:12 > 3:09:15either in the grip of the attack or desperately trying to switch off

3:09:15 > 3:09:19systems in an attempt to prevent possible infection.

3:09:19 > 3:09:22One of London's largest, most capable hospital trusts,

3:09:22 > 3:09:24St Bartholomew's and the Royal London,

3:09:24 > 3:09:27found itself amongst the most severely affected.

3:09:27 > 3:09:30So, NHS staff put into place contingency plans,

3:09:30 > 3:09:33working tirelessly to keep everything running.

3:09:33 > 3:09:35But there were consequences.

3:09:38 > 3:09:41The surgeon, he had been to see me, to say, "Pat, I'll be with you

3:09:41 > 3:09:44"at one o'clock-ish, after I've done my rounds."

3:09:44 > 3:09:48He then came back again and said, "How are you doing? Everything OK?"

3:09:48 > 3:09:51I said, "Yeah, fine. I'm here, ready and waiting.

3:09:51 > 3:09:54"I'm not going anywhere." And he said, "Great. We're all ready.

3:09:54 > 3:09:56"Everybody is getting organised for you down in theatre.

3:09:56 > 3:09:59"The team are there, they are looking forward to meeting you."

3:09:59 > 3:10:01This was 10 o'clock, 12 o'clock

3:10:01 > 3:10:02and then, at half past one,

3:10:02 > 3:10:09he turned up again and looked very, yeah, forlorn

3:10:09 > 3:10:12and very sorry. And that was when he then told me

3:10:12 > 3:10:14that he couldn't do the operation.

3:10:15 > 3:10:18With computer systems down, the surgeon was unable to access

3:10:18 > 3:10:21Patrick's angiogram and blood results.

3:10:21 > 3:10:24Without them, the operation could not go ahead.

3:10:25 > 3:10:29I was numb. It is the only way I can describe it.

3:10:29 > 3:10:32Yeah, I just felt nothing. I was absolutely...

3:10:32 > 3:10:35I couldn't believe it. I was just absolutely flabbergasted.

3:10:39 > 3:10:41It wasn't until the Monday, really,

3:10:41 > 3:10:45that the realisation of "What do I do?"

3:10:45 > 3:10:48I didn't have any idea as to whether I'd have to wait another year

3:10:48 > 3:10:52for the operation. There was just no information available.

3:10:52 > 3:10:54It's very frustrating.

3:10:54 > 3:10:58Speak to my wife, she will tell you how grumpy I have been

3:10:58 > 3:11:01since the operation was cancelled. Not having a date,

3:11:01 > 3:11:06something to aim for. So it was extremely, extremely frustrating.

3:11:09 > 3:11:11This is what makes me angriest about this whole thing.

3:11:11 > 3:11:15This cyber attack isn't about an abstract piece of technology,

3:11:15 > 3:11:17it's not about ransoms or ransomware.

3:11:17 > 3:11:21It's not about firewalls or patches. It's about people and their lives

3:11:21 > 3:11:24and how it affects them. It is about being forced, as a doctor,

3:11:24 > 3:11:27to look someone like Patrick in the eye and to let him down

3:11:27 > 3:11:29at the worst possible moment.

3:11:32 > 3:11:33And Patrick wasn't alone.

3:11:33 > 3:11:36The cyber attack had become national news.

3:11:36 > 3:11:40The NHS is the victim of a major cyber attack.

3:11:40 > 3:11:44At least 25 hospital trusts and GP surgeries have been affected.

3:11:44 > 3:11:47Routine operations at some hospitals are being cancelled,

3:11:47 > 3:11:50ambulances diverted and patients sent home.

3:11:53 > 3:11:55I went out to lunch. I got back.

3:11:55 > 3:12:00I then saw lots of reports from different sectors of the NHS.

3:12:00 > 3:12:02They were all just simultaneously saying, "We're being hit."

3:12:06 > 3:12:08I thought, "This one thing is hitting all these sectors,

3:12:08 > 3:12:10"so it's got to be something pretty big",

3:12:10 > 3:12:12so I went and I looked into it.

3:12:15 > 3:12:17I asked a friend of mine in the industry if he had a sample

3:12:17 > 3:12:19of the actual malware that was going around

3:12:19 > 3:12:21and he sent it to me.

3:12:21 > 3:12:24I use virtualisation software, which basically makes a computer

3:12:24 > 3:12:28within your computer, so that it wouldn't affect me

3:12:28 > 3:12:29and I saw what it did.

3:12:33 > 3:12:34Marcus wasn't alone.

3:12:36 > 3:12:39Cal, too, set to work examining the malware.

3:12:41 > 3:12:45I wanted to find out from him what made this cyber attack

3:12:45 > 3:12:46so ruthlessly effective.

3:12:49 > 3:12:51So, what we've got is a machine

3:12:51 > 3:12:54that is going to effectively act as patient zero.

3:12:54 > 3:12:58We've got a second machine to reconstruct how this

3:12:58 > 3:13:03particular variant of WannaCry spreads across multiple machines.

3:13:03 > 3:13:08In here is what I have dubbed, "The internet in a box."

3:13:08 > 3:13:12To make the malware reveal itself, we have to make it believe

3:13:12 > 3:13:15these computers are connected to the real internet

3:13:15 > 3:13:20and this box provides the necessary dummy signals, whilst protecting

3:13:20 > 3:13:21the outside world from harm.

3:13:22 > 3:13:27What we're going to do now is run the WannaCry ransomware.

3:13:32 > 3:13:33There you go.

3:13:33 > 3:13:34And that's the screen of doom.

3:13:36 > 3:13:39- So, this is this machine out of action. - Exactly.

3:13:44 > 3:13:45With the files locked up,

3:13:45 > 3:13:47the clock is ticking.

3:13:49 > 3:13:51But as the victim decides whether or not to pay,

3:13:51 > 3:13:53the malware is already planning its next attacks.

3:13:55 > 3:13:57This particular strain has two components.

3:13:57 > 3:13:59It has the ransomware itself,

3:13:59 > 3:14:01which is what we see here, and it has the worm component,

3:14:01 > 3:14:05which was taken from Eternal Blue,

3:14:05 > 3:14:09which is a government weapons-grade exploit.

3:14:09 > 3:14:12This machine here is actually giving us a bit of insight.

3:14:12 > 3:14:15And what this is showing us is that it is trying

3:14:15 > 3:14:17to spread across the network.

3:14:17 > 3:14:21You don't really think about it, do you? All the output from

3:14:21 > 3:14:23a machine isn't just what you see on your screen.

3:14:23 > 3:14:26- There is a lot of silent chatter going on in the background. - Exactly.

3:14:26 > 3:14:29If you imagine a big room of people and you shout out, "Who's here?!"

3:14:29 > 3:14:31And everyone puts their hand up. That is effectively what

3:14:31 > 3:14:34these machines are doing. It shouts out and says, "Who's here?!"

3:14:34 > 3:14:38and then, the machines reply. What it then tries to do is hit

3:14:38 > 3:14:42each of those machines with this payload. This worm is now spreading

3:14:42 > 3:14:45out across the network and in an instance where you have got...

3:14:45 > 3:14:50- There we go. - And as you can see, it's now spread onto this machine.

3:14:54 > 3:14:58Eternal Blue had been expertly designed to silently move

3:14:58 > 3:15:03from one machine to another across a local area network or LAN.

3:15:03 > 3:15:07Groups of computers joined together inside a business or a hospital.

3:15:09 > 3:15:12With the LAN infected, it spread to the internet.

3:15:16 > 3:15:20If you imagine you have got your big internet cloud down here

3:15:20 > 3:15:23and each dot represents a machine and there is billions

3:15:23 > 3:15:27of these machines, OK? And what it does is

3:15:27 > 3:15:30the attack will make a direct connection to your machine

3:15:30 > 3:15:35and if you are exposing this port to the internet, someone could

3:15:35 > 3:15:41infect your machine without needing to have local access to it

3:15:41 > 3:15:43or be on the same network.

3:15:43 > 3:15:47What is even more disturbing from there is,

3:15:47 > 3:15:51if you look at the research tools that actually analyse the internet,

3:15:51 > 3:15:54you can go and query today, right now, how many of these machines

3:15:54 > 3:15:57on the internet have got this vulnerable service open.

3:15:57 > 3:16:00Through the internet, anyone can go and try and exploit them

3:16:00 > 3:16:03and there are hundreds and hundreds and hundreds of thousands

3:16:03 > 3:16:05of these machines.

3:16:07 > 3:16:09The malware sought out these weaknesses

3:16:09 > 3:16:11and wormed its way into all manner of networks.

3:16:11 > 3:16:16From companies like Nissan in the UK to Renault in France,

3:16:16 > 3:16:20from a postal service in Russia to a German railway operator.

3:16:24 > 3:16:29And to be clear, this does not depend upon any human interaction?

3:16:29 > 3:16:34It's automatic propagation. There is no human interaction here required

3:16:34 > 3:16:39at all. And that is why the ransomware itself was

3:16:39 > 3:16:43relatively low-key, to be fair. There wasn't anything particularly

3:16:43 > 3:16:47special about it, but when combined with

3:16:47 > 3:16:53a government weapons-grade exploit, the impact has been devastating.

3:16:57 > 3:17:01No-one needed to click on a link or open a dodgy e-mail.

3:17:01 > 3:17:04The worm spread all by itself,

3:17:04 > 3:17:08exploding across networks in a matter of hours.

3:17:20 > 3:17:24Across the country, the surprisingly virulent attack meant that

3:17:24 > 3:17:26several hospitals were beginning to struggle.

3:17:26 > 3:17:29And wherever the ransomware was found, they would switch off

3:17:29 > 3:17:32machines in an attempt to contain the outbreak.

3:17:32 > 3:17:36Nevertheless, some of those networks went dark.

3:17:36 > 3:17:38Now, even that was not a complete disaster,

3:17:38 > 3:17:40because in the NHS, we have contingency plans

3:17:40 > 3:17:43for almost every conceivable emergency,

3:17:43 > 3:17:46from power outages, terrorist attacks,

3:17:46 > 3:17:48even a cyber attack of this kind.

3:17:52 > 3:17:56So, what was it that forced some accident and emergency departments

3:17:56 > 3:18:00to close their doors that day? A&E relies upon support

3:18:00 > 3:18:05from state-of-the-art technologies and specialities.

3:18:05 > 3:18:08And these were some of the hardest hit,

3:18:08 > 3:18:11among them, doctors and their systems in radiology.

3:18:11 > 3:18:14It is packed with the latest kit.

3:18:14 > 3:18:19X-rays, MRI scanners and CT machines that allow doctors

3:18:19 > 3:18:23to investigate the hidden extent of injury inside the body.

3:18:23 > 3:18:26When time is critical, such as with a stroke,

3:18:26 > 3:18:30radiologists like Navin Ramachandran help us to make quick, accurate,

3:18:30 > 3:18:32life-saving decisions.

3:18:34 > 3:18:36When a patient comes in,

3:18:36 > 3:18:38they turn up with typical symptoms,

3:18:38 > 3:18:41you can see they may not be able to feel an area,

3:18:41 > 3:18:42they may not

3:18:42 > 3:18:44be able to speak. That gives us an idea that there is something

3:18:44 > 3:18:47going on in the brain, but it doesn't necessarily tell us

3:18:47 > 3:18:49what the underlying cause is.

3:18:49 > 3:18:51So, it could be, if we look at this case,

3:18:51 > 3:18:56where a vessel to a part of the brain has got blocked off

3:18:56 > 3:18:59by a clot and that area is the part that has been

3:18:59 > 3:19:02- deprived of blood currently. - The treatment is to give

3:19:02 > 3:19:04a clot-busting drug as fast as possible,

3:19:04 > 3:19:08but there is jeopardy involved. You have to be sure precisely

3:19:08 > 3:19:10what type of stroke you're dealing with.

3:19:11 > 3:19:14The one thing you have to be aware of is that, once in a while,

3:19:14 > 3:19:16patients that come in with exactly the same symptoms,

3:19:16 > 3:19:19they are getting the same symptoms not because of the blocked vessel,

3:19:19 > 3:19:22but because of a bleeding vessel. In this case, this vessel

3:19:22 > 3:19:26has bled. With this patient, if you give them the clot-busting drug,

3:19:26 > 3:19:30that is catastrophic and can lead to death.

3:19:30 > 3:19:33And these two patients would look very similar at presentation?

3:19:33 > 3:19:36Without doing these scans, you really wouldn't know the difference?

3:19:36 > 3:19:39Exactly. The only thing that makes it possible is having access

3:19:39 > 3:19:42to these scans, to allow others to triage people into the right

3:19:42 > 3:19:45- treatment pathway. - The same is true for the whole

3:19:45 > 3:19:49of emergency medicine, from car accidents to cancer.

3:19:49 > 3:19:51Radiology is an essential front line asset.

3:19:53 > 3:19:55The whole department relies on computers.

3:19:55 > 3:19:58They run the scanning machines, display the images

3:19:58 > 3:20:00and send them on to doctors in A&E.

3:20:01 > 3:20:03If these computers were infected,

3:20:03 > 3:20:08hospital managers would have little choice but to close A&E.

3:20:08 > 3:20:09It simply wouldn't be safe to stay open.

3:20:11 > 3:20:14We were very lucky in that it didn't hit our services at all.

3:20:14 > 3:20:18We have had fully digital systems for over 10-15 years,

3:20:18 > 3:20:21whereas most of the rest of the hospital still uses paper.

3:20:21 > 3:20:23But we were completely unaffected.

3:20:23 > 3:20:25No change to the day.

3:20:25 > 3:20:30Some hospitals, like mine, UCLH, got away unscathed,

3:20:30 > 3:20:33but for those unlucky enough to be affected,

3:20:33 > 3:20:36there was still enough flex in the system to compensate.

3:20:36 > 3:20:38Nevertheless, patients were on the move,

3:20:38 > 3:20:41being transferred from hospital to hospital.

3:20:44 > 3:20:47The infection continued to spread

3:20:47 > 3:20:51and began to show up in GP surgeries across the country.

3:21:00 > 3:21:03So, this is one of the consulting rooms we are going into now.

3:21:03 > 3:21:07Dr George Farrelly is a GP working at a surgery in Tower Hamlets.

3:21:07 > 3:21:10This is our standard desktop PC and so on.

3:21:10 > 3:21:12Each consulting room has one of these.

3:21:15 > 3:21:17We have 15 machines. We do consultations with this.

3:21:17 > 3:21:21We access people's notes, we are able to make appointments,

3:21:21 > 3:21:24we send prescriptions to the chemist and plan care.

3:21:27 > 3:21:28So, this is our reception area.

3:21:31 > 3:21:36A lot happens here. This is like the information hub of the practice.

3:21:36 > 3:21:39We take our computer system a little bit for granted, I think,

3:21:39 > 3:21:40and only realised

3:21:40 > 3:21:43how reliant we are on it when we lose it.

3:21:51 > 3:21:53On Friday, 12th of May, we got a phone call

3:21:53 > 3:21:56from a neighbouring practice and they told us that they had been hit

3:21:56 > 3:21:59by some virus.

3:21:59 > 3:22:03So, we printed out the appointment for that day,

3:22:03 > 3:22:05which would give us some information, just in case

3:22:05 > 3:22:06we had the same problem.

3:22:10 > 3:22:14I was in a meeting with some colleagues discussing patients

3:22:14 > 3:22:19and the PC we were using suddenly blanked out.

3:22:23 > 3:22:27We had to shut all our computers down, to hopefully stop any more

3:22:27 > 3:22:30of them becoming infected.

3:22:30 > 3:22:31It was complete paralysis.

3:22:33 > 3:22:37Along with the hospitals, some GP surgeries were now struggling, too.

3:22:38 > 3:22:43They connect with the rest of the NHS via a network known as N3.

3:22:45 > 3:22:48N3 is the NHS's national broadband network,

3:22:48 > 3:22:51connecting all NHS locations

3:22:51 > 3:22:54and its 1.3 million employees across England.

3:22:56 > 3:22:58It's one of the largest networks in Europe,

3:22:58 > 3:23:01with in excess of 51,000 connections.

3:23:03 > 3:23:05N3 allows us to communicate with our colleagues

3:23:05 > 3:23:07who we share care with other people.

3:23:07 > 3:23:11For example, when we send e-mails to each other

3:23:11 > 3:23:14from our NHS net e-mail account, it's more secure.

3:23:14 > 3:23:19Our security antivirus and so on is done centrally,

3:23:19 > 3:23:21it's not something we worry about.

3:23:21 > 3:23:23We never have to do patches ourselves.

3:23:27 > 3:23:30They didn't know it at the time,

3:23:30 > 3:23:34but the N3 network was actually unaffected.

3:23:34 > 3:23:38However, Windows 7 machines without the patch WERE going down.

3:23:39 > 3:23:42So some teams disconnected their computers...

3:23:43 > 3:23:46..cutting off access to essential clinical systems,

3:23:46 > 3:23:48deepening the disruption.

3:23:50 > 3:23:52The people who've done this

3:23:52 > 3:23:54don't understand the implications of what they're doing.

3:23:55 > 3:23:58They hadn't thought them through.

3:23:58 > 3:24:01My guess is their project is to make money

3:24:01 > 3:24:04and they just send this stuff out and it lands wherever it lands

3:24:04 > 3:24:06and they don't give any thought to it.

3:24:10 > 3:24:13What they DID give some thought to is how they got paid.

3:24:16 > 3:24:19With the ransomware hitting thousands of computers,

3:24:19 > 3:24:23the hackers needed a secure, globally accepted form of payment

3:24:23 > 3:24:25that ideally would be untraceable.

3:24:27 > 3:24:30They decided to use Bitcoin -

3:24:30 > 3:24:34an entirely electronic form of so-called cryptocurrency.

3:24:36 > 3:24:38I've never used Bitcoin.

3:24:39 > 3:24:42But it's easy enough to buy some on a phone.

3:24:43 > 3:24:46And once loaded, you can spend it in all manner of places.

3:24:52 > 3:24:55- So, can I get a flat white and a mint tea, please? - Sure.

3:24:55 > 3:24:59I've come to a cafe in east London to meet Sarah Meiklejohn,

3:24:59 > 3:25:01an expert in Bitcoin,

3:25:01 > 3:25:05to find out why it's such an attractive currency for hackers.

3:25:07 > 3:25:11- Perfect. Can I pay with Bitcoin? - Sure.

3:25:11 > 3:25:15- OK. And I just... - £3.50, please. You just scan this.

3:25:15 > 3:25:17OK, I'll lean over and scan that.

3:25:18 > 3:25:22- That's it. - And it's as easy as that. - That's it.

3:25:22 > 3:25:24- Perfect, thank you very much. - Thank you. - Thank you.

3:25:24 > 3:25:25Marvellous, right.

3:25:27 > 3:25:29Explain to me, then, as a complete non-initiate,

3:25:29 > 3:25:32what Bitcoin is and how it works.

3:25:32 > 3:25:36Right, so, Bitcoin is basically a purely digital form of currency.

3:25:36 > 3:25:40So it's just a currency, like the dollar, the pound.

3:25:40 > 3:25:44The main differences are that it's not backed by any government,

3:25:44 > 3:25:47there's no central bank involved in generating Bitcoins

3:25:47 > 3:25:50and you don't need a bank account to use it.

3:25:50 > 3:25:52If I want to use Bitcoin, you know,

3:25:52 > 3:25:54I want to send people Bitcoins,

3:25:54 > 3:25:56I'm going to download a piece of software,

3:25:56 > 3:25:57and in doing that,

3:25:57 > 3:26:00I'm going to join Bitcoin's peer-to-peer network.

3:26:00 > 3:26:04So this network is basically collectively responsible for

3:26:04 > 3:26:06playing all the traditional roles

3:26:06 > 3:26:08that we're used to in traditional banking.

3:26:08 > 3:26:11The recent WannaCry attack, which affected many organisations,

3:26:11 > 3:26:14including the National Health Service,

3:26:14 > 3:26:19was conducted using Bitcoin as the currency of ransom.

3:26:19 > 3:26:21Why did they use Bitcoin?

3:26:21 > 3:26:24Opening a Bitcoin wallet, saying we're open for business,

3:26:24 > 3:26:27we can accept Bitcoins, takes very little time and effort,

3:26:27 > 3:26:31and then getting paid in Bitcoin equally takes very little effort.

3:26:31 > 3:26:34If I want to pay someone on the other side of the world,

3:26:34 > 3:26:35I can do that using Bitcoin

3:26:35 > 3:26:38and they'll get the payment instantaneously.

3:26:39 > 3:26:43It's the convenience and speed that makes it easy for hackers

3:26:43 > 3:26:44to gather their ransom.

3:26:44 > 3:26:49But as cyber security expert Mikko Hypponen explains,

3:26:49 > 3:26:53Bitcoin also offers a certain level of anonymity.

3:26:55 > 3:26:57The only thing we can see is that someone is sending money

3:26:57 > 3:27:01from one address to another address, and these addresses are

3:27:01 > 3:27:04these long lists of numbers and letters which look really random.

3:27:04 > 3:27:09They are tied to a user, but we have no idea who these users are.

3:27:09 > 3:27:13What was invented to ensure an individual's privacy

3:27:13 > 3:27:16had unforeseen consequences.

3:27:16 > 3:27:21So we very quickly started seeing Bitcoin being used in online crime.

3:27:21 > 3:27:23First, in online drug trade,

3:27:23 > 3:27:25cos when you're buying illegal drugs online,

3:27:25 > 3:27:27you don't want to use your credit card

3:27:27 > 3:27:31because the credit card will lead back to you and Bitcoins don't.

3:27:31 > 3:27:35And then we started seeing ransom attacks.

3:27:35 > 3:27:37Ransomware has been around for years and years,

3:27:37 > 3:27:39way before Bitcoin.

3:27:39 > 3:27:41But the megatrend which really made ransomware

3:27:41 > 3:27:44such a big problem is cryptocurrencies, like Bitcoin.

3:27:44 > 3:27:48By allowing transactions to take place between pseudonyms

3:27:48 > 3:27:50rather than real identities,

3:27:50 > 3:27:53Bitcoin became the go-to currency for cyber crime.

3:27:56 > 3:28:00But it turns out that the details of Bitcoin's original design

3:28:00 > 3:28:03could, for some criminals, actually be their undoing.

3:28:05 > 3:28:09Bitcoin was invented by a figure called Satoshi Nakamoto

3:28:09 > 3:28:11around six years ago.

3:28:11 > 3:28:14It's based on an innovation called blockchain,

3:28:14 > 3:28:19and blockchain basically means a public ledger of transactions.

3:28:20 > 3:28:23When a transaction is made between two Bitcoin users,

3:28:23 > 3:28:27the details of that transaction are locked into a permanent ledger,

3:28:27 > 3:28:30known as the blockchain.

3:28:31 > 3:28:35And the blockchain data isn't kept on a single computer or server -

3:28:35 > 3:28:38it's distributed across the entire network.

3:28:40 > 3:28:43Which means, even if an individual machine goes down,

3:28:43 > 3:28:45it can never be erased.

3:28:47 > 3:28:51So the entire history of every Bitcoin transaction

3:28:51 > 3:28:55is accessible to all users now and for ever.

3:28:56 > 3:28:57Until this point,

3:28:57 > 3:29:00what I understood by Bitcoin was that it was fully anonymous

3:29:00 > 3:29:03and therefore it's the perfect currency

3:29:03 > 3:29:06in which the underworld can operate.

3:29:06 > 3:29:07Is that not true?

3:29:07 > 3:29:09No, it's definitely not true.

3:29:09 > 3:29:13Bitcoin exchanges are what's responsible for trading Bitcoin

3:29:13 > 3:29:16with traditional, government-backed currencies.

3:29:16 > 3:29:19But the second you send your Bitcoins to this exchange,

3:29:19 > 3:29:24you've created a link between your activities in the Bitcoin network

3:29:24 > 3:29:27and your identity as a real person.

3:29:27 > 3:29:30The second I know that a given pseudonym

3:29:30 > 3:29:32belongs to a criminal or belongs to anyone,

3:29:32 > 3:29:36I can then start trying to understand what that user

3:29:36 > 3:29:37has done with that money.

3:29:37 > 3:29:39We've seen in the past

3:29:39 > 3:29:41that attackers have stolen Bitcoins

3:29:41 > 3:29:44and then they've sat on them for years,

3:29:44 > 3:29:47probably because they don't really know what to do with them next.

3:29:47 > 3:29:49Attribution is hard,

3:29:49 > 3:29:51this could have been anybody in the world

3:29:51 > 3:29:52carrying out this attack.

3:29:52 > 3:29:54If you're looking for my opinion,

3:29:54 > 3:29:56it's some script kiddie in a basement somewhere,

3:29:56 > 3:29:58not a government agency.

3:29:58 > 3:30:00And if he's got any sense whatsoever,

3:30:00 > 3:30:04he'll take his hard disk, smash it up with a sledgehammer

3:30:04 > 3:30:06and burn it in a bonfire.

3:30:06 > 3:30:08And he will not, whatever he does,

3:30:08 > 3:30:11go and try spend of those Bitcoins that ended up in his wallets,

3:30:11 > 3:30:14cos if he does, there's quite a number of governments

3:30:14 > 3:30:16would like to offer him some hospitality

3:30:16 > 3:30:18for quite a long period of his life.

3:30:23 > 3:30:26As the ransomware continued to spread,

3:30:26 > 3:30:29thousands of people faced the same dilemma -

3:30:29 > 3:30:32should they pay the ransom or not?

3:30:34 > 3:30:38It's a question that Moti Cristal has given a lot of thought.

3:30:44 > 3:30:47I'm a negotiator, by profession.

3:30:47 > 3:30:49I started my career in the political negotiations

3:30:49 > 3:30:51between Israel and the Arab world.

3:30:51 > 3:30:53And later on, I do hostage negotiations

3:30:53 > 3:30:55in high-intensity conflicts.

3:31:02 > 3:31:04In a hostage situation, you negotiate with a person

3:31:04 > 3:31:07but if you have the opportunity

3:31:07 > 3:31:11to talk him to come to the window and then shoot him in the head

3:31:11 > 3:31:14because he just killed three kids, you will do it,

3:31:14 > 3:31:17and without any moral hesitation.

3:31:17 > 3:31:21But in the cyber world, you cannot do that.

3:31:21 > 3:31:24The reliance on talk is

3:31:24 > 3:31:27significantly more important.

3:31:27 > 3:31:30Extortionists, like the people behind WannaCry,

3:31:30 > 3:31:35are increasingly abandoning the real world and moving online.

3:31:35 > 3:31:38It's lower risk and more profitable.

3:31:38 > 3:31:40But whilst the setting may have changed,

3:31:40 > 3:31:43Moti's job remains the same,

3:31:43 > 3:31:47and much of his work is now in cyber crime.

3:31:47 > 3:31:50There's always a human being behind the keyboard.

3:31:50 > 3:31:53So at the end of this ransomware attack,

3:31:53 > 3:31:57there are people that have feelings,

3:31:57 > 3:32:00logics, emotions...

3:32:00 > 3:32:02There's always a human being

3:32:02 > 3:32:05to whom you can, and you should try to, connect.

3:32:08 > 3:32:12No-one has been able to reach out to those behind WannaCry.

3:32:12 > 3:32:14But perhaps Moti can help shed light

3:32:14 > 3:32:18on how these criminal organisations think.

3:32:18 > 3:32:21In October 2015, he was called in

3:32:21 > 3:32:23to negotiate for a financial institution

3:32:23 > 3:32:26that had been attacked by another piece of malware.

3:32:27 > 3:32:30The hackers attempted to portray themselves

3:32:30 > 3:32:34as an arm of the Russian state, APT28.

3:32:36 > 3:32:38Moti reached out to them.

3:32:40 > 3:32:42You know, I teased them.

3:32:42 > 3:32:45I said, "Are you really APT28,

3:32:45 > 3:32:48"the Russian...proclaimed Russian team?"

3:32:48 > 3:32:49"Yes, correct."

3:32:49 > 3:32:52And I said, "If you are APT28,

3:32:52 > 3:32:58"why you start to do this low stuff of extortion

3:32:58 > 3:33:02"instead of the very fascinating cool government stuff?"

3:33:03 > 3:33:06Through this kind of engagement, over many months,

3:33:06 > 3:33:10Moti created a dialogue with the attackers.

3:33:10 > 3:33:12We already start moving towards a deal

3:33:12 > 3:33:14and they write to me.

3:33:14 > 3:33:17"The way we can do it..."

3:33:17 > 3:33:19Pay attention to the language -

3:33:19 > 3:33:22"the way WE can do it," we're already a team.

3:33:22 > 3:33:24"..is two equal payments.

3:33:24 > 3:33:29"After the first one, we tell you exactly how you were breached

3:33:29 > 3:33:32"and which systems are most vulnerable."

3:33:32 > 3:33:34So suddenly, after the first payment,

3:33:34 > 3:33:38they start actually to be my consultant, my advisers.

3:33:38 > 3:33:41They start to tell me how my system was breached,

3:33:41 > 3:33:43which is very valuable information.

3:33:43 > 3:33:46"This is something we never do.

3:33:46 > 3:33:50"But consider it as a gesture..."

3:33:50 > 3:33:52And then I immediately reply,

3:33:52 > 3:33:56"I never recommend moving forward

3:33:56 > 3:33:58"based on a virtual contract,"

3:33:58 > 3:33:59I'm telling them.

3:33:59 > 3:34:03"But with you, I feel we have this otnoshenya."

3:34:03 > 3:34:05The Russian word for relationship.

3:34:05 > 3:34:08To signal them that, "we are on the same page,

3:34:08 > 3:34:10"I do appreciate this."

3:34:11 > 3:34:15Though the ransom was paid, by negotiating with the hackers,

3:34:15 > 3:34:20Moti successfully ensured that the company's data were not released.

3:34:22 > 3:34:25But for those facing the ransom on the 12th of May attack,

3:34:25 > 3:34:28was paying the right thing to do?

3:34:28 > 3:34:32There are several costs involved when you pay the ransomware.

3:34:32 > 3:34:33And I do think, most important,

3:34:33 > 3:34:35is that you feel bad

3:34:35 > 3:34:38that, actually, you surrendered

3:34:38 > 3:34:40to this type of criminal.

3:34:40 > 3:34:43So if you pay, you feel bad.

3:34:44 > 3:34:46And there's another risk to paying.

3:34:46 > 3:34:49You open yourself up to further cyber attacks.

3:34:49 > 3:34:51I do believe, in the darknet,

3:34:51 > 3:34:53dark in the darknet,

3:34:53 > 3:34:55people do exchange lists

3:34:55 > 3:34:56of people who paid.

3:34:56 > 3:34:58Why? Because that's, again,

3:34:58 > 3:34:59a human pattern.

3:34:59 > 3:35:03If you've paid once, you might pay again and again.

3:35:13 > 3:35:17Ransoms paid in Bitcoin, hostage negotiators...

3:35:17 > 3:35:19It's all fine if you're a high-net-worth individual

3:35:19 > 3:35:21or a private mega-corporation,

3:35:21 > 3:35:24but none of that is going to work in the NHS.

3:35:24 > 3:35:25Even if it could pay -

3:35:25 > 3:35:27which it can't, because there's no money -

3:35:27 > 3:35:29it wouldn't be allowed to pay.

3:35:29 > 3:35:32The best you can hope for in that situation as a hacker

3:35:32 > 3:35:35is that you don't inadvertently kill somebody

3:35:35 > 3:35:38and, instead of the local cyber crime division,

3:35:38 > 3:35:41suddenly find the murder squad kicking down your front door.

3:35:43 > 3:35:45Those hospitals and GPs that had been infected

3:35:45 > 3:35:48had no option but to keep their computers off

3:35:48 > 3:35:51and hope that something could stop the spread.

3:35:53 > 3:35:56And incredibly, an answer was found,

3:35:56 > 3:35:59thanks to a bit of luck and Marcus's inquisitive nature.

3:36:06 > 3:36:07By late afternoon,

3:36:07 > 3:36:10he'd spotted something curious in the malware's code.

3:36:10 > 3:36:14It was trying to connect to one specific web address.

3:36:14 > 3:36:16A domain.

3:36:18 > 3:36:20I saw this domain was not registered,

3:36:20 > 3:36:24so my first idea was to just go and reserve it, just in case.

3:36:24 > 3:36:29By registering it, we could track the infection across the globe.

3:36:29 > 3:36:31Straight after registering the domain,

3:36:31 > 3:36:33we were seeing thousands of queries per second.

3:36:33 > 3:36:38Maybe 100,000 unique infections within the first hour.

3:36:38 > 3:36:40It was sort of, like, a bingo moment.

3:36:41 > 3:36:45He didn't yet realise it, but by registering the domain,

3:36:45 > 3:36:47at a cost of just 10,

3:36:47 > 3:36:49Marcus wasn't just tracking the infection -

3:36:49 > 3:36:52he was also preventing it from spreading.

3:36:52 > 3:36:55The plan was to track it and then look for a way to stop it,

3:36:55 > 3:36:58but it actually turned out the tracking it was stopping it.

3:37:02 > 3:37:05It was like finding a vaccine.

3:37:05 > 3:37:09For now, WannaCry could do no further damage.

3:37:11 > 3:37:13The NHS didn't realise it yet

3:37:13 > 3:37:16and were still relying on emergency systems,

3:37:16 > 3:37:19but the cyber attack was over,

3:37:19 > 3:37:22the malware defeated.

3:37:22 > 3:37:25"Kill switch" was, sort of, the term the media ran with.

3:37:25 > 3:37:27It sort of makes a lot of sense, cos it is a kill switch.

3:37:27 > 3:37:28It stops the malware.

3:37:28 > 3:37:31It seems silly that simply registering a domain

3:37:31 > 3:37:34would stop a global cyber attack, but it happened.

3:37:35 > 3:37:38In the days following the cyber attack,

3:37:38 > 3:37:40the NHS slowly came back online.

3:37:40 > 3:37:43Machines were given the patch,

3:37:43 > 3:37:47backup data was used to restore the encrypted files,

3:37:47 > 3:37:49and news of Marcus's cure spread.

3:37:49 > 3:37:51Well, as we've been hearing,

3:37:51 > 3:37:54the global cyber attack was halted almost by accident.

3:37:54 > 3:37:57It was a 22-year-old in the UK who checked the code

3:37:57 > 3:38:01and found a reference to an unregistered website name.

3:38:01 > 3:38:03With systems restored,

3:38:03 > 3:38:06Patrick finally got the news he was waiting for.

3:38:06 > 3:38:10I'd gone back to work, then I had a phone call to say

3:38:10 > 3:38:15that they had managed to get an operation date for me

3:38:15 > 3:38:18for next week, which...

3:38:18 > 3:38:22I was with a customer and I was, yeah, absolutely delighted.

3:38:25 > 3:38:29I can't describe the people who did the ransomware.

3:38:29 > 3:38:32I'm sure that wasn't in their thought process,

3:38:32 > 3:38:36to attack individual people,

3:38:36 > 3:38:40but that's the result of exactly what's happened.

3:38:45 > 3:38:47In a detached sort of way,

3:38:47 > 3:38:50you've got to have at least a bit of respect for the malware.

3:38:50 > 3:38:52As poorly constructed as it was,

3:38:52 > 3:38:54it still did a lot of damage.

3:38:54 > 3:38:57That's not unlike a real infection.

3:38:57 > 3:38:59Real viruses have a lot of flaws,

3:38:59 > 3:39:01and yet still go on to wreak havoc.

3:39:01 > 3:39:06Like a real infection, the malware was able to hide,

3:39:06 > 3:39:07evade natural defences,

3:39:07 > 3:39:10avoid surveillance, go dormant,

3:39:10 > 3:39:11and then go on to cause

3:39:11 > 3:39:13all of that chaos.

3:39:13 > 3:39:14But like a real infection,

3:39:14 > 3:39:16there was, in the end,

3:39:16 > 3:39:17a way to fight it,

3:39:17 > 3:39:19and so the NHS survived...

3:39:20 > 3:39:21At least this time.

3:39:33 > 3:39:36WannaCry soon disappeared from the front pages,

3:39:36 > 3:39:40but at a gathering of cyber security experts

3:39:40 > 3:39:44a fortnight after the attack, it was still making waves.

3:39:47 > 3:39:50WHISPERS: This is a long-planned cyber security conference.

3:39:50 > 3:39:53It predates the NHS cyber attack by many months,

3:39:53 > 3:39:56but it's clearly dominating the agenda here.

3:39:56 > 3:39:58Every single speaker has mentioned it.

3:39:58 > 3:40:01I wanted to know why, in this country,

3:40:01 > 3:40:04it was the NHS that seemed to bear the brunt

3:40:04 > 3:40:06of the ransomware infection.

3:40:06 > 3:40:11Thank you. I'm Kevin Fong. I'm a doctor in the NHS.

3:40:11 > 3:40:16We still can't quite understand how worried we should be

3:40:16 > 3:40:19or how vulnerable we continue to be.

3:40:19 > 3:40:21We had the person responsible

3:40:21 > 3:40:23for one of the trusts

3:40:23 > 3:40:27talking about her experiences and day-to-day life

3:40:27 > 3:40:29of running IT in the NHS.

3:40:29 > 3:40:34It really stuck with me and resonated that, actually,

3:40:34 > 3:40:39the amount of budget that she had to protect the IT

3:40:39 > 3:40:40was vanishingly small.

3:40:40 > 3:40:44They have one support person for 1,000 machines

3:40:44 > 3:40:45and things like that.

3:40:45 > 3:40:49That's just not a sustainable investment.

3:40:49 > 3:40:51I think the NHS really does need to think about

3:40:51 > 3:40:53its balance of investment.

3:40:53 > 3:40:55It must put more money into this.

3:40:55 > 3:41:01It's always a hard trade-off, to think patients versus IT,

3:41:01 > 3:41:04you know, but actually, you've got to have that infrastructure

3:41:04 > 3:41:07to be able to do a good job on the patients, I would say.

3:41:08 > 3:41:13Spending varies across the NHS, but it's been reported that in 2015,

3:41:13 > 3:41:18seven trusts spent nothing at all on IT security.

3:41:18 > 3:41:22If this is true, surely this needs urgent attention,

3:41:22 > 3:41:26now that weaknesses have been exposed by the WannaCry attack.

3:41:26 > 3:41:29I was shocked by what happened to the NHS.

3:41:29 > 3:41:32I think the shock is more in the vulnerability of the hospitals

3:41:32 > 3:41:36than it was in the way that the attack was executed.

3:41:37 > 3:41:40We are always afraid of the next attack

3:41:40 > 3:41:42hitting critical infrastructures,

3:41:42 > 3:41:47so now health care systems were hit,

3:41:47 > 3:41:51we are afraid that the electricity, the water departments,

3:41:51 > 3:41:56you know, those types of infrastructures being hit...

3:41:56 > 3:41:59That didn't happen, but it can happen,

3:41:59 > 3:42:02so I think that this is what we're kind of waiting for.

3:42:05 > 3:42:08I think there has to be a recognition that it's not an IT

3:42:08 > 3:42:11or a computer issue, this is about everyday life now.

3:42:11 > 3:42:14In a world where everything's online and where there are ever more

3:42:14 > 3:42:19online threats and where government agencies involved in security

3:42:19 > 3:42:22are much more interested in adding to the threat level

3:42:22 > 3:42:24than in adding to the defence level,

3:42:24 > 3:42:26there's an awful lot of conflicts there

3:42:26 > 3:42:28that we're going to have to manage.

3:42:30 > 3:42:34This attack affected Russian banks, Chinese universities,

3:42:34 > 3:42:38Spanish telecoms companies, even FedEx.

3:42:38 > 3:42:41The vulnerabilities were there for all of us

3:42:41 > 3:42:44across countries and continents, private and public sector,

3:42:44 > 3:42:46all walks of life.

3:42:46 > 3:42:50The NHS was simply one in a long list of casualties.

3:42:50 > 3:42:54Collateral damage in a global cyber war.

3:42:59 > 3:43:02The new reality is that we're all at risk.

3:43:02 > 3:43:04It's not only businesses and governments -

3:43:04 > 3:43:07anyone who's connected could be a target.

3:43:10 > 3:43:14As the world of network technology gets ever more complex,

3:43:14 > 3:43:17it opens up whole new realms of vulnerability.

3:43:19 > 3:43:23It's no longer just our computers that are at risk.

3:43:23 > 3:43:26Our homes and offices are now filled with devices

3:43:26 > 3:43:29that are online and ripe for hacking.

3:43:30 > 3:43:35- Which one are you pinning our hopes on being...? - The... Yeah, that one.

3:43:35 > 3:43:38Ken Munro leads a team of ethical hackers

3:43:38 > 3:43:42that test the security of internet-enabled household devices,

3:43:42 > 3:43:44the so-called internet of things,

3:43:44 > 3:43:46to find out where their weak spots are

3:43:46 > 3:43:48and to see how much havoc they could wreak.

3:43:48 > 3:43:52This is kind of the most fundamental aspect of hacking.

3:43:52 > 3:43:56You're in there at the nitty-gritty, at the level of the circuit board.

3:43:56 > 3:43:59Yeah, so that's what's different about the internet of things.

3:43:59 > 3:44:01Unlike, say, an eCommerce site,

3:44:01 > 3:44:04which is safely hosted in a data centre on a server somewhere,

3:44:04 > 3:44:07with the internet of things, you can go and buy the kit,

3:44:07 > 3:44:08you can dismantle it.

3:44:08 > 3:44:12You can find the chips and the hardware and then connect to it.

3:44:12 > 3:44:13So literally put logic probes,

3:44:13 > 3:44:15electric wires onto the circuit cables

3:44:15 > 3:44:18and then pull off the software and reverse-engineer

3:44:18 > 3:44:20how it works from 1s and 0s.

3:44:20 > 3:44:23Once you've got that, you can find security flaws.

3:44:25 > 3:44:30As Ken discovered, some devices are far easier to hack than others.

3:44:30 > 3:44:34This is your hackable shop of horrors.

3:44:34 > 3:44:36What have you got here?

3:44:36 > 3:44:39Probably the first one we look at, this is My Friend Cayla,

3:44:39 > 3:44:42she's an interactive kids' doll.

3:44:42 > 3:44:43She works over Bluetooth with an app,

3:44:43 > 3:44:46but the manufacturer forgot to put security

3:44:46 > 3:44:48on the Bluetooth connection, so, as a result,

3:44:48 > 3:44:50it means that someone could be sat on the street outside,

3:44:50 > 3:44:53could be listening to what's going on in the room,

3:44:53 > 3:44:54so snooping on your child,

3:44:54 > 3:44:57or potentially speaking to the child through the speaker.

3:44:57 > 3:44:58Our interest was we wanted to see

3:44:58 > 3:45:01if we could bypass her protection measures.

3:45:01 > 3:45:02You can't make her swear.

3:45:02 > 3:45:05But, of course, we discovered you could hack her,

3:45:05 > 3:45:06and she swears like a docker now.

3:45:06 > 3:45:10- RECORDED MESSAGE:- Hey, calm down or I will kick the shit out of you.

3:45:11 > 3:45:13Creepy, but it's a really serious issue.

3:45:13 > 3:45:15The German telecommunications regulator

3:45:15 > 3:45:19has now classified her as a covert bugging device

3:45:19 > 3:45:20and has banned her.

3:45:20 > 3:45:22It's illegal to own her in Germany now.

3:45:22 > 3:45:25All right, OK. So this is a wireless kettle,

3:45:25 > 3:45:29but I don't actually care if someone hacks my kettle.

3:45:29 > 3:45:31I mean, what can they possibly do with that?

3:45:31 > 3:45:32This is a Wi-Fi kettle, though.

3:45:32 > 3:45:35How else would you boil a kettle from the car home?

3:45:37 > 3:45:39So this is the scary bit. This is the Wi-Fi Module.

3:45:39 > 3:45:42We're going to show you how we managed to hack that.

3:45:42 > 3:45:44Imagine I'm outside your house.

3:45:44 > 3:45:46If I want to get your Wi-Fi key from your kettle,

3:45:46 > 3:45:47it's really surprisingly easy.

3:45:47 > 3:45:49All I need to do, I'm going to connect to it.

3:45:49 > 3:45:51I need to put a password in.

3:45:51 > 3:45:53You think, "Password - great security."

3:45:53 > 3:45:55Unfortunately, the password on these kettles is,

3:45:55 > 3:45:57believe it or not, six zeros.

3:45:57 > 3:45:59Once I connect to it, all I have to do is send one command,

3:45:59 > 3:46:02- and I can retrieve your wireless network encryption key. - No!

3:46:02 > 3:46:05That's the key that secures all of your traffic on your Wi-Fi network.

3:46:05 > 3:46:08So if I was a malicious hacker on your network,

3:46:08 > 3:46:12I can now intercept everything you do on your home wireless network.

3:46:12 > 3:46:15Online banking, your social media -

3:46:15 > 3:46:17everything you do, we can see,

3:46:17 > 3:46:19because we've got your wireless network key.

3:46:19 > 3:46:21I can see a thermostat over here.

3:46:21 > 3:46:24I think I have something similar in my house.

3:46:24 > 3:46:27What's the problem with a wireless thermostat?

3:46:27 > 3:46:29Unfortunately, we found some pretty shocking security

3:46:29 > 3:46:32on some brands of Smart thermostat.

3:46:32 > 3:46:34This one we managed to actually hold it to ransom.

3:46:34 > 3:46:37So just like you've heard with the NHS ransomware issue,

3:46:37 > 3:46:40holding critical devices to ransom, actually,

3:46:40 > 3:46:43we've found you can even hold your SmartStat to ransom,

3:46:43 > 3:46:47- to lock you out of heating unless you pay cash. - So...

3:46:47 > 3:46:49That would be quite unpleasant, but in the end,

3:46:49 > 3:46:51surely you just take it off the wall and reset it.

3:46:51 > 3:46:53I'm not so worried about that.

3:46:53 > 3:46:56What I'm more worried about is actually taking control

3:46:56 > 3:46:58of lots of Smart thermostats.

3:46:58 > 3:47:00Imagine you've got several hundred thousands of these

3:47:00 > 3:47:03and someone finds a way to compromise them, which we have.

3:47:03 > 3:47:06They could switch them on and off, synchronously.

3:47:06 > 3:47:08You can create unexpected power spikes

3:47:08 > 3:47:10using people's thermostats.

3:47:10 > 3:47:14So, in theory, you could knock out the grid on a bad day,

3:47:14 > 3:47:15if you wanted to.

3:47:15 > 3:47:17So, I mean, that's fascinating and terrifying.

3:47:17 > 3:47:20This is not about what it does to the individual.

3:47:20 > 3:47:23This is about what it might do to an entire nation's power grid.

3:47:23 > 3:47:24Damn right.

3:47:24 > 3:47:27Imagine you were a foreign power and you wanted to soften up

3:47:27 > 3:47:29a country on a particular day.

3:47:29 > 3:47:32I don't know, maybe an election day. You knocked out the power.

3:47:32 > 3:47:35That's going to influence the outcome of an election.

3:47:36 > 3:47:37All right.

3:47:42 > 3:47:46The internet of things has also arrived in health care.

3:47:46 > 3:47:49Devices that regulate drug dosages

3:47:49 > 3:47:52can now be operated over the internet,

3:47:52 > 3:47:56and some of the latest pacemakers are controlled by Bluetooth.

3:47:56 > 3:48:01A recent study revealed that there might be thousands of exploits.

3:48:01 > 3:48:05Do you think this fundamentally limits how useful

3:48:05 > 3:48:08the digital revolution might be in health care?

3:48:08 > 3:48:10Well, I think we've got things out of step.

3:48:10 > 3:48:14I think we've got amazing technical advances,

3:48:14 > 3:48:16fantastic technological steps forward, which are brilliant,

3:48:16 > 3:48:18which allow us to do cool stuff,

3:48:18 > 3:48:20that allows us much better diagnostics - brilliant.

3:48:20 > 3:48:23But we've got that out of step with the security.

3:48:23 > 3:48:24We're in a catch-up game.

3:48:24 > 3:48:28Once the security has caught up with the technological advances, great -

3:48:28 > 3:48:30we get fantastic medical benefits.

3:48:30 > 3:48:33But until then, it's all a little bit dangerous to me.

3:48:41 > 3:48:43We can't go back to the Stone Age.

3:48:43 > 3:48:46We need digital technology and all of its promise

3:48:46 > 3:48:49to push back the frontiers of medicine,

3:48:49 > 3:48:51so we have to learn how to protect ourselves.

3:48:51 > 3:48:53But there is hope.

3:48:53 > 3:48:56Hope, because there are people on our side in this fight.

3:48:56 > 3:48:57We've met some of them.

3:48:57 > 3:49:00Hope too because of all professions,

3:49:00 > 3:49:03medicine should be able to learn how to deal with this,

3:49:03 > 3:49:06because this is the feat of host immunity -

3:49:06 > 3:49:10of taking the hit from an infection, recognising it,

3:49:10 > 3:49:14and then continually evolving your defences until, eventually,

3:49:14 > 3:49:16you're impervious.

3:49:16 > 3:49:19Hope as well because, despite reports,

3:49:19 > 3:49:21the NHS never stopped.

3:49:21 > 3:49:25Yes, parts of its network were severely affected,

3:49:25 > 3:49:28but it kept doing what it always does.

3:49:28 > 3:49:32If the last few terrible weeks have taught us anything,

3:49:32 > 3:49:36it's that the NHS can take whatever you throw at it.

3:49:36 > 3:49:38It has a plan, it will learn

3:49:38 > 3:49:41and it will be ready for the next time.