Monday May 22 2017

WannaCry: A health check for businesses?

Rahul Powar, founder and CEO of OnDMARC, takes a look at the WannaCry ransomware attack and what organisations can learn from it

Broken records are rarely a positive thing in the cybersecurity world. Earlier this month, in a matter of hours, thousands of people who had never heard of ransomware had become uncomfortably familiar with the largest ransomware attack in history.

Over 70 countries have been hit with WannaCry. At its core, it works in the same way as any other ransomware attack; it encrypts the contents of infected machines – in this case, those running a particular version of Microsoft Windows – and demands bitcoin payment in return for unlocking the file system and restoring access to the encrypted files.

But what has made WannaCry so successful? And what can it teach organisations about preparing better for the next generation of attacks?

How did this happen?

On April 14th, 2017, a group called the Shadow Brokers dumped a set of internal software tools from the NSA. These are tools that nation states create or purchase to exploit weaknesses in standard software used by individuals and corporations worldwide – all part of the ongoing digital arms race.

Somehow – and it’s unclear exactly how – the Shadow Brokers had managed to access some of these tools and posted them freely online – think of it as someone making off with weapons-grade plutonium and just giving it away.

Three groups of exploits were included in the dump. One group was a collection of documents and top secret PowerPoint presentations. One group related to data from the SWIFT payment network – you might remember the extraordinary Bangladesh Bank heist from last year, which exploited weaknesses in the same system.

Finally – and most interestingly – the last group consisted of a package of exploits for Windows machines. Some of these exploits had never been seen before, and cybersecurity researchers immediately braced themselves for a new spate of attacks that capitalised on them.

Creating WannaCry

Enter WannaCry, which uses an exploit from the trove codenamed ETERNALBLUE & DoublePulsar to rapidly infect Windows machines on a network.

Microsoft actually released MS17-010, a security update to fix that particular vulnerability, before the NSA hacking tools were released to the public. However, as per standard commercial practice, the update was only released for the firm’s currently supported operating systems. Anyone running an older operating system – or being a bit lackadaisical about their software updates – remained unprotected.

The kill switch

However, as the infection broke, a “kill switch” was discovered. A kill switch is often used to ensure that the creator has some control after the infection is out in the wild. At the very least, they typically want to ensure they can control it while they are actively creating or testing the malware so they do not demolish their own computers. In this instance, the kill switch was discovered to be a website that the ransomware would check before it activated itself on an infected machine. Security researchers quickly purchased the domain and it stopped computers that had internet access from further infection. Meanwhile, Microsoft worked on releasing patches for the older, unprotected operating systems to stem the tide.

Problem averted, then? Not really. New versions of the ransomware have already been developed and released – and these feature different kill switches – or even no kill switches at all.

Back to basics

The process of breaking through an organisation’s firewall requires an initial backdoor into the system – and here, WannaCry used the oldest trick in the book. Phishing emails got the worm onto “patient zero” within a network – because too many organisations still have woefully inadequate email protections in place.

DMARC, for example, a tool that detects and prevents email spoofing, has been described by the National Cyber Security Centre (NCSC) as a fundamental security protection. Yet a recent review of domains belonging to around 200 NHS authorities and trusts revealed that just one has implemented DMARC – and even that is in the initial ‘reporting’ mode and receives no active protection from it.

In short, our hospitals are not only running unpatched, unsupported installations of the Windows operating system, they have practically no defence against other email-borne threats.
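The difference between a DMARC record in ‘reporting’ mode and one that actually blocks spoofed mail is visible in the published DNS TXT record itself. The following is an added example, not part of the original article or any OnDMARC code: a small Python audit that parses a record and reports its posture. The function names and the sample records are constructed for illustration, and the strict rejection of malformed records is an assumption suited to an audit.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split a DMARC TXT record into a {tag: value} dict (RFC 7489 tag=value; syntax)."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("not a DMARC record: must start with v=DMARC1")
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags.setdefault(name.strip().lower(), value.strip())  # first occurrence wins
    return tags

def assess_dmarc(txt):
    """Classify one record; raises ValueError if it cannot be used (audit assumption)."""
    tags = parse_dmarc(txt)
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        raise ValueError(f"missing or invalid p= tag: {policy!r}")
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to the value of p
    pct = int(tags.get("pct", "100"))            # pct defaults to 100
    if not 0 <= pct <= 100:
        raise ValueError(f"pct out of range: {pct}")
    if policy == "none":
        posture = "reporting-only"       # receivers report but still deliver spoofed mail
    elif pct < 100:
        posture = "partial-enforcement"  # policy applied to only pct% of failing mail
    else:
        posture = "enforcing"
    findings = []
    if "rua" not in tags:
        findings.append("no rua= address, aggregate reports are not collected")
    if policy != "none" and sub_policy == "none":
        findings.append("sp=none leaves subdomains unenforced")
    return {"policy": policy, "pct": pct, "posture": posture, "findings": findings}

# Constructed sample records (example.org is a reserved documentation domain).
SAMPLES = {
    "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "rollout": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.org",
    "enforced": "v=DMARC1; p=reject; sp=none",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(label, assess_dmarc(record))
```

In practice the record is the TXT value published at `_dmarc.<domain>`; only a `quarantine` or `reject` policy applied to all mail gives the active protection the article refers to.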

What next?

WannaCry and its newly forming variants are still spreading and organisations need to clean up. Some variants appear to be dormant but replicating, so it is safe to say that the true extent of the problem, as yet, is underreported.

US-CERT, the American Computer Emergency team, has been updating an alert on WannaCry and provides a section for Solutions and Recommended Steps for Prevention. It has made a number of recommendations – two of which, in my view, stand out as basic, actionable measures. First, upgrade your system with the latest Microsoft patches to stop the spread. Second, implement technology such as DMARC to prevent email spoofing and start reducing exposure to phishing.

Traditionally, DMARC has been complicated and expensive to deploy – potentially why the NHS has been so slow to get on board – but new cloud-based services are making it both faster and more cost-effective to implement.

No magic bullet

Even the US-CERT recommendations are by no means a magic bullet defence against threats like WannaCry. The reality is that email protection and recently patched operating systems are just two parts of a complex system of security tools and processes that need to be in play within organisations today.

Cybersecurity is now part of the cost of doing business, not just a procedure to be invoked when things go wrong. It’s the difference between treatment and vaccination — when possible, prevention is far preferable to cleaning up after the epidemic. This should be a wake-up call for businesses, governments, regulators and ordinary citizens alike.

"Business should implement technology such as DMARC to prevent email spoofing and start reducing exposure to phishing"
Rahul Powar
