PwC responds to the WannaCry ransomware attacks

Cybersecurity expert offers threat intelligence projections as well as immediate and strategic risk management measures

Hong Kong, 17 May 2017
- The global outbreak of the ‘WannaCry’ ransomware has affected a significant number of organisations world-wide since Friday, 12 May. Based on PwC’s analysis, the main infection vector is via unpatched remote code execution vulnerabilities in the Microsoft Windows implementation of the Server Message Block (SMB) protocol, although it is possible that the malware is also spreading via email attachments.

In response to the event, a PwC subject matter expert has offered new insights into the attack, threat projections and security measures that could minimise the impact of future malware attacks and contain financial losses:

Comments from Marin Ivezic, Partner, Enterprise Resilience, Cybersecurity & Privacy, PwC Hong Kong:

- The rapid and prolific distribution of the WannaCry campaign is unprecedented, exploiting vulnerabilities in unpatched Microsoft Windows operating systems. 

- The reasons why the WannaCry campaign was so successful and harmful is because of its ability to infect any accessible vulnerable systems within the same network, or even randomly on the Internet without requiring any action from the victim, as has been the case in all major ransomware attacks to date.

- The WannaCry campaign was so successful in its ability to spread because it effectively combined several malicious pieces of code – the WannaCry ransomware, EternalBlue exploit and DoublePulsar backdoor.

- The cyberattack proved proof of concept for a new approach to automated malware distribution. It is almost certain that cyber criminals will increasingly start using this approach. They will use similar exploits to bundle other types of malicious payload and attack at greater speed and scale, with potentially greater harm. Future waves of attacks could do further damage, such as stealing data or crippling business operations. There are already some initial reports of other exploits being prepared by cyber criminals to replace EternalBlue once it becomes ineffective.

- Attempts to spread their malicious payload automatically and at the WannaCry scale will become the new business-as-usual for cyber criminals.

- The ShadowBrokers hacking group that originally released the EternalBlue exploit used in the WannaCry cyberattack, has announced regular releases of new exploits starting from June. This further confirms our threat projection that attacks such as WannaCry, which uses wormable exploits, might soon become a norm.


Immediate actions

- To remediate the impact of WannaCry or reduce immediate risks, organisations should follow the advice of their Computer Emergency Response Team (CERTs), Information Sharing and Analysis Center (ISACs) and other reliable sources. Over the last few days, a few key immediate best practices have been defined and widely disseminated.

- In addition to these widely circulated immediate steps, organisations should keep in mind that the WannaCry campaign also deploys the DoublePulsar backdoor on infected machines that could offer attackers full control of the system even after encrypted files are decrypted and the system is restarted. Organisations should re-image all infected systems even if the files were successfully decrypted.

-  In light of recent reports of the next wave of exploits already being primed by cyber criminals, we recommend organisations to monitor externally-facing Windows systems with open SMB and RDP ports and confirm that vulnerabilities from the list below are patched or not applicable:

  • “EternalBlue” Addressed by MS17-010;
  • “EmeraldThread” Addressed by MS10-061;
  • “EternalChampion” Addressed by CVE-2017-0146, CVE-2017-0147;
  • “ErraticGopher” Addressed prior to the release of Windows Vista;
  • “EskimoRoll” Addressed by MS14-068;
  • “EternalRomance” Addressed by MS17-010;
  • “EducatedScholar” Addressed by MS09-050;
  • “EternalSynergy” Addressed by MS17-010;
  • “EclipsedWing” Addressed by MS08-067.

- If running Windows 2003 or Windows XP be on the lookout for “EsteemAudit” related out-of-support patches from Microsoft and apply other approaches to secure RDP connections.


Strategic actions

Security patching

The global scale of the attack is a powerful reminder for organisations to install security patches rapidly. Timely and rigorous patching continues to be one of the more operationally intensive activities for security. This is often overlooked due to the strain on cost and resources. As organisations face cyber threats of growing sophistication, improving security patching practices must be a priority investment to reduce vulnerabilities.

- China /Hong Kong respondents have reduced cybersecurity spend in 2016 (USD 7.3m), a reduction of 7.6% compared to 2015 (USD 7.9m). This comes after substantial budget increases in 2015, while cyber security budgets for global companies stayed flat in 2016.

Source: PwC’s Global State of Information Security® Survey 2017 (GSISS)



One of the lessons learned from the WannaCry campaign is that many organisations still do not back up systems regularly, if at all. This poor cyber hygiene is especially true regarding PCs. Mature backup and restore practices can significantly reduce impacts of ransomware campaigns such as WannaCry.



Where feasible, organisations should consider adopting virtualisation solutions that would allow rapid restoration of systems back to known clean state, if infected.


Network segmentation

Another widespread security deficiency that came to light with the WannaCry campaign, and that appears to be particularly prevalent in Hong Kong and China, is the use of flat networks. Networks of many organisations are structured in a single flat network which allows a single infected machine to in turn infect all other systems in the network. PwC advises organisations to apply industry practices and

segment the networks appropriately based on the organisational structure and/or the value of data in order to reduce the ability of malware to spread within the network and reduce malware impacts.


Competitive risk factors

In today’s competitive and connected market place, it is increasingly difficult to rule out cyberattacks motivated by competitors. In Asia, threat sources in China and Hong Kong are more likely to be attributed to competitors compared to the global average, according to PwC’s GSISS 2017.

PwC observed in the past the rapid adoption of new cyber threats by determined competitors buying cybercrime services in the cybercrime underground and targeting specific companies in the region. They are sometimes supported by paid insiders.

PwC advises organisations not to rely on just closing external doors (i.e. SMB and/or RDP ports) to these new threats, but to keep in mind that determined attackers or insiders could try to infect the initial system from within the network.

- 34% of China/ Hong Kong respondents experienced security incidents attributed to competitors –  markedly higher than the global average of 23%.

Source: PwC’s Global State of Information Security® Survey 2017 (GSISS)


Contact us

Julia In
Tel: +[852] 2289 8687

Follow us