Don’t be held to ransom: identifying exposure to WannaCry and ‘Petya’


Ransomware is in the news again this morning as another attack has hit major organisations around the world. This strain of the virus, being dubbed “NotPetya” by Kaspersky Lab, has even infected the Chernobyl power plant’s cooling system, say the BBC.

This follows another ransomware attack last month, where hundreds of thousands of computer systems and millions of users were affected by the WannaCry ransomware. Exploiting a flaw in the Microsoft Windows operating system, the malware locked users out of their system and demanded a Bitcoin payment to regain access.

While Microsoft had published patches for the vulnerabilities in March 2017, it took just one vulnerable machine to receive and spread the infection – the worm within both the WannaCry and Petya ransomware enables it to spread to other machines on the same network.

>See also: Multiple firms hit by major global cyber attack

Even those companies with established security update procedures in place were at risk, as machines that hadn’t been connected to the corporate network for some time were often left unpatched.

While the initial WannaCry storm has passed, one cybersecurity expert pointed to how once “the pain stopped, and many organisations did not complete patching their Windows. This shows the day-to-day fire drill that many IT teams work under and the reality that patching in many organisations is hard. Once they heard that WannaCry was stopped they moved on to other more pressing work.”

Many organisations were still in the process of patching when the NotPetya ransomware struck, which exploits the same vulnerability in Microsoft Windows. As we have seen, many organisations didn’t have the capacity or the visibility to patch all vulnerable versions of

Microsoft Windows leading to their exposure to this most recent attack.

Pushing out a patch is no mean feat in large organisations. IT teams can only patch those systems that they are aware of. More challenging still, how do they know if the machine has been restarted and the patch has even been applied? 

Understanding the extent of the risk

If there were ever a case to demonstrate how critical it is that organisations have visibility of the entire IT environment – with all the operating systems, software and SaaS solutions that are running  – these recent ransomware attacks is it.

With one vulnerable machine potentially leaving entire networks exposed, it is essential that organisations are able to account for all devices running the vulnerable operating system. For companies with extensive networks, this is no mean feat.

>See also: Ransomware attacks will continue to rise

At our UK customer event earlier this month, one Software Asset Management (SAM) manager explained how, as the wider IT team went into crisis mode to ensure that all devices were patched, the CIO stated that there were X number of computers running the Microsoft operating system that needed to be patched. The SAM manager was thankfully able to identify that the total number of machines running the operating system was in fact double, which enabled the company to effectively reduce its exposure.

Even once the machines running the vulnerable version of Microsoft are identified, IT and security managers often have no insight into whether the patch has been applied. When pushing out patches, devices often need to be restarted for the update to go ahead. Even if company-wide emails are sent instructing all users to do so, too often these emails are missed or ignored, and the message explaining the importance of restarting machines is lost.

Therefore, it is essential that IT teams have visibility into not only which machines are immediately at risk, but also those where users have unknowingly left their machines unpatched and unsecure. A good solution such as Snow can provide that crucial visibility so that IT teams can understand:

  • What machines on the network had been patched
  • What machines have had the SMBv1 communication protocol disabled
  • If a computer had been inventoried by a specialised script (that identifies the reach of the patch) – or not.

IT teams with the greatest intentions can leave their organisations vulnerable through one forgotten machine.

>See also: WannaCry is alive and well, and still causing massive problems

Visibility is key

Vulnerabilities are pervasive in software and operating systems, with Risk Based Security’s VulnDB database publishing 4,837 software vulnerabilities in the first quarter of 2017 of which more than 35 per cent had either publicly available exploits or enough information was available online about them to make the flaws easily exploitable. Software vendors are constantly producing patches for these known vulnerabilities. However, it’s down to individual organisations to ensure that the patch itself is applied.

IT teams need to ensure that they have full visibility into the software and operating systems deployed across the entire IT environment, so when patches are published by large vendors, IT managers can be confident that they are patching all vulnerable machines – not just those that they’re aware of.

After the WannaCry and NotPetya attacks, it’s clear that IT teams must achieve full visibility of their entire IT environment, so that patches can be effectively rolled out and reduce their risk ahead of the next ransomware outbreak.


By Erik Särnbrink, Head of Research & Innovation at Snow Software


The UK’s largest conference for tech leadership, Tech Leaders Summit, returns on 14 September with 40+ top execs signed up to speak about the challenges and opportunities surrounding the most disruptive innovations facing the enterprise today. Secure your place at this prestigious summit by registering here

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics