Malware Ransomware Hacking

What happened at WPP – a hacker's insight


By Lisa Lacy, n/a

June 27, 2017 | 5 min read

‘This is evolution, not revolution’

The cyber attack at WPP was likely a drive-by or an email campaign.

The cyber attack at WPP was likely a drive-by or an email campaign.

As havoc unfolds at WPP in the wake of an alleged cyber attack, reportedly impacting agencies like GroupM, MediaCom, JWT and Y&R, The Drum talked to the hacker known as RSnake to get his perspective.

RSnake said he doesn’t think WPP was targeted directly, rather it was hit with a drive-by, in which someone inside the WPP network became infected after visiting a website and downloading something, or there was an exploit in the browser that forced execution and it spread to the main controller. From there, the rest of the company – or someone at WPP simply clicked on an email, which downloaded malware.

That’s right: Just one person can cause all of this.

And while RSnake said the motivation “could be anti-American in some bizarre way”, he thinks it is 100% financial, adding this isn’t the start of something bigger, but rather the status quo as hackers get better and better, and their work is more difficult to reverse engineer.

“This is evolution, not revolution,” RSnake said.

What now?

In response to ransomware, RSnake said companies like WPP have three options:

  1. Rebuild from scratch
  2. Use backups if they exist
  3. Pay the ransom

RSnake called the third option “incredibly dangerous” because companies may end up paying for nothing, but also because they are “basically helping out a bad guy”.

And while he said backups are the #1 response, he said it’s also about making sure companies have their domain controllers completely locked down. Domain controllers are the machines inside of large networks that determine who is allowed to log in to what and if it gets compromised, it can execute commands on any machine in the network.

“Protecting the domain controller will help prevent rapid spread across the entire internal network,” RSnake added.

Another option: Hire hackers.

“I’ve taken out pretty much everything, or, if I haven’t, I know the guy who did,” RSnake said. “Guys like me can very easily walk into that network if we can spot that flaw.”

But RSnake noted hackers for hire work at what are actually called penetration testing companies.

“It’s certainly best practice to have someone who does this for a living look at your system,” RSnake said. “This is a huge industry – a multi-billion dollar industry. Penetration testing firms can help identify where the flaws in your architecture are, if people are vulnerable to drive bys [or there are] issues in the email system that allow malware to traverse… [they know about things like] password integrity and second factor authentication… [and can] limit an attack’s ability to move around. It’s definitely a very good idea to bring in someone who understands this stuff.”

‘I don’t think this is the Cyber 9/11’

And while this is a day WPP will likely rue for a long time, RSnake said this is “another example of bad things happening and people will scramble for a few days and some changes will be made and we will be a little more secure, but I don’t think this is the Cyber 9/11 or the Cyber Pearl Harbor”.

But RSnake also noted there aren’t many people with a totally holistic understanding of security, which includes physical security, browser security, mobile security, etc, and this is why companies need entire teams to protect themselves.

“There is a huge skills gap compared to the need. We’re [not] going to fill that skills gap any time in the super near future – the way to do that is automation,” he said. “As many things that a human can do, [you can] get a computer to do that for you. There’s a big push for AI and machine learning to identify the same kinds of things that a guy like me would find.”

And AI in security is “definitely growing fast”, he added.

In addition, RSnake said security is an ongoing effort, which is also why automation is valuable.

“Security isn’t a thing you do once and call it a day. You basically do it all the time," he said. "You can get a human being to test the network and they might do an insanely good job in finding all the nooks and crannies, but they only do it that once.

"If you have 1000 websites because it’s a big company, let’s say each one takes an hour – that’s 1000 hours and there are only 2000 man hours in a year – best case, they might get to it twice, which is not cutting it. You have to have a computer to speed up that process so you’re at least getting some coverage where a human is not touching it.”

Malware Ransomware Hacking

More from Malware

View all


Industry insights

View all
Add your own content +