WannaCry and MalwareTech: Critical lessons for university students

On Friday 12th May, 2017 a massive ransomware cyber-attack struck nearly 100 countries around the world, including Russia, China, India, Ukraine, Spain, France and the UK. The attack was totally indiscriminate in nature. It struck at individuals, small businesses and even large well-established organisations like the UK National Health Service (NHS), Spain’s largest telecommunications provider, Telefonica, and the French carmaker Renault. Worldwide, governments scrambled to find solutions to this attack. Here in the UK, an emergency COBRA meeting was hastily convened. COBRA is the British Government’s emergency response committee, set up to respond to a national or regional crisis.

By evening, however, a 22-year-old going by the online name MalwareTech had found a solution that brought the rampaging ransomware to an abrupt halt. In so doing, MalwareTech moved from obscure anonymity to global fame. It was now the journalists’ turn to discover who this previously unknown expert could be. Sure enough, the hero’s name was soon all over the British media, and in no time packs of journalists from all over the world were besieging his doorstep in Ilfracombe, a remote seaside village in North Devon, England. For the entire weekend, and most of the following week, MalwareTech became a household name, the toast of social media, and a topic of conversation in local pubs – everywhere, that is, except in the hallowed corridors of higher education.

The media love simple, high-impact, easy-to-digest headlines, and they delivered just that in this case. The Telegraph ran with the headline “British 22-year-old jumped around in excitement after finding way to stop global cyber attack”; the MailOnline opted for “British cyber whiz hailed ‘accidental hero’ after stopping global virus”; and the Sun went for “NHS HACK HERO The NHS cyber attack hero Marcus Hutchins is a 22-year-old Brit computer genius who was once expelled from school for hacking.” What stuck in the public imagination were the term “accidental hero”, MalwareTech’s relative youth, his affinity for pizza, and the fact that he is self-taught. I beg to differ. MalwareTech is no accidental hero, but an accomplished professional, and it is well worth learning from him.

In this article I discuss some of the key aspects that I think have played a significant role in establishing MalwareTech as an expert in the field of cybersecurity. All these aspects are part of the bouquet of skills that hardline computing and engineering aficionados in universities up and down the country derisively call “soft skills”. Clearly in MalwareTech’s world, these are not “soft skills”, but critical professional skills that underpin their expertise in cybersecurity.

  1. Take charge and invest in your own learning

Most students are dependent on teachers and lecturers to develop their own understanding of a subject area, and only pay lip-service to the advice that they should take responsibility for their own learning. Not so with MalwareTech. From the various newspaper coverage, it is apparent that MalwareTech has invested significantly in his own learning. He has built a state-of-the-art computer security lab in his own room.

MalwareTech’s professional blog site suggests that he has been actively involved in cybersecurity since he was at least 18, or possibly earlier. His solution to the ransomware problem is not nearly as accidental as the newspapers put it. His blog, including the particular blog post in which he announced the solution to stop the ransomware, shows clearly that MalwareTech has built up a repertoire of expertise and contacts over the past few years. It is this expertise and contacts database that made it possible for him to find the solution which the whole world was looking for.

  2. Be part of a community of practice

Even though MalwareTech lives in a remote location, he is not a hermit. He is well-connected with the cybersecurity community across the world. A look at his blog posts shows that he engages in ongoing debates with colleagues around the world. Apart from maintaining an active presence on social media, MalwareTech also attends cybersecurity conferences, including DEFCON, the world’s largest annual convention for internet hackers.

  3. Engage in Peer Learning

In his blogs MalwareTech discusses what he is doing, and takes on board comments from respondents. In educational terms, we can say that MalwareTech and his colleagues are using social media to engage in peer learning with the clear objective of furthering their understanding of a rapidly evolving technical field.

A look at his blog site indicates that some of MalwareTech’s articles are clearly intended to share views with colleagues whose expertise is comparable to his own. Invariably, his postings lead to technical debates in the blog comments section, as well as on Twitter.

  4. Share your expertise with novices and non-experts

Many students shy away from sharing their knowledge with, or teaching, colleagues who also want to build up their expertise in their professional area. A look at MalwareTech’s blog shows a number of blog posts clearly intended for novices and non-experts. These include blog posts like Automatic Transfer Systems (ATS) for Beginners, How Cerber’s Hash Factory Works, and a three-part series on Bootkit Disk Forensics.

Just to underscore his immense contribution to his professional community, a grateful novice had this to say:

Thanks for posting. I am following this bootkit series with interest to educate myself in methods to enumerate the device stack and find all function offsets.

  5. Be part of a team, and collaborate

Throughout the whole process of working out a viable solution, he worked closely with other colleagues, as the following quotes from his blog post indicate:

I was quickly able to get a sample of the malware with the help of Kafeine, a good friend and fellow researcher.

A few seconds after the domain had gone live I received a DM from a Talos analyst asking for the sample I had which was scanning SMB host, which I provided.

I contacted Kafeine about this and he linked me to the following freshly posted tweet made by ProofPoint researcher Darien Huss, who stated the opposite.

So why did our sinkhole cause an international ransomware epidemic to stop? Talos wrote a great writeup explaining the code side here, which I’ll elaborate on using Darien’s screenshot.

MalwareTech never went to university, and in our modern-day world, with its obsession with academic credentials, it is tempting to cast him aside as a one-time wonder kid. But we will be missing the point if we do so. As I highlight in this article, MalwareTech has ably demonstrated the importance of what we in the universities refer to as “soft skills” or “employability skills”. As MalwareTech demonstrates, in the cold light of professional practice, these skills are, in reality, critical skills that every aspiring professional needs to master, regardless of whether they choose to go to university or not.
