It’s been five years since the WannaCry ransomware attack spread like wildfire, encrypting hundreds of thousands of important and high-profile systems.
More than 200,000 devices across 150 countries were encrypted in just 24 hours on May 12, 2017, according to Digital Shadows. After files were encrypted, a ransom note appeared on compromised devices with a ransom of $300-600, albeit less than the average ransom demands at the time.
Several organizations were affected by the attack, including thousands of NHS hospitals and surgeries, leaving people in need of urgent care. The attack had a substantial financial impact worldwide, with Symantec estimating that WannaCry caused approximately $4 billion in damages.
Five years later, the techniques, tactics and procedures of ransomware groups have continuously evolved. However, several commonly exploited attack vectors remain, such as phishing, weak or stolen credentials, insecure remote access, and software vulnerabilities.
Ransomware attacks also continue to make headlines and severely disrupt businesses and operations. The Cybersecurity and Infrastructure Security Agency reported in February 2022 that it is aware of ransomware incidents against 14 of the 16 U.S. critical infrastructure sectors.
But it’s not only that ransomware attacks have increased. Ransoms — both demands and payments — continue to go up, Unit 42 research revealed. Among the incident response cases reviewed in 2021, the average ransom demand topped approximately $2.2 million, representing a 144% increase from the average demand of $900,000 in 2021. The average payment from 2021 cases rose to $541,010 – 78% higher than the previous year.
Ransomware continues to be one of the most significant cybersecurity threats facing enterprises in 2022. Five years in, what was the impact, the lessons learned, and how can security leaders effectively combat ransomware attacks to prevent another WannaCry incident? Seasoned cybersecurity experts comment and offer takeaway lessons that still hold true today.
Matthew Warner, CTO and Co-Founder at Blumira:
Ransomware is a major focus for organizations today, but that wasn’t always the case. The WannaCry attack was arguably the first big uncontrolled outbreak of ransomware, and sparked real concern — as well as media buzz — that previous attacks hadn’t. WannaCry and its related offshoots, such as Petya (and NotPetya the wiper), helped organizations to realize the business impact of ransomware.
The time period around the WannaCry attack was tumultuous for defensive security. Most people remember that WannaCry was the first global shot across the bow for ransomware across the public, but it was not only exclusively driven by a leak of NSA hacking tools but also exposed a vulnerability in Windows that had existed since Windows 2000. In mid-2016, a group calling themselves The Shadow Brokers announced that they had stolen a large number of tools from an NSA-linked group called The Equation Group and would be auctioning them off. Over the next six months, The Shadow Brokers collected over 11 bitcoins and released a variety of information in tranches until April 2017, when they released a large number of new tools and exploits that contained ETERNALBLUE, a nation-state created SMB exploit, to the internet as a whole.
The technical impact of WannaCry has also lasted far beyond 2017. While Microsoft had released a patch for ETERNALBLUE in March 2017, many had not patched, and WannaCry utilized this exploit in May 2017 with great success. Unpatched MS17-070 can be found in internal networks with legacy applications today.
What WannaCry did was reinforce the need for evaluation of what the attack surface was for organizations. WannaCry was a reminder that exposing SMB to the internet was not necessary and helped ETERNALBLUE spread quickly. Similarly, WannaCry exposed the need for segmentation to prevent worms such as WannaCry from moving laterally across networks.
Most importantly, the need for better IT hygiene, processes to build up security maturity, and the desire to prevent ransomware all require additional budget and buy-in from the organization itself. In 2017, (ISC)² estimated that there would be a 1.8 million worker gap by 2022; in 2021, the actual gap reduced from 3.12 to 2.72 million people. The industry, tooling, and need for skilled people have grown quickly across the last five years as it has globalized and improved. There is forward motion on security maturity across all sizes of organizations, but as Log4Shell proved in 2021, there is more work to do as we all grow together.
Tim Wade, Deputy CTO at Vectra:
WannaCry was among the first widely publicized recent ransomware events that alerted even non-technical, non-practitioner stakeholders of how dangerous and damaging this threat could become. Second, the weaponization of WannaCry could be traced directly back to leaked nation-state toolkits, demonstrating that sophisticated adversarial tradecraft was increasingly becoming commoditized among lower-tier operators. This was something of a wake-up call to security programs that were interested in continuing the status-quo and underscored the need for more proactive security measures – the days of throwing up a firewall and calling that a security program had come and gone.
Ransomware today is perhaps better described as RansomOps, as it’s driven primarily by the modern, interactive tactics of human operators rather than the programmatic, semi-guided logic of a wormable payload like WannaCry. This is an important distinction to make because it informs the ways enterprises must defend themselves. In the cases of prior generations of ransomware, the time between infection and ransomware payload delivery was short, and the avenue of attack is somewhat predictable, which meant your security controls (often an endpoint capability of some sort) either cleaned up the mess on the spot, or you found out pretty quickly there was a problem.
Modern ransomware gangs, however, tend to lurk in the environment for much longer to extract as much value as they can, before finally alerting defenders to the compromise by encrypting or destroying data. This means dwell times of days or weeks before ransomware payloads go down are common — which in turn means that by the time you detect a ransomware payload, it’s often far, far too late.
The current state of ransomware today, from the standpoint of a modern network defender, is one that focuses on all of the attacker tradecraft that occurs before the ransomware appears, ranging from the detection of command and control signals to the identification of misused and abused credentials — it’s a race to find and expel the adversary before they establish the persistence necessary to pick apart the enterprise at their leisure.
Vincent D’Agostino, Head of Cyber Forensics and Incident Response at BlueVoyant:
Five years later, some companies still have parts of their network exposed to the internet that shouldn’t be, making them vulnerable to attacks similar to WannaCry. The fact is that organizations are still being plagued by one of the core exploitation vectors that WannaCry used to exploit organizations and proliferate, but by new ransomware and malware families. Organizations still need to look at what is externally open to the internet, patch, and close externally facing ports/protocols, specifically the use and exposure of Server Message Block (SMB). SMB is a communication protocol for shared access to files and printers on a network.
Organizations need to focus on minimizing potential attack vectors by understanding how their systems are being accessed and the functions they provide. From this perspective, controls can be placed around identified risks, such as allowing deprecated protocols for backward compatibility of legacy systems.
The anniversary of WannaCry emphasizes that ransomware compromises have increased exponentially since then despite having massive media attention around the issue. Given the significant coverage, both technical and high-level, much of the industry anticipated it would prompt organizations to take real defensive action. Yet, over the past five years, we have witnessed ransomware actors use near-identical methodologies (and in many instances, identical tooling) to accomplish their mission. The fifth anniversary should remind those organizations that have not taken defensive measures that there’s work to be done.
Davis McCarthy, Principal Security Researcher at Valtix:
Network segmentation, principles of zero trust, and defense-in-depth best practices [can] mitigate the damage from an attack like WannaCry. Many organizations learned that their loose security controls, lack of user permissions, and unfettered access to file shares by third parties greatly increased their risk of ransomware.
The North Korean government used the ransom payments from WannaCry to subvert economic sanctions. The fact that a government could generate revenue from a global cyberattack that hit banks, hospitals and even mom and pop shops set a new precedent for what was possible in cyberspace. The financial incentives from cybercrime had expanded to funding nation-states.
Years later, I am having the same conversations with clients, getting the same answers; the attack surface is unknown, and no one in IT knows what their vendors need access to or why, but they will get back to me when they find out. And despite WannaCry being sinkholed by the hard work of a security researcher, I occasionally see relics from the global compromise; an old device the IT staff never remediated gets powered up by someone in accounting, and it desperately tries to phone home to its old command and control server.
Stan Black, CISO at Delinea:
The 2017 WannaCry ransomware attack sent shockwaves globally, impacting hundreds of thousands of computers and devices and leaving billions in damages in its wake. Little did we know then that it was just the start of a rise in more sophisticated, widespread, and detrimental ransomware attacks. Since then, we have seen a steady stream of high-profile ransomware victims, along with a rise in the number of ransomware groups offering ransomware-as-a-service (RaaS).
WannaCry taught all organizations some important lessons. The main one is that no matter how much you spend on your defense mechanisms and protecting your perimeter, you can be exposed from within if your technology and systems are old, outdated, or left unpatched. Poor internal cyber hygiene leaves the door open for malicious actors.
As we look toward the future, there are several initiatives organizations can implement to limit their exposure to such threats. One is segmentation, essentially putting in place technical guardrails that separate one business function from another. This minimizes the unchallenged propagation of malicious actors and malware. Another best practice is to identify all critical assets that are most commonly targeted for attacks and perform frequent incremental backups if a system recovery is needed. Strong multi-factor authentication and privileged access controls are also obvious components.
Every user is now a privileged user with access to sensitive systems and data. Organizations should consider the least privileged approach to access, limited to only what is required for the job function or task. While it will not help increase operational readiness, organizations should also always be prepared for the worst-case scenarios with a cyber insurance plan in place to cover any losses.
Ransomware attacks continue to proliferate today. While the U.S. government and other federal agencies around the world work to implement measures to prevent ransomware attacks and prosecute those who partake in such activities, successfully mitigating ransomware attacks requires a host of combined initiatives. This includes implementing security controls founded in least privilege and zero trust, the creation of a security-first company culture and employee training, robust threat detection and response, a collaboration between public and private sectors, and most importantly, operating on the mindset that it is not ‘if’ cybercriminals will attack but when.
Ariel Parnes, co-founder and COO of Mitiga:
Five years later, how would the world respond to a massive attack like WannaCry? Are we more ready now to respond to a similar incident? As we know, patching vulnerabilities can be a time-consuming and complex process today, too — just look at the number of organizations that have yet to patch Log4Shell four months after it was announced. Not only that but patching alone isn’t enough to stop attackers. They may have already used a vulnerability to gain access to an environment, and too few organizations conduct regular proactive threat hunting.
To ensure that organizations today are prepared for a global cryptoworm like WannaCry, they need to think beyond prevention solutions. While those solutions are a valuable and necessary part of cybersecurity today, adopting an approach that prioritizes readiness and includes automation to accelerate incident investigation and resolution. Without a change in approach to address changing capabilities and attack vectors of threat actors, we are still as vulnerable as we were five years ago.
John Bambenek, Principal Threat Hunter at Netenrich:
The one thing that sticks out with the anniversary of WannaCry is that despite a land invasion in Ukraine by the Russian Federation, we haven’t seen a similar attack by Russia. They have a history of destructive malware attacks and now have the geopolitical impetus to launch them; we just haven’t seen it. The era of worms is not over, certainly, while our patching significantly lags the exploit development cycle. Log4j, for instance, shows we haven’t evolved much on getting systems, especially legacy or embedded/IoT systems, patched and hardened. Since then, ransomware has been top-of-mind for business leaders but considering the pace of news of companies falling victim to ransomware, I’m not sure much resilience has been increased in the general business community.