WannaCry: Five Years Later

This blog was originally published by BlueVoyant here.

Ransomware remains a big issue — what have we learned since and lessons for the future

It may be hard to believe, but five years after WannaCry similar attacks are still happening. In fact, this past January WannaCry was the top most detected ransomware. It is important to note detections do not mean that organizations were actually infected.

What Happened?

On May 12, 2017, there were more than 45,000 attacks attributed to WannaCry around the globe, including China, Egypt, India, Italy, Russia and the United Kingdom. It gradually spread to the U.S. and other regions, but Europe was among the hardest hit. Instead of a targeted attack, the malware advanced far and wide.

WannaCry was one of the first times everyday citizens saw the effects of a cyber attack. The offensive cost the U.K.’s National Health Service (NHS) nearly £100 million and led to 19,000 appointments being canceled. Though the NHS was not specifically targeted, it was caught in the crosshairs and suffered major losses.

First discovered by the National Security Agency (NSA), WannaCry was believed to have exploited a Microsoft Windows vulnerability. The attackers, part of the Lazarus Group, had ties to North Korea, and in February of 2021 three programmers were indicted by the U.S. government.

At the time of the attack, a patch existed that could have prevented WannaCry, but many organizations had not yet installed it.

What Have We Learned?

Five years later, WannaCry remains active. By the same token, some companies still have parts of their network exposed to the internet that should not be, making them vulnerable to attacks similar to WannaCry.

Victims are still plagued by one of the core exploitation vectors that WannaCry used to exploit organizations and proliferate, but now via new ransomware and malware families.

Organizations still need to look at what is externally open to the internet, and close external-facing ports and protocols, specifically around the Server Message Block (SMB). SMB is a Windows communication protocol for shared access to files and printers on a network.

Analysis

In addition, the WannaCry anniversary emphasizes that ransomware compromises have increased exponentially, despite massive media attention.

Given the significant coverage, both technical and high level, much of the industry anticipated it would prompt organizations to take real defensive action. Yet over the past five years, BlueVoyant Threat Intelligence has witnessed ransomware actors use near-identical methodologies (and in many instances identical tooling) to accomplish their mission.

How to Protect Your Organization

As mentioned above, SMB is a Windows communication protocol for shared access to files and printers on a network.

Another important action is to regularly patch your systems. While this is not always an easy task, it is extremely important and could have prevented organizations from getting infected with WannaCry.

Organizations need to focus on minimizing potential attack vectors by understanding how their systems are accessed and the functions they provide. From this perspective, organizations can place controls around identified risks such as allowing deprecated protocols for backward compatibility of legacy systems.

If nothing else, WannaCry’s five-year anniversary should serve as a bullish reminder to those organizations that have not taken defensive measures. More than anything, it shows there’s still work to be done.