Five years on from WannaCry -- what have we learned?
Today marks the fifth anniversary of the notorious WannaCry ransomware attack which hit a number of large organizations around the world and was many people's first encounter with ransomware.
Five years on then, what have we learned from the attack and what long-term effect has it had on the industry?
Mikko Hyppönen, chief research officer at WithSecure says:
The WannaCry malware epidemic of spring 2017 was unique in the field of information security. This historic attack was one of the biggest of all time and destroyed hundreds of thousands of computers, almost exclusively targeting large corporations. Companies all over the world were infected: hospitals, car factories, power plants, train companies -- the list goes on.
While the impact was vast and its distribution wide, the attack did not succeed in its task. WannaCry's code was full of bugs, and ransom collection did not work properly. Paying the ransom did not restore the victim’s data, and knowledge of this spread quickly.
In the end, the North Koreans received only 60 bitcoins in their wallet, despite infecting more than 200,000 computers around the world. You could argue that this event shaped our 'modern' ideas of ransomware, forever providing a stark reminder of the constant battle security teams face and we hope an attack of this scale and magnitude is one which we never see again.
Paul Farrington, chief product officer at Glasswall says, "Since the events of WannaCry in 2017, the threat landscape has changed dramatically. In 2017, the ransomware payload was delivered through a critical vulnerability of Microsoft Windows systems -- rather than email or phishing as is often the case. Any organisations that hadn't yet patched for this specific vulnerability were left unprotected against the spread of the ransomware. However, despite the increased awareness to patch regularly since WannaCry, new risks are constantly emerging. Zero-day vulnerabilities do not have patches available and can evade detection from anti-virus tools for as many as 18 days after they are exploited."
Neil Jones, director of cybersecurity evangelism at Egnyte, echoes this view, "Without adequate preparation, disruptions are highly likely to recur. For years, we've realized how vulnerable global organisations are to potential attacks, but many of our concerns were dismissed as Fear, Uncertainty and Doubt (FUD). WannaCry was a pivotal event that spotlighted key shortcomings in public and private sector infrastructure security, and organisations always need to remain vigilant to stay one step ahead of cyber-attackers."
Marc Woolward, CISO at vArmour believes WannaCry marked a significant turning point, "WannaCry was the headline that marked the transition from simple ransomware to what I call 'advanced persistent ransomware', where a lateral movement stage wreaks enterprise-wide damage in contrast to the (then) more common compromise of a single system and its mounted drives and data. During WannaCry we saw up close the value of risk observability, detecting changes from a system's baseline behavior, in detecting and halting the spread of ransomware. In one critical infrastructure instance we were involved with, it was literally the difference between a contained minor outbreak and a major enterprise-wide incident."
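An added illustration of the baseline-deviation detection Woolward describes, written for this edit rather than taken from the article or from vArmour: it flags a host whose count of distinct internal peers contacted on TCP/445 (the SMB port WannaCry's worm component used to spread) in one time window jumps well above that host's own historical baseline, which is what a worm scanning for new victims looks like from the network while a busy file server with a high but steady fan-out stays quiet. The flow-record format, the window scheme, the 3-sigma rule and the floor of 10 peers are assumptions made for the example, and the sample records are constructed, not real telemetry.

```python
"""Baseline-deviation detector for SMB lateral-movement fan-out.

Added example, not code from the article or from vArmour. A host is
flagged when the number of distinct destinations it contacts on TCP/445
in the detection window exceeds both an absolute floor and
mean + SIGMA * stddev of its own per-window counts over the learning
windows. Format, thresholds and sample data are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

SMB_PORT = 445      # assumption: SMB over TCP, the port WannaCry's worm spread on
MIN_PEERS = 10      # assumption: absolute floor so a quiet host never alerts on noise
SIGMA = 3.0         # assumption: std-devs above the host's own mean that count as deviation


def parse_flow(line):
    """Parse one constructed flow record 'window src dst dport' into a tuple."""
    window, src, dst, dport = line.split()
    return int(window), src, dst, int(dport)


def distinct_peers(flows, port=SMB_PORT):
    """Map (window, src) -> set of distinct destinations contacted on `port`."""
    peers = defaultdict(set)
    for window, src, dst, dport in flows:
        if dport == port:
            peers[(window, src)].add(dst)
    return peers


def baseline(peers, src, learn_windows):
    """Per-host baseline: mean and population std-dev of distinct SMB peers
    per learning window (a window with no SMB traffic counts as zero)."""
    counts = [len(peers.get((w, src), ())) for w in learn_windows]
    return mean(counts), pstdev(counts)


def detect(flows, learn_windows, detect_window):
    """Return {src: (observed_peers, threshold)} for every source whose SMB
    fan-out in detect_window exceeds its learned threshold."""
    peers = distinct_peers(flows)
    sources = {src for (_, src) in peers}
    alerts = {}
    for src in sorted(sources):
        mu, sigma = baseline(peers, src, learn_windows)
        threshold = max(float(MIN_PEERS), mu + SIGMA * sigma)
        observed = len(peers.get((detect_window, src), ()))
        if observed > threshold:
            alerts[src] = (observed, round(threshold, 1))
    return alerts


def constructed_flows():
    """Constructed sample, not real telemetry: windows 0-4 are normal
    traffic; in window 5 workstation ws-017 starts scanning for SMB peers."""
    lines = []
    fs_fanout = [28, 30, 32, 29, 31, 31]   # file server serves many clients every window
    for w, n in enumerate(fs_fanout):
        for i in range(n):
            lines.append(f"{w} fs-01 ws-{i:03d} 445")
    for w in range(6):
        lines.append(f"{w} ws-017 fs-01 445")
        lines.append(f"{w} ws-017 print-01 445")
        lines.append(f"{w} ws-042 fs-01 445")
        lines.append(f"{w} ws-042 web-01 443")   # non-SMB traffic is ignored
    for i in range(40):                           # window 5: ws-017 fans out to 40 new hosts
        lines.append(f"5 ws-017 10.0.0.{i} 445")
    return [parse_flow(line) for line in lines]


if __name__ == "__main__":
    for host, (seen, limit) in detect(constructed_flows(), range(5), 5).items():
        print(f"ALERT {host}: {seen} distinct SMB peers, baseline threshold {limit}")
```

The per-host baseline is the point: a flat fleet-wide threshold would either drown in file-server noise or miss a workstation going from two peers to forty. In production the windows would come from NetFlow, Zeek `conn.log` or EDR network events, and the learning set should exclude any window already under investigation so the scan does not teach itself into the baseline.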
Christopher Rogers, technology evangelist at Zerto says:
The infamous 2017 WannaCry ransomware attack was especially devastating in the UK as the malware was found to be operating in the NHS systems. Wreaking havoc, it resulted in the cancellation of thousands of appointments along with a fraught relocation of emergency patients from affected emergency centres. The resulting damages cost the UK £92 million and ran up global costs of £6 billion.
Thankfully since then, the world has not seen another global attack on this scale, but that doesn't mean the threat has subsided. In fact, ransomware has only become more prevalent. Since WannaCry, the annual number of ransomware attacks has increased by over 60 percent, from 184 million to more than 300 million instances recorded annually. Today it is no longer a question of if an organisation will be attacked but when.
Joseph Carson, chief security scientist and advisory CISO at Delinea says, "WannaCry taught all organizations some important lessons. The main one is that no matter how much you spend on your defense mechanisms and protecting your perimeter, you can be exposed from within if your technology and systems are old, outdated, or left unpatched. Poor internal cyber hygiene leaves the door open for malicious actors."
Reuven Harrison, chief technology officer at Tufin warns that, "There is no easy out-of-the-box technology solution to prevent ransomware, and attacks like WannaCry are only going to increase in frequency and severity unless companies take proactive action to transform a complex enterprise network environment into an easily managed, secure, and compliant network -- using consistent policy and rules to tighten their network security posture."
Carlo Edwards, cyber threat response analyst at Integrity360 focuses on how ransomware has evolved. "WannaCry focused on a single extortion method: deploying the malware resulted in encrypted files, and the victim had to pay up to gain access to those files. Now we are seeing more ransomware deployed as part of a double or even triple extortion tactic. With double extortion, the threat actors will exfiltrate the victim data and then encrypt the files and folders. The victim will then be held to ransom with the threat of having their data leaked, in addition to their local files being encrypted. Triple extortion has the added threat of a Distributed Denial of Service attack if the victim delays or refuses payment."
Isabelle Dumont, senior vice president of marketing and technology partners at Cowbell Cyber points out the need to guard against future attacks, "The five year anniversary of WannaCry is a great opportunity to reiterate the basic, often free, protections that enterprises can deploy to prevent such widespread attacks, starting with software patching, two-factor authentication and backups. These basic cybersecurity measures help not only against a wide range of cyber incidents, but they also open up access to cyber insurance options and incident preparedness and response resources available nowadays with modern cyber insurance policies. Small and medium-sized enterprises should look for access to their free software supply chain risk rating to get a benchmark of where they stand compared to industry peers with regards to software supply chain exposure. Enterprises in need of more sophisticated protection can refer to the newly updated NIST framework for Cybersecurity Supply Chain Risk Management (C-SCRM)."
Ariel Parnes, co-founder and COO of cloud incident response company Mitiga, also highlights the need for protection:
Five years later, how would the world respond to a massive attack like WannaCry? Are we more ready now to respond to a similar incident? As we know, patching vulnerabilities can be a time-consuming and complex process today too -- just look at the number of organizations that have yet to patch Log4Shell four months after it was announced. Not only that but patching alone isn’t enough to stop attackers. They may have already used a vulnerability to gain access to an environment, and too few organizations conduct regular proactive threat hunting.
To ensure that organizations today are prepared for a global cryptoworm like WannaCry, they need to think beyond prevention solutions. While those solutions are a valuable and necessary part of cybersecurity today, organizations should also adopt an approach that prioritizes readiness and includes automation to accelerate incident investigation and resolution. Without a change in approach to address changing capabilities and attack vectors of threat actors, we are still as vulnerable as we were five years ago.
Image Credit: Sean Locke Photography / Shutterstock