A Year After WannaCry, What Lessons Have Been Learned?

NEWS ANALYSIS: On the first anniversary of the 2017 WannaCry ransomware attack, what has changed and is WannaCry still a risk?

WannaCry Ransomware

On May 12, 2017, the ransomware attack known as WannaCry was first reported, ushering in a new generation of ransomware worm attacks. WannaCry impacted organizations around the world, and its legacy continues today. 

Within the first few hours of its attack, WannaCry shut down hospitals in United Kingdom and was infecting files at Spanish telecom firm Telefonica. By end of the day on May 12, WannaCry had spread to more than 74 countries and became the single most prolific and fast spreading ransomware attack of all time.

The attack spread around the world, fueled in part by an exploit that made use of a vulnerability that Microsoft had patched in March 2017. The MS17-010 advisory released on March 14 patched a flaw in Microsoft’s SMB server. That flaw was publicly revealed by a group known as the Shadow Brokers the next month and was allegedly weaponized by the National Security Agency (NSA) as an exploit known as EternalBlue.

Even though Microsoft had a patch available in April and even though news of WannaCry made headlines around the world on May 12, organizations were still feeling the impact months later. On June 22, eWEEK reported that among the victims of WannaCry in June were Honda Motor Co. in Japan and traffic cameras in Australia.

Attribution

While there was some early speculation about the source of the WannaCry attack, it wasn't until December 2017 that the U.S. government made a formal accusation. On Dec. 19, the U.S. formally pointed the finger at North Korea for being behind WannaCry.

WannaCry helped to inspire multiple follow-up attacks, including the NotPetya ransomware campaign that appeared in June 2017, which likely surpassed WannaCry in terms of financial damages. Like WannaCry, NotPetya made use of the EternalBlue exploit in order to spread across networks. In February 2018, the U.S. government formally blamed Russia for NotPetya.

WannaCry Today

"There are WannaCry instances on the internet today," Vikram Thakur, technical director of Symantec Security Response, told eWEEK. "This is the nature of worms, whereby they only truly go away when every single computer in the world is immune to their method of spreading."

Proofpoint is also still seeing WannaCry on a daily basis. Kevin Epstein, vice president of threat research at Proofpoint, said that his firm continues to detect hundreds of samples of WannaCry daily on its worldwide sensor network, although network activity is much lower than at the height of the attack. 

"It appears that WannaCry never really went away but instead continued propagating more slowly," Epstein said.

Legacy

WannaCry stands out for a number of reasons.

"WannaCry was the largest attack seen in terms of computers impacted by a single strain of ransomware," Thakur said.

That said, Thakur noted that more computers have been impacted, historically, by single strains of non-ransomware malware. Also, he said that a number of other ransomware campaigns have made more money for attackers than WannaCry (e.g., Cryptolocker, SamSam, Cerber, etc.).

Also of note is how the attack has inspired other campaigns in the months since the initial appearance of WannaCry. The methods used by WannaCry have now found their way into cryptocurrency mining botnets, according to Proofpoint. 

"One of our researchers [Kafeine] published findings on a Monero mining botnet, Smominru, in which the primary method of infection was EternalBlue," Epstein said. "As more organizations deploy available patches against these exploits, we expect that both financially motivated and state-sponsored threat actors will continue to innovate, finding new means of large-scale infection to achieve their goals."

Lessons Learned

For organizations of all sizes, there are lessons that can be learned from the WannaCry incident. There are obvious lessons, such as the critical importance of patching and having backups, but there are others as well.

As one of the most publicized cyber-attacks of recent years, WannaCry was a wakeup call for many businesses, and the media coverage it received has helped companies bring cyber-risk to the attention of their boards and executive teams, Epstein said.

Organizations and the security industry in general have begun prioritizing the types of models and hygiene measures that would help defend against WannaCry-type attacks, he said. On the model side, there are zero trust frameworks, like Google's BeyondCorp, which requires everything to be trusted in order for communication to occur. For improved hygiene methods, organizations are now looking at shorter patch windows and implementing network segmentation to limit risk exposure.

Epstein said WannaCry is an example of a rare but high-impact, black swan-type incident, as opposed to the day-to-day phishing, fraud and other similar issues exploiting humans rather than vulnerabilities that most organizations see much more frequently. 

"Bottom line, companies should make it a priority to improve their defenses against increasingly targeted and sophisticated attacks across email, mobile devices, and social media, in addition to ongoing widespread malware and phishing campaigns," he said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.