Three years ago, the WannaCry ransomware worm quickly compromised hundreds of thousands of out-of-date, unpatched computers and servers, encrypting data on the systems and often shutting down operations at affected organizations.
The list of victims ranged from hospitals belonging to the National Health Service in the United Kingdom, to car factories belonging to Renault-Nissan in France, to FedEx's shipping operations in the United States. The cost of cleaning up the damage from WannaCry and business disruption topped $8 billion, according to one estimate.
The attack shocked businesses with its speed and damaging effects. If not for the serendipitous actions of one former malware writer, the breadth of the so-called "ransomworm" attack could have been much worse.
"That was really the first time that cyber weapons were really turned against the public," says Craig Williams, director of outreach for Cisco's Talos cybersecurity research group. "Before this, there were definitely worms, but they were mainly destructive because they were self-replicating. Even with ample warning about these vulnerabilities, a lot of people hadn't patched and a lot of people did not have protections in place."
If there is a lesson from the WannaCry incident, it's this: Companies that use outdated systems and do not rigorously patch those systems are at risk, not just for data breaches — which firms have historically shrugged off — but for attacks by operations-disrupting ransomware.
Unfortunately, many companies continue to ignore those lessons and are still using out-of-date software that is vulnerable to destructive attacks, said Jacob Noffke, senior principal cyber engineer at Raytheon Intelligence & Space, in a statement sent to Dark Reading.
"Many have upgraded older operating systems, aggressively patched their systems, better isolated unpatched systems behind firewalls, and have sound backup solutions to minimize the impact and chance that ransomware will wreak havoc on their networks in the future," he said. "But, unfortunately, not all organizations have taken note — and as ransomware attacks continue to evolve, those with weaker defenses will be a prime target for cybercriminals looking to capitalize on WannaCry-inspired attacks."
WannaCry appeared on May 12, 2017, spreading quickly to more than 200,000 Windows systems in 150 countries worldwide. The ransomware spread like a worm, using self-propagation through a remote exploit made public two months earlier. The exploit, a former cyber weapon created by the National Security Agency and leaked by the hacker group Shadow Brokers, can easily compromise systems running older versions of Microsoft Windows, such a Windows XP, Windows 7, Window Server 2003, and Windows Server 2008.
Within four days, the attack had spread to more than 300,000 systems, according to estimates at the time. More than 95% of all infected machines ran unpatched versions of Windows 7 because WannaCry did not attack Windows XP systems correctly.
The WannaCry attack, however, fell short of its potential to do damage because of the efforts of Marcus Hutchins, a cybersecurity researcher — later revealed to be a former malware writer — who identified a "kill switch" in the program that could be used to stop the attack.
In addition to the point about not using outdated, unpatched systems, WannaCry left the industry with some other significant lessons — though many companies fail to heed them.
1. Old exploits do haunt us: WannaCry dramatically demonstrated to companies that keeping old software connected to the Internet with poor defenses is a bad idea. In fact, the spread of WannaCry likely blunted the impact of the NotPetya ransomware attack the following month, says Alex Guirakhoo, threat research team lead with Digital Shadows, a digital-threat protection firm.
"It was a really big wakeup call for organizations that rely on end-of-life systems," Guirakhoo says. "It has always been this thing where people use technology beyond the end of life, and they just don't update. That puts them at risk."
Yet comprehensive patching continues to elude many companies, and old systems seem to survive well past their expiration dates on the Internet.
Even today, more than 600,000 computers still expose the SMB file-sharing port to the Internet — a risky configuration — and many may still be available to attacks such as the EternalBlue exploit used by WannaCry. Attackers continue to look for the vulnerability, with at least 100 different sources still scanning for instances of SMB file-sharing vulnerable to the exploit, according to data collected by vulnerability-management firm Rapid7.
2. Worms can dramatically impact operations: WannaCry demonstrated how badly ransomware can hobble businesses and operations. The ransomworm — and NotPetya— caused tens of billions of dollars of damage worldwide.
The WannaCry attack, for example, disrupted operations at more than a third of the hospitals and medical practices making up the UK's National Health Service. NotPetya infected more than 30,000 laptops and 7,500 servers at Merck, costing the pharmaceutical firm more than $870 million in damages and lost revenue.
"These threats will never go away," Cisco's Williams says. "However, because so much attention has been paid to these attacks, the Internet was forever changed for the better as a result. Think about how more destructive NotPetya would have been if WannaCry didn't happen."
3. Attribution is hard: Eventually, Western intelligence agencies laid the blame for the WannaCry attack on North Korea and the NotPetya attack on Russia's intelligence services. Yet security researchers debated whether the signs of a North Korean developer detected in WannaCry were significant or a false flag.
Some researchers pointed to the fact that WannaCry did not target intellectual property and failed to properly monetize infected systems as a sign that a more amateur group likely wrote the code. Language analysis posited that the ransom notes displayed on infected systems were likely written by a Chinese-speaking author.
With false-flag tactics being used more often, trying to find the source of attacks will only become more difficult. So are we any better prepared today? Until companies can discover their critical system and patch them quickly, business remains vulnerable to another attack, Williams says.
"I would love to be optimistic, but we still see worms from 20 years ago spreading on the Internet today," he says. "There are systems that will never ever be patched, that were plugged in 10 years ago, and the organization has forgot about them."