Three Years After WannaCry, Ransomware Accelerating While Patching Still Problematic

Using a known exploit to infect unmaintained systems, the WannaCry ransomware worm remains a study in preventable catastrophes. Yet many companies continue to ignore its lessons.

Three years ago, the WannaCry ransomware worm quickly compromised hundreds of thousands of out-of-date, unpatched computers and servers, encrypting data on the systems and often shutting down operations at affected organizations.

The list of victims ranged from hospitals belonging to the National Health Service in the United Kingdom, to car factories belonging to Renault-Nissan in France, to FedEx's shipping operations in the United States. The cost of cleanup and business disruption from WannaCry topped $8 billion, according to one estimate.

The attack shocked businesses with its speed and damaging effects. If not for the serendipitous actions of one former malware writer, the breadth of the so-called "ransomworm" attack could have been much worse.

"That was really the first time that cyber weapons were really turned against the public," says Craig Williams, director of outreach for Cisco's Talos cybersecurity research group. "Before this, there were definitely worms, but they were mainly destructive because they were self-replicating. Even with ample warning about these vulnerabilities, a lot of people hadn't patched and a lot of people did not have protections in place."

Lesson Learned?
If there is a lesson from the WannaCry incident, it's this: Companies that use outdated systems and do not rigorously patch those systems are at risk, not just for data breaches — which firms have historically shrugged off — but for attacks by operations-disrupting ransomware.

Unfortunately, many companies continue to ignore those lessons and are still using out-of-date software that is vulnerable to destructive attacks, said Jacob Noffke, senior principal cyber engineer at Raytheon Intelligence & Space, in a statement sent to Dark Reading. 

"Many have upgraded older operating systems, aggressively patched their systems, better isolated unpatched systems behind firewalls, and have sound backup solutions to minimize the impact and chance that ransomware will wreak havoc on their networks in the future," he said. "But, unfortunately, not all organizations have taken note — and as ransomware attacks continue to evolve, those with weaker defenses will be a prime target for cybercriminals looking to capitalize on WannaCry-inspired attacks."

WannaCry appeared on May 12, 2017, spreading quickly to more than 200,000 Windows systems in 150 countries worldwide. The ransomware spread like a worm, self-propagating through EternalBlue, a remote exploit for the SMBv1 file-sharing service that Microsoft had patched two months earlier (MS17-010, March 2017) and that the hacker group Shadow Brokers had leaked publicly in April. The exploit, originally a cyber weapon created by the National Security Agency, can easily compromise unpatched systems running older versions of Microsoft Windows, such as Windows XP, Windows 7, Windows Server 2003, and Windows Server 2008.

Within four days, the attack had spread to more than 300,000 systems, according to estimates at the time. More than 95% of all infected machines ran unpatched versions of Windows 7, because the exploit tended to crash Windows XP systems rather than infect them.

The WannaCry attack, however, fell short of its potential to do damage because of the efforts of Marcus Hutchins, a cybersecurity researcher, later revealed to be a former malware writer, who identified a "kill switch" in the program: the malware queried an unregistered domain before spreading and stopped if the domain resolved, so registering that domain halted the outbreak.

WannaCry Takeaways
In addition to the point about not using outdated, unpatched systems, WannaCry left the industry with some other significant lessons — though many companies fail to heed them.

1. Old exploits do haunt us: WannaCry dramatically demonstrated to companies that keeping old software connected to the Internet with poor defenses is a bad idea. In fact, the spread of WannaCry likely blunted the impact of the NotPetya ransomware attack the following month, says Alex Guirakhoo, threat research team lead with Digital Shadows, a digital-threat protection firm.

"It was a really big wakeup call for organizations that rely on end-of-life systems," Guirakhoo says. "It has always been this thing where people use technology beyond the end of life, and they just don't update. That puts them at risk."

Yet comprehensive patching continues to elude many companies, and old systems seem to survive well past their expiration dates on the Internet. 

Even today, more than 600,000 computers still expose the SMB file-sharing port (TCP 445) to the Internet — a risky configuration — and many of them may still be exposed to attacks such as the EternalBlue exploit used by WannaCry. Attackers continue to look for the vulnerability, with at least 100 different sources still scanning for instances of SMB file sharing vulnerable to the exploit, according to data collected by vulnerability-management firm Rapid7.
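The exposure described above is easy to measure for your own address space. The following Python script is an added example, not code from the article or from Rapid7: it sends an SMB1 Negotiate Protocol Request offering only the "NT LM 0.12" dialect and classifies the reply. A host that answers with an SMBv1 negotiate response still speaks the protocol EternalBlue rides on; a host that answers with an SMB2 header, or resets the connection, has SMBv1 disabled. It is an exposure check only, not an MS17-010 vulnerability test, and it assumes you are authorized to probe the hosts you pass to it. The sample replies in `build_sample_reply` are constructed for offline testing.

```python
"""SMBv1 exposure probe (added example; an exposure check, not an MS17-010 test)."""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
SMB1_DIALECTS = [b"NT LM 0.12"]  # the only dialect we offer, so SMB2 cannot be chosen


def build_negotiate_request(dialects=SMB1_DIALECTS, pid=0x1F4C, mid=1):
    """Return a NetBIOS-framed SMB1 Negotiate Protocol Request (32-byte header + body)."""
    header = struct.pack(
        "<4sB4sBHH8sHHHHH",
        SMB1_MAGIC,          # protocol id
        SMB_COM_NEGOTIATE,   # command
        b"\x00" * 4,         # NT status (unused in a request)
        0x18,                # Flags: canonical paths, case-insensitive
        0x2801,              # Flags2: long names, NT status codes, Unicode
        0,                   # PIDHigh
        b"\x00" * 8,         # SecurityFeatures
        0, 0, pid, 0, mid,   # Reserved, TID, PIDLow, UID, MID
    )
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    params = struct.pack("<BH", 0, len(body))  # WordCount = 0, ByteCount
    smb = header + params + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def parse_negotiate_response(data):
    """Classify a raw reply: protocol is 'SMB1', 'SMB2' or 'unknown'; smbv1_enabled is a bool."""
    result = {"protocol": "unknown", "smbv1_enabled": False, "dialect_index": None}
    if len(data) < 4 + 33:  # NetBIOS header + SMB header + WordCount
        return result
    smb = data[4:]
    if smb[:4] == SMB2_MAGIC:
        # Server declined SMB1 and answered with an SMB2 negotiate response.
        result["protocol"] = "SMB2"
        return result
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return result
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    dialect_index = None
    if word_count >= 1 and len(smb) >= 35:
        dialect_index = struct.unpack_from("<H", smb, 33)[0]
    # 0xFFFF means "none of the offered dialects"; anything else is a live SMBv1 dialog.
    result["protocol"] = "SMB1"
    result["dialect_index"] = dialect_index
    result["smbv1_enabled"] = status == 0 and dialect_index not in (None, 0xFFFF)
    return result


def build_sample_reply(magic, status=0, word_count=17, dialect_index=0):
    """Constructed sample reply for offline testing (not captured from a real host)."""
    header = magic + bytes([SMB_COM_NEGOTIATE]) + struct.pack("<I", status) + b"\x00" * 23
    params = bytes([word_count]) + struct.pack("<H", dialect_index) + b"\x00" * (2 * (word_count - 1))
    smb = header + params + struct.pack("<H", 0)  # ByteCount = 0
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def probe(host, port=445, timeout=3.0):
    """Connect, send the probe, classify the answer. A reset or empty reply is reported as 'closed'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate_request())
            data = s.recv(4096)
    except OSError as exc:
        return {"protocol": "closed", "smbv1_enabled": False, "dialect_index": None, "error": str(exc)}
    return parse_negotiate_response(data)


if __name__ == "__main__":
    for target in sys.argv[1:]:
        r = probe(target)
        flag = "SMBv1 ENABLED" if r["smbv1_enabled"] else "smbv1 off"
        print(f"{target}: {r['protocol']:8} {flag}")
```

Run it as `python smb1probe.py 10.0.0.5 10.0.0.6` against hosts you own; any line marked `SMBv1 ENABLED` is a host that should either receive MS17-010 and have SMBv1 disabled, or be taken off the Internet-facing network entirely.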

2. Worms can dramatically impact operations: WannaCry demonstrated how badly ransomware can hobble businesses and operations. The ransomworm — and NotPetya — caused tens of billions of dollars of damage worldwide.

The WannaCry attack, for example, disrupted operations at more than a third of the hospitals and medical practices making up the UK's National Health Service. NotPetya infected more than 30,000 laptops and 7,500 servers at Merck, costing the pharmaceutical firm more than $870 million in damages and lost revenue.

"These threats will never go away," Cisco's Williams says. "However, because so much attention has been paid to these attacks, the Internet was forever changed for the better as a result. Think about how more destructive NotPetya would have been if WannaCry didn't happen."

3. Attribution is hard: Eventually, Western intelligence agencies laid the blame for the WannaCry attack on North Korea and the NotPetya attack on Russia's intelligence services. Yet security researchers debated whether the signs of a North Korean developer detected in WannaCry were significant or a false flag. 

Some researchers pointed to the fact that WannaCry did not target intellectual property and failed to properly monetize infected systems as a sign that a more amateur group likely wrote the code. Language analysis posited that the ransom notes displayed on infected systems were likely written by a Chinese-speaking author. 

With false-flag tactics being used more often, finding the source of attacks will only become more difficult. So are we any better prepared today? Until companies can discover their critical systems and patch them quickly, businesses remain vulnerable to another such attack, Williams says.

"I would love to be optimistic, but we still see worms from 20 years ago spreading on the Internet today," he says. "There are systems that will never ever be patched, that were plugged in 10 years ago, and the organization has forgotten about them."
