Customers
Why Mitiga
Request a DemoEmergency Assistance
Home
»
Blog Main

Five years ago, the WannaCry ransomware cryptoworm targeted computers running Microsoft Windows, encrypting data at organizations around the world. The attackers demanded a ransom of just $300 worth of bitcoins within three days or the files would be permanently deleted. The cryptoworm leveraged the EternalBlue exploit, which the National Security Agency developed to attack older Windows Systems.  

The attack was effective against organizations that had not implemented patches for the exploits or were still using old Windows systems that Microsoft no longer supported, while the vulnerability itself was revealed in April 2017 during a leak of NSA documents and hacking tools by the Shadow Brokers group in April 2017. Some estimated that the WannaCry attack impacted more than 200,000 computers in at least 150 countries, with damage estimates ranging in cost from hundreds of millions to billions of dollars. Prevention efforts alone were not sufficient to protect us from these attacks.  

Lesson #1: Prevention is not enough

Five years later, is the world ready to respond effectively to a massive attack like WannaCry? Are we more ready now to respond to a similar incident? As anyone in the software industry knows, patching vulnerabilities is often a time-consuming and complex process — just look at the number of organizations that have yet to patch Log4Shell months after it was announced. Even organizations that have patched the Log4j vulnerability may find that patching alone isn’t enough to stop attackers. They may have already used a vulnerability to gain access to an environment, and far too few organizations conduct regular proactive threat hunting to uncover such activities.

Lesson #2: Multiple incidents are devastating

The breadth of the WannaCry attack taught us that the impact of multiple simultaneous attacks using the same attack vector can be devastating. Are we more ready now to respond to similar incidents that impact so many customers worldwide at once? Five years ago, the world was not, and unless we increase automation, particularly in incident response, to scale up to meet the needs of customers around the world impacted by multiple incidents at the same time, we won’t be prepared to handle similar attacks in the future. To do that, we not only need automation but also to be far more efficient in sharing intelligence and cooperating across industries, organizations, and countries to handle these types of attacks.  

Lesson #3: Nation state weapons will leak

Today, cyberwarfare programs are increasing in sophistication in an ever-growing number of countries such as the United States, China, the United Kingdom, Russia, and others. WannaCry itself was based on a leaked zero-day vulnerability from a nation state organization, quickly leveraged into a ransomware attack. As cyber capabilities grow in nation states, it’s extremely likely that each one has a collection of zero-day vulnerabilities at their disposal. Leaks of these nation state level weapons are always possible, and adversaries will be quick to take advantage of them if they occur, so we need our agencies to work to secure these types of weapons and put effort into making sure these weapons do not become widely dispersed.  

WannaCry Lessons Learned: Be Ready  

Organizations must be prepared for a global cryptoworm like WannaCry or any other massive attack. While these types of events may seem extraordinary because the scale was unusual, this type of activity must be expected. Cybercriminals will continue their attacks because it offers significant rewards with minimal risk.  

Prevention solutions are a valuable and necessary part of cybersecurity today, but it’s also critical to prioritize cyber resilience. You can do so by adopting an approach to cybersecurity that prioritizes readiness and includes automation to accelerate incident investigation and resolution. Without a change in approach, one that addresses the changing technological landscape capabilities as well as attack vectors of threat actors, we will be as vulnerable to a massive attack like WannaCry as we were five years ago.

Are you ready for the next ransomware attack?

LAST UPDATED:

May 4, 2024

Don't miss these stories:

Frost & Sullivan’s Latest 2025 Frost Radar: The Need for Runtime Cloud Security in a Cloud-First World

Cloud breaches rose 35% year over year in 2024, and legacy security tools are failing to keep up. The rapid sprawl of multi-cloud and SaaS has shattered the assumptions baked into legacy, on-prem, and endpoint-focused security stacks, which can’t keep pace with today’s dynamic attack surfaces.

The Remote Worker Scam: Understanding the North Korean Insider Threat

Recent investigations have uncovered a sophisticated scheme by North Korean operatives to exploit remote work policies in the U.S. tech industry.

Who Touched My GCP Project? Understanding the Principal Part in Cloud Audit Logs – Part 2

This second part of the blog series continues the path to understanding principals and identities in Google Cloud Platform (GCP) Audit Logs. Part one introduced core concepts around GCP logging, the different identity types, service accounts, authentication methods, and impersonation.

Mitiga Security Advisory: Lack of Forensic Visibility with the Basic License in Google Drive

Mitiga's advisory highlights critical gaps in forensic visibility with Google Drive's Basic license, affecting security and incident investigations. Read on.

Cloud Detection vs Cloud Threat Hunting: Insights for Cyber Leaders

As cyber threats evolve, security teams need to detect and mitigate cloud attacks. Learn why cloud detection and threat hunting are key defense strategies.

Oops, I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots

A recent Mitiga Research Team investigation found the well-regarded Amazon Relational Database Service is leaking PII via exposed RDS Snapshots.