Five years ago, the WannaCry ransomware cryptoworm targeted computers running Microsoft Windows, encrypting data at organizations around the world. The attackers demanded a ransom of just $300 worth of bitcoins within three days, after which the files would be permanently deleted. The cryptoworm leveraged the EternalBlue exploit, which the National Security Agency had developed to attack older Windows systems.

The attack was effective against organizations that had not applied the patch for the vulnerability or were still running old Windows systems that Microsoft no longer supported. The vulnerability itself had been revealed in April 2017, when the Shadow Brokers group leaked NSA documents and hacking tools. Some estimated that the WannaCry attack impacted more than 200,000 computers in at least 150 countries, with damage estimates ranging from hundreds of millions to billions of dollars. Prevention efforts alone were not sufficient to protect us from these attacks.

Lesson #1: Prevention is not enough

Five years later, is the world ready to respond effectively to a massive attack like WannaCry, or to a similar incident? As anyone in the software industry knows, patching vulnerabilities is often a time-consuming and complex process — just look at the number of organizations that have yet to patch Log4Shell months after it was announced. Even organizations that have patched the Log4j vulnerability may find that patching alone isn't enough to stop attackers: they may have already used the vulnerability to gain access to the environment before the patch was applied, and far too few organizations conduct regular proactive threat hunting to uncover such activity.

Lesson #2: Multiple incidents are devastating

The breadth of the WannaCry attack taught us that the impact of multiple simultaneous attacks using the same attack vector can be devastating. Are we more ready now to respond to incidents that impact so many customers worldwide at once? Five years ago, the world was not. Unless we increase automation, particularly in incident response, so that we can scale up to meet the needs of customers around the world hit by multiple incidents at the same time, we won't be prepared to handle similar attacks in the future. To do that, we need not only automation but also far more efficient intelligence sharing and cooperation across industries, organizations, and countries.

Lesson #3: Nation state weapons will leak

Today, cyberwarfare programs are increasing in sophistication in an ever-growing number of countries, including the United States, China, the United Kingdom, and Russia. WannaCry itself was based on a leaked zero-day vulnerability from a nation state organization, quickly leveraged into a ransomware attack. As nation states' cyber capabilities grow, it's extremely likely that each one has a collection of zero-day vulnerabilities at its disposal. Leaks of these nation state level weapons are always possible, and adversaries will be quick to take advantage of them if they occur, so we need our agencies to secure these weapons and put effort into making sure they do not become widely dispersed.

WannaCry Lessons Learned: Be Ready

Organizations must be prepared for a global cryptoworm like WannaCry or any other massive attack. While these events may seem extraordinary because their scale was unusual, this type of activity must be expected. Cybercriminals will continue their attacks because they offer significant rewards with minimal risk.

Prevention solutions are a valuable and necessary part of cybersecurity today, but it's also critical to prioritize cyber resilience. You can do so by adopting an approach to cybersecurity that prioritizes readiness and includes automation to accelerate incident investigation and resolution. Without a change in approach, one that addresses both the changing capabilities of the technology landscape and the evolving attack vectors of threat actors, we will be as vulnerable to a massive attack like WannaCry as we were five years ago.

Are you ready for the next ransomware attack?

LAST UPDATED: May 4, 2024
