We're proud to be named a 2024 Publisher's Choice winner!

We're an RSA Conference 2024 Innovation Sandbox Finalist!

Five years ago, the WannaCry ransomware cryptoworm targeted computers running Microsoft Windows, encrypting data at organizations around the world. The attackers demanded a ransom of just $300 worth of bitcoins within three days or the files would be permanently deleted. The cryptoworm leveraged the EternalBlue exploit, which the National Security Agency developed to attack older Windows Systems.  

The attack was effective against organizations that had not implemented patches for the exploits or were still using old Windows systems that Microsoft no longer supported, while the vulnerability itself was revealed in April 2017 during a leak of NSA documents and hacking tools by the Shadow Brokers group in April 2017. Some estimated that the WannaCry attack impacted more than 200,000 computers in at least 150 countries, with damage estimates ranging in cost from hundreds of millions to billions of dollars. Prevention efforts alone were not sufficient to protect us from these attacks.  

Lesson #1: Prevention is not enough

Five years later, is the world ready to respond effectively to a massive attack like WannaCry? Are we more ready now to respond to a similar incident? As anyone in the software industry knows, patching vulnerabilities is often a time-consuming and complex process — just look at the number of organizations that have yet to patch Log4Shell months after it was announced. Even organizations that have patched the Log4j vulnerability may find that patching alone isn’t enough to stop attackers. They may have already used a vulnerability to gain access to an environment, and far too few organizations conduct regular proactive threat hunting to uncover such activities.

Lesson #2: Multiple incidents are devastating

The breadth of the WannaCry attack taught us that the impact of multiple simultaneous attacks using the same attack vector can be devastating. Are we more ready now to respond to similar incidents that impact so many customers worldwide at once? Five years ago, the world was not, and unless we increase automation, particularly in incident response, to scale up to meet the needs of customers around the world impacted by multiple incidents at the same time, we won’t be prepared to handle similar attacks in the future. To do that, we not only need automation but also to be far more efficient in sharing intelligence and cooperating across industries, organizations, and countries to handle these types of attacks.  

Lesson #3: Nation state weapons will leak

Today, cyberwarfare programs are increasing in sophistication in an ever-growing number of countries such as the United States, China, the United Kingdom, Russia, and others. WannaCry itself was based on a leaked zero-day vulnerability from a nation state organization, quickly leveraged into a ransomware attack. As cyber capabilities grow in nation states, it’s extremely likely that each one has a collection of zero-day vulnerabilities at their disposal. Leaks of these nation state level weapons are always possible, and adversaries will be quick to take advantage of them if they occur, so we need our agencies to work to secure these types of weapons and put effort into making sure these weapons do not become widely dispersed.  

WannaCry Lessons Learned: Be Ready  

Organizations must be prepared for a global cryptoworm like WannaCry or any other massive attack. While these types of events may seem extraordinary because the scale was unusual, this type of activity must be expected. Cybercriminals will continue their attacks because it offers significant rewards with minimal risk.  

Prevention solutions are a valuable and necessary part of cybersecurity today, but it’s also critical to prioritize cyber resilience. You can do so by adopting an approach to cybersecurity that prioritizes readiness and includes automation to accelerate incident investigation and resolution. Without a change in approach, one that addresses the changing technological landscape capabilities as well as attack vectors of threat actors, we will be as vulnerable to a massive attack like WannaCry as we were five years ago.

Are you ready for the next ransomware attack?


May 4, 2024

Don't miss these stories:

Mitiga Wins Global InfoSec Award for Cloud Threat Detection Investigation & Response (TDIR)

We’re proud to report that at the open of today’s RSAC24, Mitiga was awarded the Publisher's Choice Cloud Threat Detection Investigation & Response (TDIR) from Cyber Defense Magazine (CDM), the industry’s leading electronic information security magazine.

Here's Why Traditional Incident Response Doesn’t Work in the Cloud

Traditional incident response (IR) learned from on-premises investigations doesn’t work in the cloud. Today's threat actors are finding misconfigurations and vulnerabilities to allow them to penetrate cloud environments.

Why Did AWS Replace My Role’s ARN with a Unique ID in My Policy?

After several years of working with AWS, IAM remains one of the most frequently used services in my daily routine. Yet, despite my familiarity with it, a recent production incident taught me that there’s always more to learn.