November 28, 2022 | By Doug Bonderud

WannaCry wasn’t a particularly complex or innovative ransomware attack. What made it unique, however, was its rapid spread. Using the EternalBlue exploit, the malware could quickly move from device to device, leveraging a flaw in the Microsoft Windows Server Message Block (SMB) protocol.

As a result, when the WannaCry “ransomworm” hit networks in 2017, it expanded to wreak havoc on high-profile systems worldwide.

While the discovery of a “kill switch” in the code blunted the spread of the attack and newly developed patches countered the SMB vulnerability, WannaCry ultimately set the stage for the development of collective defense efforts that focused on information sharing to help limit attack impact.

What vulnerabilities did the attack expose in common security frameworks, and how did it change the course of cybersecurity? Five years later, it’s worth a look back on WannaCry for any worms of wisdom.

Anatomy of a ransomworm

The basic components of WannaCry were simple and familiar. Using a self-contained malware dropper, the WannaCry executable extracted three components after compromising a device: an encryption application, files with encryption keys and a copy of The Onion Router (Tor) for anonymous communication.

What set WannaCry apart, however, was its use of the SMB vulnerability to replicate itself across multiple network-connected devices. This exploit effort — known as EternalBlue — took WannaCry from mildly annoying to massively problematic.

Initially developed by the National Security Agency (NSA), EternalBlue was subsequently stolen by a hacker group known as the Shadow Brokers, who in turn released it publicly on April 8th, 2017. Just over a month later, WannaCry began worming its way through high-profile systems across the globe, including Britain’s National Health Service (NHS).

A Tweet told the tale. Devices across the NHS began displaying the same message: “Ooops, your files have been encrypted!” All told, WannaCry infected 70,000 NHS devices and completely shut down one-third of hospitals. While the ransom demands came in at around $300, almost laughably low compared to current exploit efforts, the scope and scale of the attack had security professionals worldwide on edge.

Flipping the switch

In 2017, cybersecurity professionals were expecting a large-scale attack. They didn’t have the specifics; instead, they knew that rapidly evolving enterprise network landscapes gave hackers an ideal way to exploit organizations. But while they were expecting a security storm, they weren’t expecting a complete cyber catastrophe.

Thankfully, security researcher Marcus Hutchins discovered a “kill switch” in the WannaCry code. Before encrypting any data, the malware attempted a connection to a specific URL that didn’t exist: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

If WannaCry failed to connect, it proceeded with encryption. If the connection was successful, it stopped. In theory, this hard-coded URL existed to stop security researchers from putting the malware in a sandbox and watching it connect to common URLs. In practice, Hutchins used this function to blunt the spread of WannaCry by registering the fake URL and making it active.
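
A defender can use the same check for triage: any internal host that looks up the kill-switch domain has reached the step described above, and a lookup that fails means the malware would go on to encrypt. The following is an added example, not code from this article or from the malware; the log format, IP addresses and function names are assumptions constructed for illustration.

```python
from collections import defaultdict

# Kill-switch domain exactly as quoted in the article.
KILL_SWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample DNS log (hypothetical format: timestamp client qname rcode).
SAMPLE_LOG = "\n".join([
    "2017-05-12T08:01:13Z 10.0.4.21 www.example.org. NOERROR",
    f"2017-05-12T08:01:15Z 10.0.4.21 www.{KILL_SWITCH}. NXDOMAIN",
    f"2017-05-12T08:01:16Z 10.0.7.9 {KILL_SWITCH.upper()} NOERROR",
    f"2017-05-12T08:02:40Z 10.0.4.21 {KILL_SWITCH} SERVFAIL",
    f"2017-05-12T08:03:02Z 10.0.9.50 {KILL_SWITCH}.other.example NOERROR",
    "malformed line",
])

def is_kill_switch(qname):
    """True for the domain itself or a subdomain; case and trailing dot ignored."""
    name = qname.strip().rstrip(".").lower()
    return name == KILL_SWITCH or name.endswith("." + KILL_SWITCH)

def triage(log_text):
    """Map each client that queried the domain to its lookup and failure counts."""
    hosts = defaultdict(lambda: {"lookups": 0, "failed": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed format
        _ts, client, qname, rcode = fields
        if not is_kill_switch(qname):
            continue
        hosts[client]["lookups"] += 1
        # A failed lookup guarantees the connection fails too, which is the
        # branch where the malware proceeds to encryption.
        if rcode.upper() != "NOERROR":
            hosts[client]["failed"] += 1
    return dict(hosts)

def priority(entry):
    """Hosts whose check failed at least once are isolated first."""
    return "isolate-first" if entry["failed"] else "investigate"

if __name__ == "__main__":
    for client, entry in sorted(triage(SAMPLE_LOG).items()):
        print(client, entry, priority(entry))
```

Every host in the result needs attention regardless of priority, because a successful lookup only shows that the kill switch was reachable, not that the host is clean.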

This kill switch helped stop the ransomworm’s spread. When it comes to WannaCry, however, the tears aren’t over yet.

(Wanna)Cry me a river

While the bulk of WannaCry’s damage occurred in the weeks after the May 2017 attack, cyber criminals didn’t simply move on. Instead, they took their time developing new versions without easy-to-find kill switch components and then leveraged these attacks against systems that still contained the SMB flaw.

The numbers tell the tale. From January to March 2021, WannaCry attacks increased by 53%. Despite the ongoing risks, however, many security experts agree that flaws in the attack itself led to its downfall. They also say that businesses and government agencies haven’t done enough to prevent a resurgence of similar attacks.

The result? WannaCry left a triple legacy in the wake of its original attack.

We’re all in this together

As noted above, the WannaCry malware itself wasn’t well-built or particularly innovative. Even the URL designed to prevent security teams from digging into the details did hackers more harm than good since they apparently didn’t consider that someone might simply register their fake URL and frustrate their efforts.

Where WannaCry did make an impact, however, was in the realization that companies weren’t islands when it came to security threats. The rapid uptake of sprawling cloud networks and connected devices provided the ideal path for ransomworm duplication, in turn paving the way for a more collegial defensive response that prioritized threat sharing over keeping security details close to the chest for fear of industry pushback.

The more things change…

The WannaCry attack also left its mark on cybersecurity by highlighting that no matter how far-reaching an attack — or how adaptable its code is over time — meaningful change is hard to implement.

Consider automatic patch application. Microsoft developed a patch for its SMB vulnerability ASAP after WannaCry began spreading. But five years later, there are still companies that haven’t updated their software to prevent this vulnerability.

Bad code, worse results

Analysis of WannaCry revealed that it was poorly built and not particularly innovative. It was bad code, but all it took was breaching a few network systems to create devastating results. The outcome was a revelatory recognition that it’s not how you code an attack; it’s how you use it.

In other words, it doesn’t matter what type of security controls are in place if attackers can bypass key systems. Even poorly made and poorly executed code can spread across networks and between companies, causing thousands of devices to fail. Put simply, the function rather than the form made this ransomworm so worrisome.

Bottom line? WannaCry changed the course of cybersecurity by demonstrating the inherent vulnerability of interconnected systems. And while it highlighted the need for better communication and data sharing across industries and operations, its short-lived rampage left some companies overconfident about their ability to handle emerging threats.

Ultimately, WannaCry remains active, a reminder that even “old” security threats never die — they’re simply less prevalent.
