WannaCry wasn’t a particularly complex or innovative ransomware attack. What made it unique, however, was its rapid spread. Using the EternalBlue exploit, malware could quickly move from device to device, leveraging a flaw in the Microsoft Windows Server Message Block (SMB) protocol.

As a result, when the WannaCry “ransomworm” hit networks in 2017, it expanded to wreak havoc on high-profile systems worldwide.

While the discovery of a “kill switch” in the code blunted the spread of the attack and newly developed patches countered the SMB vulnerability, WannaCry ultimately set the stage for the development of collective defense efforts that focused on information sharing to help limit attack impact.

What vulnerabilities did the attack expose in common security frameworks, and how did it change the course of cybersecurity? Five years later, it’s worth a look back on WannaCry for any worms of wisdom.

Anatomy of a Ransomworm

The basic components of WannaCry were simple and familiar. Using a self-contained malware dropper, the WannaCry executable extracted three components after compromising a device: an encryption application, files with encryption keys and a copy of The Onion Router (Tor) for anonymous communication.

What set WannaCry apart, however, was its use of the SMB vulnerability to replicate itself across multiple network-connected devices. This exploit effort — known as EternalBlue — took WannaCry from mildly annoying to massively problematic.

Initially developed by the National Security Agency (NSA), EternalBlue was subsequently stolen by a hacker group known as the Shadow Brokers, who in turn released it publicly on April 8th, 2017. Just over a month later, WannaCry began worming its way through high-profile systems across the globe, including Britain’s National Health Service (NHS).

A Tweet told the tale. Devices across the NHS began displaying the same message: “Ooops, your files have been encrypted!” All told, WannaCry infected 70,000 NHS devices and completely shut down one-third of hospitals. While the ransom demands came in at around $300, almost laughably low compared to current exploit efforts, the scope and scale of the attack had security professionals worldwide on edge.

Flipping the Switch

In 2017, cybersecurity professionals were expecting a large-scale attack. They didn’t have the specifics; instead, they knew that rapidly-evolving enterprise network landscapes were the ideal frameworks for hackers to exploit organizations. But while they were expecting a security storm, they weren’t expecting a complete cyber catastrophe.

Thankfully, security researcher Marcus Hutchins discovered a “kill switch” in the WannaCry code. Before encrypting any data, the malware attempted a connection to a specific URL that didn’t exist: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

If WannaCry failed to connect, it proceeded with encryption. If the connection was successful, it stopped. In theory, this hard-coded URL existed to stop security researchers from putting the malware in a sandbox and watching it connect to common URLs. In practice, Hutchins used this function to blunt the spread of WannaCry by registering the fake URL and making it active.

This kill switch helped stop the ransomworm’s spread. When it comes to WannaCry, however, the tears aren’t over yet.

(Wanna)Cry Me a River

While the bulk of WannaCry’s damage occurred in the weeks after the May 2017 attack, cyber criminals didn’t simply move on. Instead, they took their time developing new versions without easy-to-find kill switch components and then leveraged these attacks against systems that still contained the SMB flaw.

The numbers tell the tale. From January to March 2021, WannaCry attacks increased by 53%. Despite the ongoing risks, however, many security experts agree that flaws in the attack itself led to its downfall. They also say that business and government agencies haven’t done enough to prevent a resurgence of similar attacks.

The result? WannaCry left a triple legacy in the wake of its original attack.

We’re All in This Together

As noted above, the WannaCry malware itself wasn’t well-built or particularly innovative. Even the URL designed to prevent security teams from digging into the details did hackers more harm than good since they apparently didn’t consider that someone might simply register their fake URL and frustrate their efforts.

Where WannaCry did make an impact, however, was in the realization that companies weren’t islands when it came to security threats. The rapid uptake of sprawling cloud networks and connected devices provided the ideal path for ransomworm duplication, in turn paving the way for a more collegial defensive response that prioritized threat sharing over keeping security details close to the chest for fear of industry pushback.

The More Things Change…

The WannaCry attack also left its mark on cybersecurity by highlighting that no matter how far-reaching an attack — or how adaptable its code is over time — meaningful change is hard to implement.

Consider automatic patch application. Microsoft developed a patch for its SMB vulnerability ASAP after WannaCry began spreading. But five years later, there are still companies that haven’t updated their software to prevent this vulnerability.

Bad Code, Worse Results

Analysis of WannaCry revealed that it was poorly built and not particularly innovative. It was bad code, but all it took was breaching a few network systems to create devastating results. The outcome was a revelatory recognition that it’s not how you code an attack; it’s how you use it.

In other words, it doesn’t matter what type of security controls are in place if attackers can bypass key systems. Even poorly made and poorly executed code can spread across networks and between companies, causing thousands of devices to fail. Put simply, the function rather than the form made this ransomworm so worrisome.

Bottom line? WannaCry changed the course of cybersecurity by demonstrating the inherent vulnerability of interconnected systems. And while it highlighted the need for better communication and data sharing across industries and operations, its short-lived rampage left some companies overconfident about their ability to handle emerging threats.

Ultimately, WannaCry remains active, a reminder that even “old” security threats never die — they’re simply less prevalent.

More from Risk Management

Contain Breaches and Gain Visibility With Microsegmentation

Organizations must grapple with challenges from various market forces. Digital transformation, cloud adoption, hybrid work environments and geopolitical and economic challenges all have a part to play. These forces have especially manifested in more significant security threats to expanding IT attack surfaces. Breach containment is essential, and zero trust security principles can be applied to curtail attacks across IT environments, minimizing business disruption proactively. Microsegmentation has emerged as a viable solution through its continuous visualization of workload and device communications…

How the Silk Road Affair Changed Law Enforcement

The Silk Road was the first modern dark web marketplace, an online place for anonymously buying and selling illegal products and services using Bitcoin. Ross Ulbricht created The Silk Road in 2011 and operated it until 2013 when the FBI shut it down. Its creator was eventually arrested and sentenced to life in prison. But in a plot twist right out of a spy novel, a cyber attacker stole thousands of bitcoins from Silk Road and hid them away. It…

Third-Party App Stores Could Be a Red Flag for iOS Security

Even Apple can’t escape change forever. The famously restrictive company will allow third-party app stores for iOS devices, along with allowing users to “sideload” software directly. Spurring the move is the European Union’s (EU) Digital Markets Act (DMA), which looks to ensure open markets by reducing the ability of digital “gatekeepers” to restrict content on devices. While this is good news for app creators and end-users, there is a potential red flag: security. Here’s what the compliance-driven change means for…

Defensive Driving: The Need for EV Cybersecurity Roadmaps

As the U.S. looks to bolster electric vehicle (EV) adoption, a new challenge is on the horizon: cybersecurity. Given the interconnected nature of these vehicles and their reliance on local power grids, they’re not just an alternative option for getting from Point A to Point B. They also offer a new path for network compromise that could put drivers, companies and infrastructure at risk. To help address this issue, the Office of the National Cyber Director (ONCD) recently hosted a…