November 28, 2022 By Doug Bonderud 4 min read

WannaCry wasn’t a particularly complex or innovative ransomware attack. What made it unique, however, was its rapid spread. Using the EternalBlue exploit, malware could quickly move from device to device, leveraging a flaw in the Microsoft Windows Server Message Block (SMB) protocol.

As a result, when the WannaCry “ransomworm” hit networks in 2017, it expanded to wreak havoc on high-profile systems worldwide.

While the discovery of a “kill switch” in the code blunted the spread of the attack and newly developed patches countered the SMB vulnerability, WannaCry ultimately set the stage for the development of collective defense efforts that focused on information sharing to help limit attack impact.

What vulnerabilities did the attack expose in common security frameworks, and how did it change the course of cybersecurity? Five years later, it’s worth a look back on WannaCry for any worms of wisdom.

Anatomy of a ransomworm

The basic components of WannaCry were simple and familiar. Using a self-contained malware dropper, the WannaCry executable extracted three components after compromising a device: an encryption application, files with encryption keys and a copy of The Onion Router (Tor) for anonymous communication.

What set WannaCry apart, however, was its use of the SMB vulnerability to replicate itself across multiple network-connected devices. This exploit effort — known as EternalBlue — took WannaCry from mildly annoying to massively problematic.

Initially developed by the National Security Agency (NSA), EternalBlue was subsequently stolen by a hacker group known as the Shadow Brokers, who in turn released it publicly on April 8th, 2017. Just over a month later, WannaCry began worming its way through high-profile systems across the globe, including Britain’s National Health Service (NHS).

A Tweet told the tale. Devices across the NHS began displaying the same message: “Ooops, your files have been encrypted!” All told, WannaCry infected 70,000 NHS devices and completely shut down one-third of hospitals. While the ransom demands came in at around $300, almost laughably low compared to current exploit efforts, the scope and scale of the attack had security professionals worldwide on edge.

Flipping the switch

In 2017, cybersecurity professionals were expecting a large-scale attack. They didn’t have the specifics; instead, they knew that rapidly-evolving enterprise network landscapes were the ideal frameworks for hackers to exploit organizations. But while they were expecting a security storm, they weren’t expecting a complete cyber catastrophe.

Thankfully, security researcher Marcus Hutchins discovered a “kill switch” in the WannaCry code. Before encrypting any data, the malware attempted a connection to a specific URL that didn’t exist:

If WannaCry failed to connect, it proceeded with encryption. If the connection was successful, it stopped. In theory, this hard-coded URL existed to stop security researchers from putting the malware in a sandbox and watching it connect to common URLs. In practice, Hutchins used this function to blunt the spread of WannaCry by registering the fake URL and making it active.

This kill switch helped stop the ransomworm’s spread. When it comes to WannaCry, however, the tears aren’t over yet.

(Wanna)Cry me a river

While the bulk of WannaCry’s damage occurred in the weeks after the May 2017 attack, cyber criminals didn’t simply move on. Instead, they took their time developing new versions without easy-to-find kill switch components and then leveraged these attacks against systems that still contained the SMB flaw.

The numbers tell the tale. From January to March 2021, WannaCry attacks increased by 53%. Despite the ongoing risks, however, many security experts agree that flaws in the attack itself led to its downfall. They also say that business and government agencies haven’t done enough to prevent a resurgence of similar attacks.

The result? WannaCry left a triple legacy in the wake of its original attack.

We’re all in this together

As noted above, the WannaCry malware itself wasn’t well-built or particularly innovative. Even the URL designed to prevent security teams from digging into the details did hackers more harm than good since they apparently didn’t consider that someone might simply register their fake URL and frustrate their efforts.

Where WannaCry did make an impact, however, was in the realization that companies weren’t islands when it came to security threats. The rapid uptake of sprawling cloud networks and connected devices provided the ideal path for ransomworm duplication, in turn paving the way for a more collegial defensive response that prioritized threat sharing over keeping security details close to the chest for fear of industry pushback.

The more things change…

The WannaCry attack also left its mark on cybersecurity by highlighting that no matter how far-reaching an attack — or how adaptable its code is over time — meaningful change is hard to implement.

Consider automatic patch application. Microsoft developed a patch for its SMB vulnerability ASAP after WannaCry began spreading. But five years later, there are still companies that haven’t updated their software to prevent this vulnerability.

Bad code, worse results

Analysis of WannaCry revealed that it was poorly built and not particularly innovative. It was bad code, but all it took was breaching a few network systems to create devastating results. The outcome was a revelatory recognition that it’s not how you code an attack; it’s how you use it.

In other words, it doesn’t matter what type of security controls are in place if attackers can bypass key systems. Even poorly made and poorly executed code can spread across networks and between companies, causing thousands of devices to fail. Put simply, the function rather than the form made this ransomworm so worrisome.

Bottom line? WannaCry changed the course of cybersecurity by demonstrating the inherent vulnerability of interconnected systems. And while it highlighted the need for better communication and data sharing across industries and operations, its short-lived rampage left some companies overconfident about their ability to handle emerging threats.

Ultimately, WannaCry remains active, a reminder that even “old” security threats never die — they’re simply less prevalent.

More from Risk Management

Remote access risks on the rise with CVE-2024-1708 and CVE-2024-1709

4 min read - On February 19, ConnectWise reported two vulnerabilities in its ScreenConnect product, CVE-2024-1708 and 1709. The first is an authentication bypass vulnerability, and the second is a path traversal vulnerability. Both made it possible for attackers to bypass authentication processes and execute remote code.While ConnectWise initially reported that the vulnerabilities had proof-of-concept but hadn’t been spotted in the wild, reports from customers quickly made it clear that hackers were actively exploring both flaws. As a result, the company created patches for…

Researchers develop malicious AI ‘worm’ targeting generative AI systems

2 min read - Researchers have created a new, never-seen-before kind of malware they call the "Morris II" worm, which uses popular AI services to spread itself, infect new systems and steal data. The name references the original Morris computer worm that wreaked havoc on the internet in 1988.The worm demonstrates the potential dangers of AI security threats and creates a new urgency around securing AI models.New worm utilizes adversarial self-replicating promptThe researchers from Cornell Tech, the Israel Institute of Technology and Intuit, used what’s…

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today