If I had polled cybersecurity experts on their way to work on May 12, 2017, most of them would have said they knew a major cybersecurity event loomed.

Yet, on that day no one expected that they were walking into the perfect storm — in the form of WannaCry ransomware, the most damaging cyberattack to date — when they traveled by car, train or ferry to their respective offices that spring morning.

Our devices, systems and networks are more and more interconnected — meaning viruses can much more easily move between systems than they’d been able to in the past. But without a major event in recent memory, most of us (even a cybersecurity journalist like myself) became a bit complacent. When you combined these factors with the number of active devices and systems, the stage was set.

Breaking Update October 30, 2020

The FBI, CISA and HHS recently released an advisory regarding an “imminent cybercrime threat to U.S. hospitals and healthcare providers.” Watch the webinar, “Protecting Healthcare Organizations from Recent Malware Attacks,” on demand to learn more about how to respond.

WannaCry Destroyed Systems Across the Globe

This ransomware attack was the biggest cybersecurity event the world had ever seen in part because the impact was wider than the outbreak itself. It created huge aftershocks across enterprises, politics, the hacker community and cybersecurity culture.

Even after the kill switch was found, the virus continued to ravage every system and all the data it touched — attacking computer systems of 300 organizations in 150 countries.

Even after the kill switch was found, the virus continued to ravage every system and all the data it touched — attacking computer systems of 300 organizations in 150 countries.

Russia suffered the single highest number of infection attempts of any country worldwide, according to the BBC. Most mission-critical servers were not affected, however, as they ran a Soviet-era software known as Elbrus. However, technical immunity didn’t stop the virus from spreading to computers across the country. It took down endpoints at the interior ministry, railways, banks and the massive Megafon mobile carrier.

Back to top

What Was it Like to Face WannaCry?

Covering WannaCry live left me intrigued and full of questions, even years later. Whenever the attack became a topic of conversation over the past three years, I heard the same theme repeated: WannaCry was overwhelming and changed the way we approach cybersecurity and view risks to businesses.

For me, that sentiment was too broad for an event of this magnitude. I had specific questions. What was it like to be a security professional on May 12, 2017? What was the total impact to businesses and governments around the world? How did what we learned that day shape our current business, technology and cybersecurity landscape?

I also wondered how having the whole world watching the event — through social media and digital news sites — changed both the response and the overall impact. Business leaders and members of the public watched the news coverage, and no one knew exactly what was happening. Nearly everyone agreed it seemed ominous. I was also curious if this added to the public panic or helped solve the issue sooner.

“It’s still big. It’s held up as the thing that organizations weren’t prepared for. It was a really good wakeup call for a lot of companies,” says Tracey Nash, IBM X-Force Incident Command Program manager. Nash counts May 12, 2017, as the moment when organizations learned they needed to consider the business side of cybersecurity risks.

To find out exactly what happened — and, even more importantly, why WannaCry left a crater in the landscape — I talked to key players who responded to the attack. One person I spent many hours talking to was Wendi Whitmore, vice president of IBM X-Force Threat Intelligence. I also spoke with Christopher Scott, director of Security Innovation and Remediation (Office of the CISO) at IBM, to get his perspective on the events of that day and the recovery after the WannaCry attack.

This story chronicles the journey to find out what really happened those chaotic days three years ago and how WannaCry’s impact and legacy lives on today.

Back to top

A Single Tweet Broke the News

Many people — even industry-leading cybersecurity professionals — first learned of the attack from a tweet. A United Kingdom National Health System (NHS) physician was among the first to break the news about the massive attack on Twitter. This was followed by countless colleagues who showed photos of their locked computer screens, all with the same message: “Ooops, your files have been encrypted!”

At the time, NHS employees had no idea the attack would eventually result in 70,000 infected devices and a total shutdown of one-third of all NHS hospitals. WannaCry’s impact on the NHS and other hospitals around the world was proof that cybercrime could wreak havoc in the Internet of medical things (IoMT) age. Thankfully, clinical safety researchers have established definitively that the cryptoworm chaos didn’t result in any patient deaths.

Even those not at their computers knew very quickly something big was happening:

A demand for bitcoin appeared on the digital signage that announced commuter train arrivals and departures in Germany.

That exact wording also popped up on dozens of cinema screens in South Korea.

In Jakarta, Indonesia, hospital patients waited for several hours while doctors switched from computer systems to paper records.

Back to top

Panic Begins Rising

Whitmore, who at the time worked as a global partner and lead for incident response with X-Force Threat Intelligence, says almost as soon as the attack began, her team began scratching their heads and uttering out loud, “This is weird.”

Specifically, Whitmore’s team knew they were facing something different when they discovered it was literally impossible to get infected files released. The ransomware did not provide a way for hackers to know who paid the ransom.

One of her first priorities was getting copies of the malware. She knew you can’t stop something until you know exactly how it works. But getting the copies and breaking it down was hard, especially under the pressure of knowing the world was quickly grinding to a halt.

Back to top

WannaCry Strikes Internet Connected Computers Fast

WannaCry was the fastest-spreading cybercrime attack ever experienced. Unpatched internet-connected computers could fall victim within minutes and quickly begin spreading the worm through a network. Many news stories describe IT teams rushing around trying to contain the damage as their colleagues booted up their work PCs.

When I asked Laurance Dine, global lead at X-Force Threat Intelligence (who at the time worked for a global managed-service provider), his biggest memory of the day, he said it was the phone constantly ringing. Every person on the other end was a panicked customer needing help. He summed up the day as “absolute insanity.”

Very quickly, his entire team — including other security experts who weren’t on the incident response team — found themselves deployed on the front line.

“It was all over everything and felt like everybody was involved. The average citizen knew what was going on with ransomware,” says Dine. “They understood the news and what was happening, and they couldn’t go to hospitals, and people’s lives were impacted by that.”

Throughout the day, incident response workers collectively canceled their plans and buckled up for a long weekend of hard work. Everyone was watching the global businesses stunned in the wake of the WannaCry worm.

Back to top

Network Configuration Aids in Rapid Spread

What none of us knew at the time was that the cryptoworm destroying every system it touched was actually from a two-month-old vulnerability known as EternalBlue. Once the ‘Wanna Decryptor’ managed to infect a single machine on a single network, WannaCry began spreading to other computers on the same network while scanning the internet for other unpatched machines. The vulnerability exploited by EternalBlue left unpatched Windows machines open to infection and spread the WannaCry virus.

Cryptoworms can usually be detected quickly on enterprise networks. But WannaCry stayed under the radar — until it didn’t. Detection is something that many sophisticated threat actors try to avoid at all costs, especially during a highly targeted attack, but WannaCry wasn’t a targeted attack. It was a carefully planned, global attack that was designed to get as much attention as possible, which is exactly what happened.

In a lot of cases, Scott explains, the spread was also enabled by what he calls an “M&M network.” In a case like this, the network structure is hard on the outside and soft on the inside. This was a welcoming interior for threat actors and cryptoworms. He notes once the cryptoworm got past the hard candy shell at the edge of the network, WannaCry found a lot of freedom to move around the environment.

Back to top

Finding the Kill Switch is Only the Beginning of Recovery

Over the next seven hours, the “big slimy worm” wreaked global havoc until cybersecurity researchers Marcus Hutchins and Jamie Hankins discovered a kill switch. Two additional kill switches were discovered, eventually rendering the ransomware strain mostly inert.

But the long remediation process was just starting for 300 organizations worldwide, and none of us realized the extent of the damage and the process to fix it. We were still in unmapped territory, including Scott’s team, who was rushing to apply a fix.

“I need[ed] to bring those environments back up into operational capability,” Scott says. “But how do we go through testing to make sure a fix is OK? How do we go through user acceptance? And, then, how do we move that into production?”

In a lot of cases, Scott’s team had to bypass traditional testing processes and run the risk that rushing would “break a few things.” WannaCry didn’t exactly offer people options, which was one of the big reasons for the mass destruction in its wake.

Back to top

Adding Up the Cost of WannaCry

Most cybersecurity pros know WannaCry was hardly a financial success, and the data on its net profit shows it being much lower than expected. Blockchain records reveal that between May 2017 and December 2019, WannaCry netted attackers a total of around $386,000, although the total fluctuates with the valuation of bitcoin. That’s a paltry $1.08 or less per infected computer.

Compared to much earlier email viruses, strictly in terms of dollars, it was nearly a bargain. Symantec estimated $4 billion in financial losses in 2018 due to WannaCry, a number likely higher today. The Conficker virus caused over $9.1 billion in damages in 2007 and infected millions of computers around the world. In 2004, MyDoom caused around $38 billion in damages and affected some 25% of emails sent over the course of the year.

This cryptoworm was intended to make a lot of noise instead of profit off a single target. The threat actors behind WannaCry specifically leveraged Ukrainian tax accounting software — a software that the government mandated for any organization doing business in Ukraine, according to Dine. By pushing out a software update, the threat actors managed to take down a huge chunk of Ukraine’s national infrastructure along the way.

The vast majority of cybercrime is financially motivated. It’s rare to encounter a ransomware designed to wreak mass havoc with little concern for actual ransoms.

Back to top

Over The Next Year Attacks Became More Targeted

When asked what she thought was the most significant part of WannaCry, Whitmore says everything was significant.

“It was certainly a huge wakeup call,” says Whitmore. “So, for any organization that saw these global conglomerates … who had good security programs and protocols that were impacted [by the virus], it raised awareness.”

“It was certainly a huge wakeup call,” says Whitmore.

More targeted campaigns are more common in the wake of WannaCry, she says. Although the attacks aren’t always against a single client, now threat actors might send out many phishing emails and get access to 10 clients. From there, she sees threat actors spending six to 12 months performing careful reconnaissance on potential targets while avoiding detection inside the network.

Eventually, Whitmore says, they set off ransomware where they know or suspect they’re going to have a better chance of getting paid.

WannaCry is probably at least partially responsible for the current threat vector and the rising popularity of commercial ransomware attacks. Ransomware comprised 39% of all malware incidents with data loss in 2017, according to the 2018 Data Breach Investigations Report (DBIR). Since then, attacks have morphed to become much more sophisticated and costly for victims. Commercial ransomware is also often highly capable of evading detection methods.

Many organizations that were impacted had plentiful data backups, but they weren’t always recoverable. In many cases, the backups were connected to the network and vulnerable to being locked by WannaCry. In other cases, organizations had off-site backups and had not tested them for easy recovery.

The May 2017 crypto-ransomware incident was a turning point for the threat landscape. WannaCry had a positive impact on enterprise cybersecurity culture, but it also skyrocketed ransomware into the consciousness of global threat actors. Many commercial ransomware threat actors now put careful research into the value of a victim’s data if it’s lost or sold to a competitor.

Case in point: Whitmore just saw a ransomware attack against an organization in the past six weeks. “The attackers asked for $25 million for the ransom. This was not a huge company by any means,” says Whitmore.

Back to top

Two Years Later: CEOs Talk About Ransomware

Before WannaCry, most enterprise leaders seemed to have an ‘it can’t happen to us’ attitude, especially outside the healthcare area. Now, when I bring up ransomware, people listen. Enterprise leaders often are the first to bring up ransomware with me and other cybersecurity experts. From my viewpoint, one of the most significant impacts from the trauma and destruction of WannaCry was how enterprise leadership realized ransomware was a meaningful threat.

The event also had a profound impact on cybersecurity’s role within a business and the CISO’s role on the board. Leadership now realizes you could go through a major cyber breach and actually end up better from a reputational perspective.

One logistics brand based in the EU shows how it suffered little reputational damage from WannaCry. The CEO took a public role and spoke directly to the public and clients in the days after the attack. The combination of the cryptoworm and the confident, communicative CEO was a critical first step toward an enterprise cybersecurity culture of shared responsibility.

Back to top

WannaCry Infections Are Still Found in 2020

Countless copycats and aftershocks came after the first WannaCry attack. ESET disclosed in May 2020 that WannaCry accounted for 40.5% of all its ransomware detections in Q1 2020. Some countries are still disproportionately affected by WannaCry aftershocks because major ISPs block the kill switch domains. Some of these lingering infections are due to poor cyber hygiene practices. Other infections persist on nontraditional endpoints that are difficult for many enterprises to detect, let alone manage.

Back to top

What if WannaCry Hit on May 12, 2020?

It’s hard to say whether enterprises would be significantly better prepared for a global cryptoworm attack in 2020 than they were in 2017. However, most experts I spoke with agree the human element of cybersecurity has dramatically evolved, which should give incident response professionals hope.

However, according to ESET, data from the search engine Shodan revealed that almost 1 million devices were still vulnerable and unpatched against the EternalBlue vulnerability as of May 2019. There has been very little variance in that figure since late May 2017, which is deeply concerning.

A recent survey shows 27% of global organizations had attributed a data breach incident to unpatched vulnerabilities. More concerning is a huge percentage have little idea exactly which endpoints on their network are posing risks. Meanwhile, 39% of organizations admit to performing vulnerability scans less than once a month. According to CA Veracode, more than 70% of vulnerabilities remain unpatched after 30 days.

The cost to recover from a highly destructive attack was $239 million, or 61 times more expensive than an average incident involving data loss.

Scott has seen major positive changes in how organizations approach environments and control points to avoid the ‘hard candy shell’ conditions that allowed the worm to spread so quickly. Clients are now thinking about containerization and microservices instead of providing attackers with the kind of soft, gooey network target that was common in 2017 and before. This could be partially linked to WannaCry, but is also likely due to the fact that enterprise network perimeters have shifted.

In today’s networks, it’s not uncommon to come across many servers that may not have access to workstations. Instead, users can access cloud data via agents. The secure cloud adds a bit of complexity to security policies and complicated some workflows, but it has also improved security posture in many respects. Cloud-driven isolation means organizations no longer operate on one big network.

The switch away from yesterday’s candy networks has also impacted user privileges. Scott sees this as a major positive in defending against advanced persistent threats (APTs) and privileged accounts. Most importantly, many organizations are switching to trust-based and need-based models of access instead of designating super users and rearchitecting privileges.

However, three years after the WannaCry worm, the cost of bouncing back from highly targeted ransomware and APTs is at an all-time high. This is incredibly disconcerting. Last year, the average recovery cost for a data breach was $3.92 million, according to 2019 Cost of a Data Breach Report. The cost to recover from a highly destructive attack was $239 million, or 61 times more expensive than an average incident involving data loss.

Back to top

The Tides Have Shifted to Carefully Targeted TTPs

Threat actors are getting bolder and more calculated about demanding exactly the amount of money they think a victim’s data is worth. Commercial ransomware in 2020 isn’t intended to spread virally across networks or target hundreds of thousands of unpatched endpoints. Instead, threat actors target companies that are likely to pay ransoms in the millions.

Threat actors zero in on victims to make sure they invade all the right systems to create an environment of terror, often even getting to the backup servers to try to force their victim’s hand in paying the ransom.

Back to top

Today’s More Collaborative Cybersecurity Culture

Increased collaboration has been one of the most positive impacts in the past three years. WannaCry may have been something of a catalyst for greater collaboration between industries, the public sector and international policymakers.

I spoke with Mike Barcomb, program director at X-Force Incident Command, to get his perspective on the change.

“It’s been the focus of companies to build these [incident response] programs, but also to work along with their peers and other businesses in the industry,” says Barcomb. “They build energy where they can share best practices and threat information about threat actors — things they’ve seen, and things they’ve experienced.

“They build energy where they can share best practices and threat information about threat actors — things they’ve seen, and things they’ve experienced.”

“It’s very encouraging to see companies working together to build up defenses against threats.”

Back to top

Preparing for the Future: WannaCry Showed How Controls Fail

The human element of preparedness is just as important as technological readiness in ensuring proper cyber hygiene, says Kurt Rohrbacher, IBM X-Force Threat Intelligence North American lead. The single best way an organization can be prepared for any global incident is to think about what happens when controls fail, and consider the weight of each decision.

“People don’t often think about [how] the first few hours of an incident can often dictate whether you’re dealing with this for a day, a week, a month or in some cases, a year,” says Rohrbacher. “Identifying the steps you’re going to take very early in an incident will make or break your ultimate response.”

“Identifying the steps you’re going to take very early in an incident will make or break your ultimate response.”

This statement really resonated with me because we often underestimate the impact of stress and panic on our decision making ability. These seemingly small decisions can make the difference between millions of dollars and years of recovery or months.

Back to top

Incentivizing Solid Cybersecurity Work with KPIs

Scott told me it gives him hope to see the beginnings of a shift in key performance indicators (KPIs), which is an area he’s particularly passionate about. He often asks his team “How do we track and really incentivize the people to do the work correctly?”

In the case of SOC analysts, metrics that focus on speed-to-resolution and timeframes can be counterproductive. SOC analysts can get sidetracked if they are operating in an environment too focused on efficiency. They may close out tickets before completing an investigation and miss the bigger picture — like the infiltration point of an attack.

The industry’s cyber hygiene and patching habits may not have measurably improved since May 2017, but most experts agree we would be better prepared today than we were before, even outside of organizations that have already faced ransomware attacks. It’s about a shift in the human element of cybersecurity.

Back to top

Building Confidence to Handle the Unexpected

Rohrbacher chuckles when I ask how companies and cybersecurity professionals prepare for the unexpected. He shrugs his shoulders and says, “Well, there is nothing like the real thing.”

He told me a real incident, such as WannaCry, increases both awareness and preparedness. Beyond that, nearly all the incident response experts I talked to agree that simulation is crucial, just as quarterly tabletop exercises and regular communication tool tests are crucial to building muscle memory.

He pointed to phishing simulations and cyber-range activities as two ways organizations could prepare for unforeseen outcomes. Rohrbacher says if an exercise or drill really draws people into the situation and encourages them to have fun, they are more likely to have their own takeaways for how to respond better.

I am continually struck by the similarity between the current COVID-19 pandemic and the WannaCry attack. The early hours of the attack felt very similar to March 2020 as everyone moved into crisis mode trying to manage a never-before-seen situation. Now, as the pandemic stretches on, the feeling is similar to us still finding WannaCry infections today. The pandemic likely affects most of us on a more personal level. But both crises affected our daily lives in ways no one could have imagined or predicted.

The key lessons from both events boil down to preparedness. Both WannaCry and the pandemic caught everyone off guard. This begs the age-old question of how to prepare for something that has never even come close to happening before.

What comes to most people’s minds when they think of preparedness are strategic plans, simulations, education and using tools, such as backups for recovery. However, these measures only go so far when a novel attack occurs and a plan for exactly what’s happening doesn’t exist. I think it really comes down to taking a new view and approach.

“When you’re in the middle of a crisis, everything except muscle memory goes out the window.”

Something Rohrbacher says keeps coming to mind: “When you’re in the middle of a crisis, everything except muscle memory goes out the window.”

Of course, we need to be able to deploy technology, and create plans and back up recovery options. But we must also focus on creating confidence and muscle memory for every incident response worker.

Confidence isn’t something that happens in a single training session or a box you check off on a Thursday afternoon. It is an underlying shift in culture and processes. Preparedness comes down to empowering individuals to feel confident enough to take charge. You want your team to take a deep breath and say, “OK, I got this,” even when the unexpected happens.

Jasmine Henry contributed to the reporting of this story.