September 1, 2021 By Jennifer Gregory 3 min read

The cybersecurity world is still feeling the effects of the 2017 WannaCry ransomware attack today. While the majority of the damage occurred in the weeks after May 12, 2017, WannaCry ransomware attacks actually increased 53% from January 2021 to March 2021.

While researching my in-depth article WannaCry: How the Widespread Ransomware Changed Cybersecurity, I learned that WannaCry attacks are still found today. Even so, I was surprised that it is still such an active issue. So, what has happened since then? What are these attackers doing today? How have organizations responded to these threats? And will an attack like this happen again?

I was also more than a bit concerned to learn that the largest ransomware attack since WannaCry hit over the recent Fourth of July holiday, making it even more important that the cybersecurity industry continue to learn from past attacks.

Putting the Impact in Perspective

So, how has the WannaCry virus affected cybersecurity broadly? Many changes had already happened before I wrote my article last year. But I had a hunch that even more had evolved after the increase in ransomware and the pandemic.

I knew from covering the attack live that the primary goal of the WannaCry ransomware was destruction, not financial gain. The ransom demand was only $300. But I was still surprised to learn how far the amount was from the average ransomware payment in 2020, which Emsisoft and ID Ransomware reported to be $154,000. This discrepancy points to the fact that those attackers were really after chaos and panic.

However, the monetary damages went much further than the ransom itself. Symantec estimated the WannaCry recovery cost at nearly $4 billion, very close to the nearly $4.9 billion in ransomware costs for all incidents in 2020.

WannaCry Attackers Indicted

According to the U.S. Department of Justice, three North Korean computer programmers were indicted by a grand jury on February 17, 2021, for their role in creating and distributing the WannaCry ransomware.

Meanwhile, the 22-year-old who discovered the WannaCry kill switch is also still in the media. Marcus Hutchins likely saved companies billions of dollars in damages — not to mention continued disruption. The 2020 Wired article The Confessions of Marcus Hutchins, the Hacker Who Saved the Internet details how, before stopping WannaCry, he was involved in the creation and distribution of the Kronos banking Trojan and UPAS Kit malware. The judge’s decision to let him go is intriguing; the judge felt the cybersecurity industry needed people with Hutchins’ skills to stop threat actors. One can spend a long time pondering the very short distance between good and evil in the cybersecurity world.

Lessons Learned From WannaCry

The bottom line for organizations in the aftermath is that installing software patches in a timely manner is essential. Organizations that still haven’t patched the EternalBlue issue are at risk of becoming victims of more attacks.

As a cybersecurity writer, I often feel that most of my advice comes back to basics. I advise organizations to use strong passwords, train employees to avoid phishing scams and install software updates. After all, most attacks and issues come back to one of these or other basic guidelines. Using a zero trust approach and AI cybersecurity tools are quickly becoming industry standards. However, these institutional precautions don’t remove all risk. Every single person who uses your data, applications and network still needs to follow basic cybersecurity hygiene.

Another major change after WannaCry was that the U.K.’s National Health Service (NHS), which suffered serious disruption and damage from the WannaCry ransomware attack, formed the Cyber Security Programme to lead the effort to make improvements specifically based on what happened.

Its top priorities include managing risk by communicating with NHS Trusts about vulnerabilities and completing critical cyber alerts. ZDNet detailed other changes, including patch assistance for NHS Trusts and evaluating and installing new backup systems when necessary.

Moving Forward

Could we ever totally rid the world of ransomware so days like May 12, 2017 never happen again? The Washington Post asked whether an approach similar to Operation Warp Speed — the U.S. initiative to churn out COVID-19 vaccines fast — could work for inoculating against computer viruses. Their conclusion: this approach won’t work on a widespread basis. There are just too many targets and too much money on the line for attackers.

That leaves us with three options for ransomware: defend, defund and deter. In the end, ransomware is an evil we must learn to live with and manage.

It all came down to one big question. How likely is it that an attack on the scale of WannaCry ransomware will happen again? The best answer I’ve been able to articulate is that it’s possible — and maybe even probable. Only by returning to cybersecurity basics every single time, especially patches, can we work on defending against and deterring ransomware attacks.
