The cybersecurity world is still feeling the effects of the 2017 WannaCry ransomware attack today. While the majority of the damage occurred in the weeks after May 12, 2017, WannaCry ransomware attacks actually increased 53% from January 2021 to March 2021.

While researching my in-depth article WannaCry: How the Widespread Ransomware Changed Cybersecurity, I learned that WannaCry attacks are still found today. Even so, I was surprised that it is still such an active issue. So, what has happened since then? What are these attackers doing today? How have organizations responded to these threats? And will an attack like this happen again?

I was also more than a bit concerned to learn that the largest ransomware attack since WannaCry hit over the recent Fourth of July holiday, making it even more important that the cybersecurity industry continue to learn from past attacks.

Putting the Impact in Perspective

So, how has the WannaCry virus affected cybersecurity broadly? Many changes had already happened before I wrote my article last year. But I had a hunch that even more had evolved after the increase in ransomware and the pandemic.

I knew from covering the attack live that the primary goal of the WannaCry ransomware was destruction, not financial gain. The ransom demand was only $300. But I was still surprised to learn how far the amount was from the average ransomware payment in 2020, which Emsisoft and ID Ransomware reported to be $154,000. This discrepancy points to the fact that those attackers were really after chaos and panic.

However, the monetary damages went much further than the ransom itself. Symantec estimated the WannaCry recovery cost at nearly $4 billion, very close to the nearly $4.9 billion in ransomware costs for all incidents in 2020.


WannaCry Attackers Indicted

According to the U.S. Department of Justice, three North Korean computer programmers were indicted by a grand jury on February 17, 2021 for their role in creating and distributing the WannaCry ransomware.

Meanwhile, the 22-year-old who discovered the WannaCry kill switch is also still in the media. Marcus Hutchins likely saved companies billions of dollars in damages — not to mention continued disruption. The 2020 Wired article The Confessions of Marcus Hutchins, the Hacker Who Saved the Internet details how, before stopping WannaCry, he was involved in the creation and distribution of the Kronos banking Trojan and UPAS Kit malware. The judge’s decision to let him go is intriguing; the judge felt the cybersecurity industry needed people with Hutchins’ skills to stop threat actors. One can spend a long time pondering the very short distance between good and evil in the cybersecurity world.

Lessons Learned From WannaCry

The bottom line for organizations in the aftermath is that installing software patches in a timely manner is essential. Organizations that still haven’t patched the EternalBlue issue are at risk of becoming victims of more attacks.

As a cybersecurity writer, I often feel that most of my advice comes back to basics. I advise organizations to use strong passwords, train employees to avoid phishing scams and install software updates. After all, most attacks and issues come back to one of these or other basic guidelines. Zero trust approaches and AI cybersecurity tools are quickly becoming industry standards. However, these institutional precautions don’t remove all risk. Every single person who uses your data, applications and network still needs to follow basic cybersecurity hygiene.
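The "patch the EternalBlue issue" advice above has a concrete, checkable form on a Windows host: EternalBlue targets the SMBv1 server, and Microsoft's fix shipped as the MS17-010 security update. The following PowerShell audit is an added example written for this page, not code from the article or from any vendor; it assumes an elevated session on the host being checked, and the list of KB identifiers is an illustrative subset that an administrator must match to the OS builds actually in use.

```powershell
# Added example (not from the original article): audit one Windows host for the
# two conditions that left machines exposed to EternalBlue in 2017 --
# the SMBv1 server protocol still enabled, and the MS17-010 update missing.
# Assumption: run in an elevated PowerShell session on the host being audited.

function Test-Smb1ServerEnabled {
    # Get-SmbServerConfiguration is available on Windows 8 / Server 2012 and later.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -eq $cfg) { return $null }   # $null = could not determine
    return [bool]$cfg.EnableSMB1Protocol
}

function Test-Ms17010HotfixPresent {
    param(
        # Illustrative subset of the MS17-010 KB numbers for Windows 7 / 8.1 /
        # Server 2008 R2 / 2012 / 2012 R2 and the out-of-band legacy update.
        # Extend this list to match the builds in your estate.
        [string[]]$KnownKbs = @('KB4012212','KB4012215','KB4012213','KB4012216',
                                'KB4012214','KB4012217','KB4012598')
    )
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KnownKbs) {
        if ($installed -contains $kb) { return $true }
    }
    # Caveat: on Windows 10 and later the fix is rolled into cumulative updates,
    # so the original KB will not appear here even when the host is patched.
    return $false
}

function Get-EternalBlueExposureReport {
    $smb1    = Test-Smb1ServerEnabled
    $hotfix  = Test-Ms17010HotfixPresent
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OSVersion         = [System.Environment]::OSVersion.Version.ToString()
        Smb1ServerEnabled = $smb1
        Ms17010KbPresent  = $hotfix
        # Only flag "Exposed" when SMBv1 is positively known to be on and no
        # matching KB is present; an unknown SMBv1 state is reported, not scored.
        Exposed           = ($smb1 -eq $true) -and (-not $hotfix)
    }
}

function Disable-Smb1Server {
    # Mitigation: turn off the SMBv1 server side. Supports -WhatIf / -Confirm
    # so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

# Usage: print the audit; remediate only after reviewing the report.
$report = Get-EternalBlueExposureReport
$report | Format-List
if ($report.Exposed) { Disable-Smb1Server -WhatIf }
```

Two points a practitioner should keep in mind when adapting this: the KB check is a hint rather than proof of patch state on cumulative-update platforms, so pair it with build-number verification from your patch management tooling; and disabling SMBv1 can break legacy devices that still depend on it, which is why the remediation is wrapped in a ShouldProcess call and run with -WhatIf by default.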

Another major change after WannaCry was that the U.K.’s National Health Service (NHS), to which the WannaCry ransomware attack caused serious disruption and damage, formed the Cyber Security Programme to lead the effort to make improvements specifically based on what happened.

Its top priorities include managing risk by communicating with NHS Trusts about vulnerabilities and completing critical cyber alerts. ZDNet detailed other changes, including patch assistance for NHS Trusts and evaluating and installing new backup systems when necessary.

Moving Forward

Could we ever totally rid the world of ransomware so days like May 12, 2017 never happen again? The Washington Post asked whether an approach similar to Operation Warp Speed — the U.S. initiative to churn out COVID-19 vaccines fast — could work for inoculating against computer viruses. Their conclusion: this approach won’t work on a widespread basis. There are just too many targets and too much money on the line for attackers.

That leaves us with three options for ransomware: defend, defund and deter. In the end, ransomware is an evil we must learn to live with and manage.

It all came down to one big question. How likely is it that an attack on the scale of WannaCry ransomware will happen again? The best answer I’ve been able to articulate is that it’s possible — and maybe even probable. Only by returning to cybersecurity basics every single time, especially patches, can we work on defending against and deterring ransomware attacks.
