The cybersecurity world is still feeling the effects of the 2017 WannaCry ransomware attack today. While the majority of the damage occurred in the weeks after May 12, 2017, WannaCry ransomware attacks actually increased 53% from January 2021 to March 2021.

While researching my in-depth article WannaCry: How the Widespread Ransomware Changed Cybersecurity, I learned that WannaCry attacks are still found today. Even so, I was surprised that it is still such an active issue. So, what has happened since then? What are these attackers doing today? How have organizations responded to these threats? And will an attack like this happen again?

I was also more than a bit concerned to learn that the largest ransomware attack since WannaCry hit over the recent Fourth of July holiday, making it even more important that the cybersecurity industry continue to learn from past attacks.

Putting the Impact in Perspective

So, how has the WannaCry virus affected cybersecurity broadly? Many changes had already happened before I wrote my article last year. But I had a hunch that even more had evolved after the increase in ransomware and the pandemic.

I knew from covering the attack live that the primary goal of the WannaCry ransomware was destruction, not financial gain. The ransom demand was only $300. But I was still surprised to learn how far the amount was from the average ransomware payment in 2020, which Emsisoft and ID Ransomware reported to be $154,000. This discrepancy points to the fact that those attackers were really after chaos and panic.

However, the monetary damages went much further than the ransom itself. Symantec estimated the WannaCry recovery cost at nearly $4 billion, very close to the nearly $4.9 billion in ransomware costs for all incidents in 2020.

WannaCry Attackers Indicted

According to the U.S. Department of Justice, three North Korean computer programmers were indicted by a grand jury on February 17, 2021 for their role in creating and distributing the WannaCry ransomware.

Meanwhile, the 22-year-old who discovered the WannaCry kill switch is also still in the media. Marcus Hutchins likely saved companies billions of dollars in damages — not to mention continued disruption. The 2020 Wired article The Confessions of Marcus Hutchins, the Hacker Who Saved the Internet details how, before stopping WannaCry, he was involved in the creation and distribution of the Kronos banking Trojan and UPAS Kit malware. The judge’s decision to let him go is intriguing; the judge felt the cybersecurity industry needed people with Hutchins’ skills to stop threat actors. One can spend a long time pondering the very short distance between good and evil in the cybersecurity world.

Lessons Learned From WannaCry

The bottom line for organizations in the aftermath is that installing software patches in a timely manner is essential. Organizations that still haven’t patched the EternalBlue issue are at risk of falling victim to more attacks.

As a cybersecurity writer, I often feel that most of my advice comes back to basics. I advise organizations to use strong passwords, train employees to avoid phishing scams and install software updates. After all, most attacks and issues come back to one of these or other basic guidelines. Zero trust approaches and AI cybersecurity tools are quickly becoming industry standards. However, these institutional precautions don’t remove all risk. Every single person who uses your data, applications and network still needs to follow basic cybersecurity hygiene.

Another major change after WannaCry came from the U.K.’s National Health Service (NHS), which suffered serious disruption and damage in the attack. It formed the Cyber Security Programme to lead the effort to make improvements specifically based on what happened.

Its top priorities include managing risk by communicating with NHS Trusts about vulnerabilities and completing critical cyber alerts. ZDNet detailed other changes, including patch assistance for NHS Trusts and evaluating and installing new backup systems when necessary.

Moving Forward

Could we ever totally rid the world of ransomware so days like May 12, 2017 never happen again? The Washington Post asked whether an approach similar to Operation Warp Speed — the U.S. initiative to churn out COVID-19 vaccines fast — could work for inoculating against computer viruses. Their conclusion: this approach won’t work on a widespread basis. There are just too many targets and too much money on the line for attackers.

That leaves us with three options for ransomware: defend, defund and deter. In the end, ransomware is an evil we must learn to live with and manage.

It all came down to one big question. How likely is it that an attack on the scale of WannaCry ransomware will happen again? The best answer I’ve been able to articulate is that it’s possible — and maybe even probable. Only by returning to cybersecurity basics every single time, especially patches, can we work on defending against and deterring ransomware attacks.
