September 1, 2021 By Jennifer Gregory 3 min read

The cybersecurity world is still feeling the effects of the 2017 WannaCry ransomware attack today. While the majority of the damage occurred in the weeks after May 12, 2017, WannaCry ransomware attacks actually increased 53% from January 2021 to March 2021.

While researching my in-depth article WannaCry: How the Widespread Ransomware Changed Cybersecurity, I learned that WannaCry attacks are still found today. Even so, I was surprised that it is still such an active issue. So, what has happened since then? What are these attackers doing today? How have organizations responded to these threats? And will an attack like this happen again?

I was also more than a bit concerned to learn that the largest ransomware attack since WannaCry hit over the recent Fourth of July holiday, making it even more important that the cybersecurity industry continue to learn from past attacks.

Putting the Impact in Perspective

So, how has the WannaCry virus affected cybersecurity broadly? Many changes had already happened before I wrote my article last year. But I had a hunch that even more had evolved after the increase in ransomware and the pandemic.

I knew from covering the attack live that the primary goal of the WannaCry ransomware was destruction, not financial gain. The ransom demand was only $300. But I was still surprised to learn how far the amount was from the average ransomware payment in 2020, which Emsisoft and ID Ransomware reported to be $154,000. This discrepancy points to the fact that those attackers were really after chaos and panic.

However, the monetary damages went much further than the ransom itself. Symantec estimated the WannaCry recovery cost at nearly $4 billion, very close to the nearly $4.9 billion in ransomware costs for all incidents in 2020.


WannaCry Attackers Indicted

According to the U.S. Department of Justice, three North Korean computer programmers were indicted by a grand jury on February 17, 2021, for their role in creating and distributing the WannaCry ransomware.

Meanwhile, the 22-year-old who discovered the WannaCry kill switch is also still in the media. Marcus Hutchins likely saved companies billions of dollars in damages — not to mention continued disruption. The 2020 Wired article The Confessions of Marcus Hutchins, the Hacker Who Saved the Internet details how before stopping WannaCry he was involved in the creation and distribution of the Kronos banking Trojan and UPAS Kit malware. The judge’s decision to let him go is intriguing; the judge felt the cybersecurity industry needed people with Hutchins’ skills to stop threat actors. One can spend a long time pondering the very short distance between good and evil in the cybersecurity world.

Lessons Learned From WannaCry

The bottom line for organizations in the aftermath is that installing software patches in a timely manner is essential. Organizations that still haven’t patched the EternalBlue issue are at risk of falling victim to more attacks.

As a cybersecurity writer, I often feel that most of my advice comes back to basics. I advise organizations to use strong passwords, train employees to avoid phishing scams and install software updates. After all, most attacks and issues come back to one of these or other basic guidelines. A zero trust approach and AI cybersecurity tools are quickly becoming industry standards. However, these institutional precautions don’t remove all risk. Every single person who uses your data, applications and network still needs to follow basic cybersecurity hygiene.

Another major change after WannaCry was that the U.K.’s National Health Service, which suffered serious disruption and damage from the WannaCry ransomware attack, formed the Cyber Security Programme to lead the effort to make improvements specifically based on what happened.

Its top priorities include managing risk by communicating with NHS Trusts about vulnerabilities and completing critical cyber alerts. ZDNet detailed other changes, including patch assistance for NHS Trusts and evaluating and installing new backup systems when necessary.

Moving Forward

Could we ever totally rid the world of ransomware so days like May 12, 2017 never happen again? The Washington Post asked whether an approach similar to Operation Warp Speed — the U.S. initiative to churn out COVID-19 vaccines fast — could work for inoculating against computer viruses. Their conclusion: this approach won’t work on a widespread basis. There are just too many targets and too much money on the line for attackers.

That leaves us with three options for ransomware: defend, defund and deter. In the end, ransomware is an evil we must learn to live with and manage.

It all came down to one big question. How likely is it that an attack on the scale of WannaCry ransomware will happen again? The best answer I’ve been able to articulate is that it’s possible — and maybe even probable. Only by returning to cybersecurity basics every single time, especially patches, can we work on defending against and deterring ransomware attacks.
