WannaCry wasn’t a particularly complex or innovative ransomware attack. What made it unique, however, was its rapid spread. Using the EternalBlue exploit, malware could quickly move from device to device, leveraging a flaw in the Microsoft Windows Server Message Block (SMB) protocol.
As a result, when the WannaCry “ransomworm” hit networks in 2017, it expanded to wreak havoc on high-profile systems worldwide.
While the discovery of a “kill switch” in the code blunted the spread of the attack and newly developed patches countered the SMB vulnerability, WannaCry ultimately set the stage for the development of collective defense efforts that focused on information sharing to help limit attack impact.
What vulnerabilities did the attack expose in common security frameworks, and how did it change the course of cybersecurity? Five years later, it’s worth a look back on WannaCry for any worms of wisdom.
Anatomy of a ransomworm
The basic components of WannaCry were simple and familiar. Using a self-contained malware dropper, the WannaCry executable extracted three components after compromising a device: an encryption application, files with encryption keys and a copy of The Onion Router (Tor) for anonymous communication.
What set WannaCry apart, however, was its use of the SMB vulnerability to replicate itself across multiple network-connected devices. This exploit effort — known as EternalBlue — took WannaCry from mildly annoying to massively problematic.
Initially developed by the National Security Agency (NSA), EternalBlue was subsequently stolen by a hacker group known as the Shadow Brokers, who in turn released it publicly on April 8th, 2017. Just over a month later, WannaCry began worming its way through high-profile systems across the globe, including Britain’s National Health Service (NHS).
A Tweet told the tale. Devices across the NHS began displaying the same message: “Ooops, your files have been encrypted!” All told, WannaCry infected 70,000 NHS devices and completely shut down one-third of hospitals. While the ransom demands came in at around $300, almost laughably low compared to current exploit efforts, the scope and scale of the attack had security professionals worldwide on edge.
Flipping the switch
In 2017, cybersecurity professionals were expecting a large-scale attack. They didn’t have the specifics; instead, they knew that rapidly-evolving enterprise network landscapes were the ideal frameworks for hackers to exploit organizations. But while they were expecting a security storm, they weren’t expecting a complete cyber catastrophe.
Thankfully, security researcher Marcus Hutchins discovered a “kill switch” in the WannaCry code. Before encrypting any data, the malware attempted a connection to a specific URL that didn’t exist: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
If WannaCry failed to connect, it proceeded with encryption. If the connection was successful, it stopped. In theory, this hard-coded URL existed to stop security researchers from putting the malware in a sandbox and watching it connect to common URLs. In practice, Hutchins used this function to blunt the spread of WannaCry by registering the fake URL and making it active.
This kill switch helped stop the ransomworm’s spread. When it comes to WannaCry, however, the tears aren’t over yet.
(Wanna)Cry me a river
While the bulk of WannaCry’s damage occurred in the weeks after the May 2017 attack, cyber criminals didn’t simply move on. Instead, they took their time developing new versions without easy-to-find kill switch components and then leveraged these attacks against systems that still contained the SMB flaw.
The numbers tell the tale. From January to March 2021, WannaCry attacks increased by 53%. Despite the ongoing risks, however, many security experts agree that flaws in the attack itself led to its downfall. They also say that business and government agencies haven’t done enough to prevent a resurgence of similar attacks.
The result? WannaCry left a triple legacy in the wake of its original attack.
We’re all in this together
As noted above, the WannaCry malware itself wasn’t well-built or particularly innovative. Even the URL designed to prevent security teams from digging into the details did hackers more harm than good since they apparently didn’t consider that someone might simply register their fake URL and frustrate their efforts.
Where WannaCry did make an impact, however, was in the realization that companies weren’t islands when it came to security threats. The rapid uptake of sprawling cloud networks and connected devices provided the ideal path for ransomworm duplication, in turn paving the way for a more collegial defensive response that prioritized threat sharing over keeping security details close to the chest for fear of industry pushback.
The more things change…
The WannaCry attack also left its mark on cybersecurity by highlighting that no matter how far-reaching an attack — or how adaptable its code is over time — meaningful change is hard to implement.
Consider automatic patch application. Microsoft developed a patch for its SMB vulnerability ASAP after WannaCry began spreading. But five years later, there are still companies that haven’t updated their software to prevent this vulnerability.
Bad code, worse results
Analysis of WannaCry revealed that it was poorly built and not particularly innovative. It was bad code, but all it took was breaching a few network systems to create devastating results. The outcome was a revelatory recognition that it’s not how you code an attack; it’s how you use it.
In other words, it doesn’t matter what type of security controls are in place if attackers can bypass key systems. Even poorly made and poorly executed code can spread across networks and between companies, causing thousands of devices to fail. Put simply, the function rather than the form made this ransomworm so worrisome.
Bottom line? WannaCry changed the course of cybersecurity by demonstrating the inherent vulnerability of interconnected systems. And while it highlighted the need for better communication and data sharing across industries and operations, its short-lived rampage left some companies overconfident about their ability to handle emerging threats.
Ultimately, WannaCry remains active, a reminder that even “old” security threats never die — they’re simply less prevalent.