Five years of WannaCry: what has changed in ransomware since 2017?

Between May 12th and May 15th, 2017, the world experienced one of the largest cyber attacks to date. The attack was later attributed to North Korea by the United States and several other countries.

Within 24 hours, the WannaCry malware, a self-propagating ransomware cryptoworm, infected over 200,000 systems across 150 countries and eventually caused estimated global damage of 4 billion dollars, mainly from business interruption costs. WannaCry spread using the EternalBlue exploit, which targets the SMBv1 file-sharing service (TCP port 445) on computers running Microsoft Windows.

An interesting and quite controversial aspect of the EternalBlue exploit is that it was developed by the US National Security Agency (NSA) for its own offensive cyber operations. It was stolen and leaked by a group calling itself The Shadow Brokers a month before the WannaCry attack. The same exploit was also used in the NotPetya data-wiper attack a few months later.

Although Microsoft had released the patch for the underlying vulnerability (security bulletin MS17-010, CVE-2017-0144) nearly two months before the attack, a large share of Windows systems worldwide were still unpatched, which is what allowed WannaCry to have such a global impact. Out-of-support versions such as Windows XP and Windows Server 2003 received an emergency patch only after the outbreak had begun.

The impact of the attack

The data on infected computers was encrypted and a ransom note was shown demanding $300 to $600 worth of Bitcoin to decrypt the files. A ransom this small, payable to one of only three hard-coded Bitcoin addresses with no mechanism for the attackers to tell which victim had paid, suggests that their main goal was disruption rather than financial gain.

A few hours after the attack began, British security researcher Marcus Hutchins discovered a kill switch in WannaCry's code. Before doing anything else, the malware attempted an HTTP connection to a specific hard-coded, unregistered domain: if the connection succeeded, the malware exited; only if the domain was unreachable did it go on to encrypt files and spread. Registering that domain did not help already infected computers, but it stopped the spread and gave defenders time to patch. One caveat matters for anyone relying on the kill switch as a safety net: the connection attempt ignored the system's proxy settings, so on networks where hosts could only reach the internet through a proxy the check failed and the ransomware ran regardless.

This did not end the attack, as three variants of WannaCry with distinct kill-switch domains appeared over the next few days. Once researchers around the globe had registered all of them, the attack stopped. A few days later, a further variant appeared with the kill-switch functionality removed altogether. By then most exposed systems had been patched, but even today the WannaCry worm still infects machines that expose unpatched SMBv1, typically because their owners are unaware the service is enabled or have simply not addressed it yet. The check is straightforward: confirm that the MS17-010 update is installed, disable SMBv1 wherever it is not needed, and block TCP port 445 at the network perimeter.
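As an added illustration (example code written for this page, not WannaCry's own code and not any CyberCube tooling), the following Python script applies the two observations above to constructed sample logs. A DNS lookup of the kill-switch domain is itself evidence that a host has run the malware, whatever answer it received, and a single host opening TCP/445 (the SMB port EternalBlue targets) connections to many distinct machines in a short window is the worm's propagation signature. The kill-switch domain name, the log formats and the log contents are all assumptions made for the example.

```python
"""Added example (not from the original article): two hunting checks for the
WannaCry behaviours described above, run over constructed sample logs.
* Kill-switch lookups: a host that queried the kill-switch domain has already
  run the dropper; the answer only decides whether encryption is suppressed.
* SMB worm scanning: one source opening TCP/445 connections to many distinct
  destinations in a short window. Blocked attempts count too, so the firewall
  action is parsed but not filtered on.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Placeholder for the hard-coded kill-switch domain (assumption: in practice
# the real indicator comes from a threat-intel feed, not a constant).
KILLSWITCH_DOMAINS = {"killswitch.example"}

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed resolver log: "<timestamp> <client> <qname> <rcode>".
DNS_LOG = """\
2017-05-12T10:01:03Z 10.0.1.15 killswitch.example NXDOMAIN
2017-05-12T10:01:09Z 10.0.1.22 files.corp.example NOERROR
2017-05-12T13:40:41Z 10.0.2.7 killswitch.example. NOERROR
"""


def parse_dns(log):
    """Yield (timestamp, client, qname, rcode) tuples from the resolver log."""
    for line in log.splitlines():
        ts, client, qname, rcode = line.split()
        yield datetime.strptime(ts, TS_FORMAT), client, qname, rcode


def killswitch_lookups(records, domains=KILLSWITCH_DOMAINS):
    """Map each client that queried a kill-switch domain to its first lookup."""
    first_seen = {}
    for ts, client, qname, _rcode in records:
        if qname.rstrip(".").lower() in domains:
            if client not in first_seen or ts < first_seen[client]:
                first_seen[client] = ts
    return first_seen


def _constructed_firewall_log():
    """Build a constructed firewall log: "<timestamp> <src> <dst> <dport> <action>"."""
    base = datetime(2017, 5, 12, 10, 2, 0)
    lines = []
    # Worm-like host: 25 distinct internal targets on TCP/445 within 25 seconds.
    for i in range(25):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts:{TS_FORMAT}} 10.0.1.15 10.0.3.{i + 1} 445 ALLOW")
    # Ordinary client: repeated connections to a single file server.
    for i in range(8):
        ts = base + timedelta(seconds=5 * i)
        lines.append(f"{ts:{TS_FORMAT}} 10.0.1.22 10.0.0.5 445 ALLOW")
    # Web traffic on another port is irrelevant to the SMB check.
    lines.append(f"{base:{TS_FORMAT}} 10.0.1.22 203.0.113.10 443 ALLOW")
    return "\n".join(lines)


FIREWALL_LOG = _constructed_firewall_log()


def parse_firewall(log):
    """Yield (timestamp, src, dst, dport, action) tuples from the firewall log."""
    for line in log.splitlines():
        ts, src, dst, dport, action = line.split()
        yield datetime.strptime(ts, TS_FORMAT), src, dst, int(dport), action


def smb_scanners(records, window=timedelta(seconds=60), threshold=20):
    """Return {src: peak number of distinct TCP/445 destinations seen inside
    any sliding `window`} for every source whose peak reaches `threshold`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, _action in records:
        if dport == 445:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = deque()       # (ts, dst) pairs inside the sliding window
        hits = defaultdict(int)   # dst -> number of pairs in the window
        peak = 0
        for ts, dst in events:
            in_window.append((ts, dst))
            hits[dst] += 1
            while ts - in_window[0][0] > window:   # evict expired pairs
                _old_ts, old_dst = in_window.popleft()
                hits[old_dst] -= 1
                if hits[old_dst] == 0:
                    del hits[old_dst]
            peak = max(peak, len(hits))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for client, ts in sorted(killswitch_lookups(parse_dns(DNS_LOG)).items()):
        print(f"kill-switch lookup from {client} at {ts:{TS_FORMAT}}")
    for src, peak in sorted(smb_scanners(parse_firewall(FIREWALL_LOG)).items()):
        print(f"SMB scanning from {src}: {peak} distinct targets on TCP/445")
```

The two checks are deliberately independent: on a network where hosts reach the internet only through a proxy, the kill-switch connection never completes, encryption and scanning proceed anyway, and the absence of a lookup proves nothing, so the TCP/445 fan-out check is the one that still fires there. The threshold of 20 distinct targets per minute is an assumption to tune against the file-server traffic of the environment in question.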

Probably the most notable organization that became a victim of WannaCry during its four-day run was the British National Health Service (NHS). Thousands of devices, including computers, MRI scanners, and blood-storage refrigerators, were affected across dozens of NHS facilities. Nissan Motor Manufacturing UK and Renault halted production, and Spain's Telefonica, FedEx, and Deutsche Bahn were all hit, along with many other organizations worldwide.

How has the cyber security industry changed?

The WannaCry attack was a wake-up call for organizations worldwide to take cyber threats and ransomware seriously. It showed many CEOs that ransomware is neither improbable nor hypothetical but a clear and present danger. Companies immediately began revising their cyber security policies, defenses, and patch management. The primary lesson of WannaCry was that patch management is of utmost importance: with better patching practices and policies, much of the loss could have been avoided.

It also made organizations focus on cyber resilience, that is, on maintaining business operations even in the face of an active cyber attack. To support cyber resilience, companies started adopting better data backup and recovery solutions, redundant hosting, and other defensive technologies.

Unfortunately, even five years later, too many organizations still implement cyber security as an afterthought rather than a core aspect of their business.

How ransomware affects infrastructure

The WannaCry attack also showed that cyber-attacks could have real physical impacts when we consider critical infrastructures such as energy generation and transmission, manufacturing, agriculture, transportation, banking and financial institutions, and healthcare.

The NHS experienced that firsthand when it had to shut down many systems and divert ambulances, leaving many patients without proper care. Since then, many governments have begun treating large ransomware attacks as national security issues comparable to terrorist attacks.

Additionally, many countries have passed laws mandating that companies report substantial cyber incidents and ransomware payments to the government agencies responsible for national cyber security. In the United States, for example, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 requires covered entities to report substantial incidents to CISA within 72 hours and ransom payments within 24 hours once its implementing rules are in force. This further reinforces that ransomware and cyber attacks have become something both private companies and governments must pay attention to.

How has the threat landscape changed?

The WannaCry attack also served as a call to action for threat actors, showing how simple yet effective ransomware can be. Over the last five years, ransomware has become the most prevalent and profitable form of cyber attack. WannaCry showed criminals that they could reuse nation-state-level tools and exploits, whereas before they had mostly relied on handcrafted tooling. Many aspects of ransomware are now different compared to WannaCry, however. Here are the most notable ones:

1. WannaCry was amazingly simple ransomware

It used a single exploit to get onto a system (EternalBlue, which installed the DoublePulsar backdoor to load the payload), checked the kill-switch domain, encrypted files, and scanned for the next system. Modern ransomware operations are far more involved: initial access typically comes from phishing, stolen credentials, or exposed remote-access services rather than a single exploit; human operators then escalate privileges and move laterally; and the payload uses evasion techniques, such as disabling security tooling and deleting backups, to avoid detection before it runs.

2. Attacks are now much more targeted.

Previously, ransomware attacks were effectively "spray and pray": thousands of phishing emails were sent to many organizations in the hope that at least one recipient got infected. Modern ransomware attacks are much more precise. Attackers research their target, invest significant resources in infiltrating the company's network, and stay undetected for days or even months, moving laterally through systems in search of the point of attack with the highest chance of a payout.

3. Threat actors look for various ways to increase their payday by turning to various extortion and harassment tactics.

In addition to encrypting the company's most valuable data, they also steal it and threaten to publish it. This is commonly referred to as double extortion. Furthermore, attackers may harass the company's clients and shareholders, launch Distributed Denial of Service (DDoS) attacks against it, and apply other pressure tactics to make the company pay the ransom.

4. Ransomware threat actors became much more organized.

Today's most prolific ransomware groups look more like IT enterprises, with separate divisions for each step of the attack (initial access, intrusion, negotiation, infrastructure) and something resembling regular employment. Many operate a ransomware-as-a-service model, in which the core group develops and maintains the malware and the leak site while affiliates carry out intrusions for a share of the ransom.

An interesting example of how closely ransomware gangs resemble IT companies is the bug bounty program the LockBit gang announced at the end of June 2022 for its latest ransomware platform, LockBit 3.0, which parallels legitimate software vendors' use of bug bounty programs to find bugs in their products.

5. The major rise in the popularity and variety of cryptocurrencies.

The decentralized and pseudonymous nature of cryptocurrencies such as Bitcoin, the currency used in the WannaCry attack, attracted many cybercriminals. Over the last five years, cryptocurrency has become the go-to method for ransom payments because it is easy to move internationally. It is not, however, untraceable: Bitcoin's ledger is public, and blockchain analysis firms and law enforcement have repeatedly followed ransom payments through it, which is why some groups now demand privacy-focused coins such as Monero instead. In response, many have called for stricter rules and policing of digital finance and cryptocurrencies.

6. The ransom amounts are increasing.

Even though financial gain was not the main goal of WannaCry, it is worth noting that ransom amounts have increased immensely over the last five years. Where WannaCry demanded only $300-$600, industry estimates put the average ransom payment in 2022 close to $1 million.

Cyber security hygiene can’t be ignored

Overall, the WannaCry attack seriously affected the cyber security industry and shaped the ransomware threat landscape in a significant way. It made people realize that good cyber security is imperative for a company’s success and made ransomware a matter of national security.

WannaCry also brought ransomware into the discussion of cyber risk aggregation. Today, leading (re)insurers use portfolio loss modeling solutions, such as CyberCube's Portfolio Manager, that can account for realistic aggregation risk from systemic ransomware events like WannaCry. Find out more in our blog about how such a solution helps create a forward-looking view of risk, allowing (re)insurers to make profitable portfolio management decisions.
