Virtualization Technology News and Information
WannaCry Ransomware Attack 5-year Anniversary. Cybersecurity Experts React.


It is May 12th, and today marks the fifth anniversary of the WannaCry ransomware attacks. Five years on, ransomware attacks continue to proliferate and cause widespread societal disruption and loss.

Below, VMblog is sharing insights from a few cybersecurity industry experts.


John Bambenek, Principal Threat Hunter at Netenrich, a San Jose, Calif.-based digital IT and security operations company:

The one thing that sticks out with the anniversary of WannaCry is that despite a land invasion in Ukraine by the Russian Federation, we haven't seen a similar attack by Russia. They have a history of destructive malware attacks and now have the geopolitical impetus to launch them; we just haven't seen it. The era of worms is not over, certainly while our patching significantly lags the exploit development cycle. Log4j, for instance, shows we haven't evolved much on getting systems, especially legacy or embedded/IoT systems, patched and hardened. Since then, ransomware has been top-of-mind for business leaders, but considering the pace of news of companies falling victim to ransomware, I'm not sure much resilience has been increased in the general business community.


Stan Black, CISO at Delinea, a Redwood City, Calif.-based provider of privileged access management (PAM) solutions:

The 2017 WannaCry ransomware attack sent shockwaves globally, impacting hundreds of thousands of computers and devices and leaving billions in damages in its wake. Little did we know then that it was just the start of a rise in more sophisticated, widespread, and detrimental ransomware attacks. Since then, we have seen a steady stream of high-profile ransomware victims, along with a rise in the number of ransomware groups offering ransomware-as-a-service (RaaS).

WannaCry taught all organizations some important lessons. The main one is that no matter how much you spend on your defense mechanisms and protecting your perimeter, you can be exposed from within if your technology and systems are old, outdated, or left unpatched. Poor internal cyber hygiene leaves the door open for malicious actors. 

As we look towards the future, there are several initiatives organizations can implement to limit their exposure to such threats. One is segmentation, essentially putting in place technical guardrails that separate one business function from another. This minimizes the unchallenged propagation of malicious actors and malware. Another best practice is to identify all critical assets, which are most commonly targeted for attacks, and perform frequent incremental backups in the event a system recovery is needed. Strong multi-factor authentication and privileged access controls are also obvious components.

Every user is now a privileged user with access to sensitive systems and data. Organizations should consider a least privilege approach to access, limited to only what is required for the job function or task. While it will not help increase operational readiness, organizations should also always be prepared for the worst-case scenarios with a cyber insurance plan in place to cover any losses.

Ransomware attacks continue to proliferate today. While the U.S. government and other federal agencies around the world work to implement measures to prevent ransomware attacks and prosecute those who partake in such activities, successfully mitigating ransomware attacks requires a host of combined initiatives. This includes implementing security controls founded in least privilege and Zero Trust, the creation of a security first company culture and employee training, robust threat detection and response, collaboration between public and private sectors, and most importantly operating on the mindset that it is not 'if' cybercriminals will attack but when.


Matthew Warner, CTO and Co-Founder at Blumira, an Ann Arbor, Mich.-based provider of automated threat detection and response technology:

Ransomware is a major focus for organizations today, but that wasn't always the case. The WannaCry attack was arguably the first big uncontrolled outbreak of ransomware, and sparked real concern - as well as media buzz - that previous attacks hadn't. WannaCry and its related offshoots such as Petya (and NotPetya the wiper) helped organizations to realize the business impact of ransomware.

The time period around the WannaCry attack was tumultuous for defensive security. Most people remember that WannaCry was the first global shot across the bow for ransomware across the public, but it was not only driven by a leak of NSA hacking tools but also exposed a vulnerability in Windows that had existed since Windows 2000. In mid-2016 a group calling themselves The Shadow Brokers announced that they had stolen a large number of tools from an NSA-linked group called The Equation Group and would be auctioning them off. Over the next six months, The Shadow Brokers collected over 11 bitcoins and released a variety of information in tranches until April 2017, when they released a large number of new tools and exploits that contained ETERNALBLUE, a nation-state created SMB exploit, to the internet as a whole.

The technical impact of WannaCry has also lasted far beyond 2017. While Microsoft had released a patch for ETERNALBLUE in March 2017, many had not patched and WannaCry utilized this exploit in May 2017 with great success. Unpatched MS17-070 can be found in internal networks with legacy applications today.

What WannaCry did was reinforce the need for evaluation of what the attack surface was for organizations. WannaCry was a reminder that exposing SMB to the internet was not necessary and helped ETERNALBLUE spread quickly. Similarly, WannaCry exposed the need for segmentation to prevent worms such as WannaCry from moving laterally across networks.

Most importantly, the need for better IT hygiene, processes to build up security maturity, and the desire to prevent ransomware all require additional budget and buy-in from the organization itself. In 2017 ISC2 estimated that there would be a 1.8 million worker gap by 2022; in 2021 the actual gap reduced from 3.12 to 2.72 million people. The industry, tooling, and need for skilled people have grown quickly across the last 5 years as it has globalized and improved. There is forward motion on security maturity across all sizes of organizations, but as Log4Shell proved in 2021, there is more work to do as we all grow together.


Tim Wade, Deputy CTO at Vectra, a San Jose, Calif.-based AI cybersecurity company:

First, WannaCry was among the first widely publicized recent ransomware events that alerted even non-technical, non-practitioner stakeholders of how dangerous and damaging this threat could become. Second, weaponization of WannaCry could be traced directly back to leaked Nation State toolkits, demonstrating that sophisticated adversarial tradecraft was increasingly becoming commoditized among lower-tier operators. This was something of a wake-up call to security programs that were interested in continuing the status quo, and underscored the need for more proactive security measures - the days of throwing up a firewall and calling that a security program had come and gone.

Ransomware today is perhaps better described as RansomOps, as it's driven primarily by the modern, interactive tactics of human operators rather than the programmatic, semi-guided logic of a wormable payload like WannaCry. This is an important distinction to make because it informs the ways enterprises must defend themselves. In the cases of prior generations of ransomware, the time between infection and ransomware payload delivery was short and the avenue of attack was somewhat predictable, which meant your security controls (often an endpoint capability of some sort) either cleaned up the mess on the spot, or you found out pretty quickly there was a problem. Modern ransomware gangs, however, tend to lurk in the environment for much longer to extract as much value as they can, before finally alerting defenders to the compromise by encrypting or destroying data. This means dwell times of days or weeks before ransomware payloads go down are common - which in turn means that by the time you detect a ransomware payload, it's often far, far too late. The current state of ransomware today, from the standpoint of a modern network defender, is one that focuses on all of the attacker tradecraft that occurs before the ransomware appears, ranging from the detection of command and control signals to identification of misused and abused credentials - it's a race to find and expel the adversary before they establish the persistence necessary to pick apart the enterprise at their leisure.


Ariel Parnes, co-founder and COO, Mitiga, a cloud incident response company:

"In May 2017, the WannaCry ransomware cryptoworm attack targeted computers running Microsoft Windows, encrypting data and demanding ransom payments in Bitcoin. Leveraging the EternalBlue exploit that the National Security Agency developed for older Windows systems, it was effective against organizations that had not implemented patches for the exploits or were still using old Windows systems that were no longer supported by Microsoft. Some estimated that the attack impacted more than 200,000 computers in at least 150 countries, with damage costs ranging from hundreds of millions to billions of dollars.

Five years later, how would the world respond to a massive attack like WannaCry? Are we more ready now to respond to a similar incident? As we know, patching vulnerabilities can be a time-consuming and complex process today too — just look at the number of organizations that have yet to patch Log4Shell four months after it was announced. Not only that but patching alone isn’t enough to stop attackers. They may have already used a vulnerability to gain access to an environment, and too few organizations conduct regular proactive threat hunting.

To ensure that organizations today are prepared for a global cryptoworm like WannaCry, they need to think beyond prevention solutions. While those solutions are a valuable and necessary part of cybersecurity today, they should also adopt an approach that prioritizes readiness and includes automation to accelerate incident investigation and resolution. Without a change in approach to address changing capabilities and attack vectors of threat actors, we are still as vulnerable as we were five years ago."


Ian Farquhar, Field Chief Technology Officer at Gigamon, a leading deep observability company:

"We’re fast approaching the fifth anniversary of WannaCry, which has now become ‘Anti-Ransomware Day’. What is clear in the five years since the devastating worldwide cyberattack is that a significant cultural shift around attitudes to cybersecurity breaches is yet to occur. Instead of fostering industry-wide collaboration and enabling the transparency needed to tackle the complexity of ransomware attacks, the blame culture, with constant finger pointing and criticism from the sidelines, is rife and on the rise. This culture is also undoubtedly accelerating the ‘Great Resignation’, leaving organisations with even larger digital skills gaps and fewer resources to properly secure their infrastructure. Security professionals are at breaking point, with 54% in the U.S. saying they currently want to quit their jobs due to overwhelming amounts of responsibilities and workforce shortages. And with ransomware groups like Lapsus$ typically preying on disgruntled and stressed employees, offering financial incentives to enable intrusion, the industry needs to change fast.

Rather than adding to the blame culture experienced most acutely by Infosec teams and their CISOs (held responsible when ransomware attacks occur), we should be calling for transparency and Zero Trust, which can only be truly achieved through deep observability. In organisations, data moves far and wide and very few organisations can honestly claim that they have a complete handle on where their sensitive data is – for example, BYOD, OT and removable storage devices can all contain sensitive data which may not be protected by the typical EDR solutions. The best way to tackle ransomware and help prevent future attacks on such a large scale as WannaCry is through deep observability, which provides total insight into the ransomware groups’ actions. This same capability will also allow organisations to target the actions of non-ransomware operators: insider threats and nation state actors. It’s a difficult world we are facing right now, but by enabling transparency we can ensure a more secure future."


Published Thursday, May 12, 2022 7:32 AM by David Marshall