Two Years Since the WannaCry Cyberattack: What the Industry Has Learned (and What it Hasn’t)
Two years ago, the world was paralyzed for several days, and news announcers introduced a new term to the public that many had never heard before: ransomware. The WannaCry cyberattack was the first genuinely global mass ransomware attack, and it skyrocketed the idea into the public consciousness.
Two years later, have businesses and governments learned the lessons of WannaCry?
The WannaCry Attack – Why It’s Important
The peak of the WannaCry attack lasted from May 12th to the 15th of 2017, starting early in the morning in Asia and continuing around the world. The malicious software spread like a disease from system to system, between and inside networks, and ultimately infected half a million computers. Infected users were informed that their computers had been locked, that their data had been encrypted, and that the only way to restore access was to send hundreds of dollars’ worth of Bitcoin to a specific cryptocurrency wallet.
The WannaCry cyberattack was spread via a combination of two tools initially developed by the National Security Agency (NSA) – the EternalBlue exploit, which took advantage of a hole in Microsoft Windows’ Server Message Block protocol, and the DoublePulsar kernel-level backdoor software.
WannaCry infected half a million computers across more than 150 countries, and some upper estimates put the financial cost of the hack at US$4 billion. Major organizations like the United Kingdom’s NHS, Renault, Nissan, and FedEx slowed or ceased operations entirely to halt the worm’s further spread. The impact could have been even worse if not for cybersecurity researchers discovering a kill switch built into the software, allowing the worm to be shut down early.
High-profile cyberattacks like WannaCry are devastating, of course, but they also represent a critical opportunity for experts in the cybersecurity field: They’re perhaps our best chance to convince people outside the field that they should care about, and invest resources into, IT security. However, once the attack has been resolved, it can be difficult to muster the same level of interest in dealing with these critical issues.
Cybersecurity professionals must seize upon incidents like WannaCry to demonstrate why organizations, governments, and individuals need to prioritize detecting, defeating, and preventing ransomware attacks.
The Landscape After WannaCry
Cybersecurity is still less of a priority than it must be. As previously mentioned, one of the highest profile victims of WannaCry was the UK’s NHS, which had to turn away all non-critical medical incidents, costing them nearly £100m. However, in late 2018, well over a year after the WannaCry attack, the NHS refused to pay a requested £1bn for cybersecurity improvements, despite seeing the damages first-hand.
State-sponsored cybercrime is here to stay. The American and British governments have jointly labeled North Korea as the culprit behind WannaCry, and in late 2018, the US DOJ charged a North Korean man named Park Jin Hyok for several malware attacks, including WannaCry, that he allegedly carried out as part of the state-sponsored Lazarus Group.
Between state actors like China, Russia, and even the United States (see: Stuxnet), geopolitics and conflicts of the future may involve fewer missiles and more computer worms. This is perhaps above any one organization or CISO, but the reality of international cybercrime as a global risk of doing business is something for which businesses and governments must account.
Perimeter security isn’t enough. For many organizations, cybersecurity stops at the (fire)wall – and this alone won’t cut it. After infecting a computer in a network, the worm that propagated WannaCry scanned for computers on the same network, intentionally attempting to spread itself laterally in an organization.
A malicious program or bad actor that has made it past perimeter defenses is challenging to detect. Companies must invest in network security such as Network Threat Analysis (NTA) programs or network threat detection and response to find bad programs already in the system. To do otherwise is the equivalent of building a very nice wall around Fort Knox, but forgetting entirely to staff it with guards.
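As an added example (not code from the article), here is a small Python detector for the lateral-movement pattern described above: one internal host opening SMB (TCP/445) connections to many distinct neighbours within a short window, which is what a worm sweeping its own subnet looks like in flow or firewall logs. The log line format, the 60-second window and the threshold of 10 hosts are assumptions, and the sample records are constructed.

```python
"""Flag internal hosts fanning out over SMB (TCP/445).

Added illustration, not the article's code. The log format, window and
threshold are assumptions; adapt the regex to your own flow/firewall logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse(lines):
    """Yield (timestamp, src, dst, dport) for well-formed lines; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], FMT), m["src"], m["dst"], int(m["dport"])


def smb_fanout_alerts(lines, window=timedelta(seconds=60), threshold=10):
    """Return {src: max distinct hosts} for sources that reached more than
    `threshold` distinct destinations on TCP/445 within any `window`-long span."""
    events = defaultdict(list)  # src -> [(ts, dst), ...]
    for ts, src, dst, dport in parse(lines):
        if dport == 445:
            events[src].append((ts, dst))
    alerts = {}
    for src, recs in events.items():
        recs.sort()  # sliding window over time-ordered records
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1
            distinct = len({d for _, d in recs[start:end + 1]})
            if distinct > threshold:
                alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


def _sample_lines():
    """Constructed records: 10.0.1.15 sweeps its /24 on 445 within seconds,
    while 10.0.1.40 and 10.0.1.41 only talk to the file server 10.0.1.5."""
    base = datetime(2017, 5, 12, 7, 44, 0)
    lines = [f"{(base + timedelta(seconds=i // 5)).strftime(FMT)} src=10.0.1.15 "
             f"dst=10.0.1.{i} dport=445 proto=tcp" for i in range(1, 31) if i != 15]
    for src in ("10.0.1.40", "10.0.1.41"):  # ordinary file-share traffic
        lines += [f"{(base + timedelta(seconds=10 * k)).strftime(FMT)} src={src} "
                  f"dst=10.0.1.5 dport=445 proto=tcp" for k in range(5)]
    lines.append("malformed record that the parser must skip")
    return lines


SAMPLE_LINES = _sample_lines()
```

Running `smb_fanout_alerts(SAMPLE_LINES)` flags only the sweeping host; the two hosts with normal traffic to a single server stay quiet.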
The Lessons of WannaCry
Patch early, and patch often. As every security professional knows, regularly implementing software patches is critically important, but WannaCry was proof positive of what can happen if you’re not fully up to date. Microsoft had, in fact, released a patch for the EternalBlue vulnerability two months before the WannaCry attack, but it had not been fully adopted.
Not all attacks are driven by user error. Early reports during the peak of WannaCry claimed that the program had been spread via an email scam. However, as we have learned, the real culprit was the EternalBlue exploit, which had nothing to do with users opening emails or downloading files that they shouldn’t.
Cybersecurity professionals often stress the importance of user training in fighting cybercrime. This isn’t wrong – malicious actors often exploit inherent human fallibility with, for example, phishing attacks, which are the cause of a massive 93% of data breaches. However, WannaCry showed that major attacks don’t need an employee mistake in order to succeed.
User training is, and should remain, a vital part of any cybersecurity strategy – but this does mean that training your users to recognize things like phishing emails can’t be the sum total of your cybersecurity plan.
The true damage of ransomware isn’t the ransom payments. As mentioned previously, the upper bound of the cost of WannaCry is around US$4 billion, though other estimates put the damages in the hundreds of millions of dollars instead. However, analysts estimate that only $150,000 was ever paid in ransom. The rest of the financial cost came via lost business and necessary upgrades and data recovery – the NHS alone lost £20m through 19,000 canceled appointments and £72m through upgrades.
Indeed, the WannaCry attack demonstrated that paying the ransom is foolish; there’s no guarantee the criminals will release the ransomed files – in the case of WannaCry, analysis has shown that they likely couldn’t do so remotely – and paying the ransom encourages further attacks.
Having an incident response plan isn’t enough. Many organizations have, in theory, an incident response plan that will let them deal with an attack like WannaCry. In practice, these plans may not be well known or may slip out of date. It is essential to drill and test these plans so that they have been rehearsed before a real attack.
About a month after WannaCry, the NotPetya cyberattack similarly exploited EternalBlue. However, it was much more easily managed – perhaps due to the experience gained, and the response-plan testing done, in handling WannaCry.
To date, the WannaCry cyberattack remains the high-water mark for ransomware attacks, in no small part because cybercriminals have since shifted toward crypto-mining malware. However, with cryptocurrency’s future uncertain, cybercriminals may fall back to ransomware. Even if preventing ransomware attacks entirely is difficult, it’s better to be prepared than not.