WannaCry ransomware crisis, one year on: Are we ready for the next global cyber attack?

WannaCry caused chaos across the world. But have its lessons been learned?
Written by Danny Palmer, Senior Writer

It's been a year since the gigantic WannaCry ransomware cyber attack caused chaos across the world, hitting more than 230,000 computers in total.

The hard-drive encrypting malware spread so fast because the group behind it had combined normal malware with EternalBlue, a leaked NSA hacking tool which allowed WannaCry to use worm-like capabilities to self-propagate on vulnerable Windows systems.

While there was some initial speculation that WannaCry was spread in an email spam campaign, the ransomware didn't in fact require any user interaction at all. Combining EternalBlue and another leaked exploit in the form of DoublePulsar, the worm looked for vulnerable public-facing SMB ports it could establish a connection to.

Once these were located, the leaked SMB exploits were harnessed to not only deploy WannaCry on that particular system, but to spread to all other vulnerable machines on the connected network. In essence, even just one open, vulnerable SMB port could lead to a whole network being infected by the ransomware.

Spanish mobile operator Telefónica was one of the first major organisations to report problems caused by WannaCry, while by the afternoon of the 12th May, the UK's NHS was reporting problems, with systems down at hospitals and doctor's surgeries across the country, forcing the cancellation of thousands of appointments and ambulances to be rerouted. It led to the first meeting of the UK government's emergency COBRA committee because of a cyber attack.

French car manufacturer Renault and German railway firm Deutsche Bahn were other high profile victims in Europe, while Russian government ministries and companies were also hit, with FedEx another major victim.

The ransom note told victims their files were encrypted and their documents, photos, videos and databases were 'no longer accessible' and that 'nobody can recover your files without our decryption service'.

The attackers demanded $300 of bitcoin to be sent to a specific address and threatened to double the ransom if it wasn't paid within three days. If the victim didn't pay within a week, they were threatened with their files being permanently deleted.


WannaCry ransom note.

Image: Cisco Talos

Cyber-security researchers always warn users not to pay a ransom to criminals, and when it came to WannaCry that advice was no different - especially as researchers discovered that even if victims did pay, the sloppy coding behind the ransomware meant it couldn't associate payments with specific victims, so didn't send out a decryption key. That is if the decryption key worked at all, which researchers concluded it didn't.

In addition to this, while many ransomware schemes pride themselves on offering 'customer support' to 'help' the victim through the payment process, WannaCry didn't offer any of that.

In the end, just 338 victims paid the ransom demand, with the funds laying untouched for three months after the attack. However, those behind the attack cashed out in August - making off with about $140,000.

As the hard-drive scrambling malware spread, cyber security researchers around the world quickly tried to get to the bottom of what was going on.

Among them was Darien Huss, senior security research engineer at Proofpoint.

Huss was tasked with attempting to reverse engineer a sample of the code - while he was at his parents for Mother's Day.

"All my cousin's were running around, while I was sitting at my grandmother's dining room table," he told ZDNet. He quickly made an important discovery.

"The kill switch was in the very first lines of code, so I noticed it immediately and started playing around - if this domain is registered will it stop its activity?" he said.

Indiana Huss shared his findings with Marcus Hutchins -- AKA MalwareTech -- a British cyber-security researcher who took a chance and registered the at-the-time unregistered domain of the kill switch, which redirected the WannaCry requests into a sinkhole server.

That meant that even if the infection hit machines, the attack was useless and unable to perform encryption or carry out any tasks - the research work had rendered WannaCry useless.

See also: Ransomware: An executive guide to one of the biggest menaces on the web

The assault had been stopped: but by then much of the damage had been done.

The UK's National Cyber Security Centre later described WannaCry outbreak as the biggest challenge of the year.

By December, the UK, the United States, Canada Australia, New Zealand and Canada came to the conclusion that the attack had been the work of North Korea, although the regime denies responsibility.

The high profile nature of the incident arguably brought cyber security -- particularly ransomware -- into focus for the wider, general public.

"Wannacry raised awareness for the phenomenon of ransomware in general. The financial sector was already familiar with this but other sectors were less aware. Because of all the attention Wannacry got last year, this has changed. Although we do still believe that prevention efforts need to be continued," a Europol spokesperson told ZDNet.

But a year on, have lessons been properly learned, or despite the hype around the attack, have people just forgotten about security again?

Two months prior to the outbreak, Microsoft released a patch to protect systems from EternalBlue and other exploits released by the Shadow Brokers hacking group, but it became evident that many organisations hadn't applied it.

"For organisations, I do think that many of them have learned about patching and security, but not enough," Maya Horowitz, threat intelligence group manager at Check Point told ZDNet.

"There's still room for improvement when it comes to less technically interesting challenges like patch management and visibility into critical assets and infrastructure to ensure everything is protected, patched and updated whenever a patch is available from major vendors," Jens Monrad, principal intelligence analyst at FireEye told ZDNet.

If organisations had followed basic security advice and patched their systems in April, "a lot of the initial compromise could've been limited," Monrad said. But despite the impact of WannaCry, he too believes there's still work to be done on bolstering systems against major attacks.

"We're still not where I feel comfortable saying there have been a lot of lessons learned and companies are following the right procedures," he said.

Straight after WannaCry there was chance to prove that the lessons had been learned as June saw the NotPetya attack exploit EternalBlue once again. Many organisations felt the force of the attack.

But despite the damage done by NotPetya, Huss believes that if it hadn't been for WannaCry and some organisations realising the threat posed by cyber attacks -- and therefore bolstering their defences -- NotPetya could've been much worse.

"NotPetya was a huge incident in terms of cost of money for Maersk and other companies. The question for me is, if WannaCry hadn't happened, how much worse could've been the damage of NotPetya?" he said.

"I really think WannaCry opened a lot of organisations eyes to something as simple as patching, how important it can be," he added.

See also: This is how it feels to face a major cyber attack

One organisation which says it has learned from the WannaCry experience is the NHS. In the year since WannaCry, it announced a number of schemes designed to improve cyber security and resilience throughout the organisation.

There are plans for a new cyber-security centre to toughen its defences and protect hospitals against cyber attacks - particularly when it comes to following best practices, so something like poor patch management can't occur again.

The organisation has also set a date for upgrading all the systems to Windows 10, with security one of the primary reasons for the move.

"What WannaCry was, was a shot across our bows," said Dan Taylor, head of security at NHS Digital, speaking at a recent security conference. "But it was not the be-all-and-end-all incident for health care - that day will come, something new will happen, there will be another WannaCry. It will be different to what it was in May last year."

Taylor said prior to WannaCry, response plans had not been fully tested and that there were mistakes in communication but the organisation will be better braced for any future attacks.

"The thing we've done since that is test and test and test again, so if it does happen, hopefully we'll be in a much better position," he said.

However, there are still plenty of organisations which, over a year on from the release of the patch, still haven't applied it. That's despite the initial impact of WannaCry, and stories of new infections.

Australian speed cameras and LG in South Korea were among those which fell victim to WannaCry in the months following the initial attack and twelve months on from the release of the EternalBlue patch, aerospace giant Boeing was hit by WannaCry.

While many consider patching systems to be time consuming and disruptive, organisations who fail to update their network in this way are leaving themselves open to attack from cyber attacks - and not just WannaCry.

For Horowitz, one way to ensure that patches are applied to systems -- thus helping to protect against destructive cyber attacks -- is to make them less intrusive, enabling them to work automatically in the background if possible.

"There needs to be more responsibilities from vendors on security and automating," she said, pointing to Google Chrome as an example of this working successfully.

"We don't even know it's being updated with security patches. But it's helpful that when they learn about vulnerabilities they fix it for everyone, we don't need to click anything or restart anything.

"More and more vendors should move onto automatic patching, it'd be super beneficial especially with IoT devices," Horowitz added.

WannaCry was by far the most high profile ransomware attack of last year - and while the likes of Locky, Cerber and SamSam continued to find success in the second half of 2017, the file-encrypting malware appears to have fallen out of fashion.

See also: Defending against cyberwar: How the cybersecurity elite are working to prevent a digital apocalypse

Nonetheless, threats still loom. WannaCry itself may look as if it is a thing of the past, but attackers are still exploiting the EternalBlue vulnerability and using it in various forms of malware. Researchers at ESET even say EternalBlue itself is more popular now than it was during the WannaCry outbreak.

But while ransomware is in your face and obviously, malicious cryptocyrrency mining is secretive, the average user isn't going to think much about their computer fans working harder or that the reason more power is being used is because attackers are subtly harnessing the power of their system for illicit profit.

Indeed, the growth of cryptocurrency mining has boomed over the last year and EternalBlue is playing a large role in spreading it.

But that doesn't mean the threat of more damaging cyber attacks has gone away, especially when leaked government tools are now in the hands of cyber criminals - and nation-states who weren't meant to have access to them.

"I would be surprised if this is the last sort of incident we see with these disruptive attacks. Because it is a tool which seems to be highly powerful and also very impactful," said Monrad.

"And since there's little risk of repercussions for the states doing this, it makes sense for them to follow that path rather than doing something that might cause sanctions or a physical response.

WannaCry, he suggests, could potentially provide an excellent case study for nation-states on how to carry out a global cyber attack.

"My fear is some of these nations aspiring to become the next cyber superpower, they're looking into how successful campaigns like WannaCry have been and may be inspired to carry out their operations," he said.

While organisations can bolster security and patch systems, that isn't going to stop cyber attackers attempting to carry out a wide-scale destructive campaign. For Horowitz, the biggest takeaway from WannaCry is therefore that everyone is a potential target for attacks.

"The greatest lesson there is that each and every one of us is a target for cyber tools and weapons developed by nation-states," she said.

"So while we tend to think that hackers will only go for the big fish, that's not true because we all have something that we care for on our systems, so ransomware, a wiper, a banking trojan, they have something for the hacker on each personal computer."

There is a silver lining to this - in some circles, WannaCry has improved awareness about the threats posed by hacking and cyber attacks and that action needs to be taken in order to protect against them. However, for some, taking direct action still isn't quite on the agenda - yet.

"From understanding to implementing, that's another step, but we'll get there," said Horowitz.


Editorial standards