
Analyzing WannaCry a Year After the Ransomware Attack

Many of the organizational problems that were highlighted in WannaCry are still occurring presently, despite their relatively simple solutions.

Kailyn Johnson
August 16, 2018
The cyber-attack known as WannaCry first broke out in May of 2017 and was unprecedented in its scope and impact. It exploited a Microsoft Windows SMB vulnerability that was disclosed in a leak by the cyber threat group the Shadow Brokers, and although Microsoft had released a patch for the vulnerability, many organizations failed to apply it and were left exposed. As a result, organizations around the globe were hit by the ransomware, with WannaCry infecting over 200,000 machines in only a few days. After the initial infection, the malware used that SMB vulnerability to spread within a network.

One year later, researchers still have not established the initial attack vector; there were rumors of phishing emails, but nothing has been confirmed. This vulnerability was especially damaging to organizations because exploiting it required no user interaction, so the malware could spread freely and indiscriminately. Victims found that the malware had encrypted the files on infected machines and were told that the only way to retrieve them was to pay $300 USD. However, as many victims discovered, the malware did not keep track of which machines had paid the ransom. Because of this, the threat actors could not send a decryption key, since they had no way of knowing who had paid and who had not. The attack earned only a small profit relative to the number of machines infected, which led many to believe that it was intended to wreak havoc rather than to make money. Eventually, several western countries identified the attack as a case of cyber espionage.

A recent report by Kailyn Johnson of the Anomali Labs team examines the consequences the attack had on organizations, focusing on the UK's NHS because both the impact of the attack and a subsequent audit were made public. Based on how the NHS handled the attack, and on the recommendations made in the audit, the report applies some of those findings to the wider affected population. Many of the lessons to be learned from WannaCry are rooted in organizational culture and in how companies organize and prioritize the various aspects of security. Among the major lessons identified in the white paper are improved cybersecurity awareness training for all employees, staying informed about the current threat landscape, and better cyber habits in and out of the workplace.

Download the Report: https://www.anomali.com/resources/whitepapers/wannacry-one-year-later?cid=7011Y0000011HsR
Kailyn Johnson

Kailyn Johnson is a former Cyber Threat Intelligence Analyst at Anomali. While at Anomali, Kailyn focused on strategic intelligence and conducted OSINT research and analyses on threat actors, APTs, cyber attack campaigns, and more.
