Case Study

Happy 4-year Anniversary, WannaCry! Have We Learned Anything?

May 2021

Learn more

Happy 4-year Anniversary, WannaCry!

Have We Learned Anything?

Four years ago on May 12th 2017, “WannaCry” shook the world and caught the cybersecurity community by surprise. This unprecedented attack exploited a “one-day” Windows OS vulnerability named EternalBlue through an exposed SMB port. It spread like a wildfire and within 24 hours over 75,000 computers were found to be infected globally. 

Microsoft promptly released out-of-band security updates for end of life Windows products and urged companies to update their operating systems as fast as possible in order to implement the new patches.

Herein lies the primary culprit for the catastrophic outcome of WannaCry: Companies Do Not Update Their Systems On Time

The patch for the EternalBlue vulnerability was made available by Microsoft in March 2017, but many companies remained unpatched and vulnerable for an extended period of time and a large amount of these networks were exploited by WannaCry ransomware in May of that same year.

As we mark the four year anniversary of this unfortunate cyber event, Kovrr applied the CRA-Zones research methodology. The research divided the attacked companies into distinct and meaningful categories which allowed for review of their general security in 2017 (on the eve of the WannaCry attacks) in comparison to their current security posture. This analysis allowed us to bring to light interesting insights and see which CRA-Zones have learned from the WannaCry experience and improved their defensive capabilities against similar future attacks. The analysis also identified which CRA-Zones remain vulnerable and exposed to the next WannaCry-like event.

Assisted by Bitsight’s proprietary security rating data, we identified approximately 400 companies which were attacked and exploited by WannaCry in 2017 and categorized these companies into 227 CRA-Zones. A statistically representative sample of approximately 4000 companies was created using the same CRA-Zones allowing for the following conclusions to be made:

This graph shows the average security rating for companies in a given CRA-Zone on two dates: the week before the WannaCry attack in May 2017, and the first week of May 2021. The difference between these two ratings is shown on the Y-axis, color coded for convenience: purple for a positive change, and orange for a negative change.

This  comparison shows the CRA-Zones with the highest and lowest security scores in 2017 generally had a negative change in their security score, meaning their current scores are lower than they were at the time of the WannaCry cyber attack. Comparatively, median CRA-Zones were mostly successful in significantly raising their security rating.

A majority of the CRA-Zones (70%) can be said to be better positioned to effectively protect themselves from WannaCry-like events in 2021 than they were four years ago.

Zooming in on the top-5 and bottom-5 CRA-Zones with the most significant change in security rating since 2017 produces the following graph:

The top-5 CRA-Zones with the most significant positive changes are:

  • Medium sized companies within the healthcare industry, located in Massachusetts, United States
  • Extra small sized companies within the hospitality industry, located in California, United States
  • Medium sized food manufacturing companies located in Belarus
  • Medium sized membership organizations, located in New York, United States
  • Large wholesale trade companies in the Philippines 


The bottom-5 CRA-Zones with the most significant negative changes are:

  • Large educational organizations in Oregon, United States
  • Large educational organizations in Mexico
  • Large educational organizations in North Dakota, United States
  • Small telecommunication companies in Brazil
  • Small companies within the business service industry, located in Iowa, United States

Based on this analysis, companies that have not improved their security posture over the last four years are more exposed than ever to WannaCry-like events which could potentially be more damaging and cause greater financial losses than the original WannaCry, due to the progress attackers have made with regards to toolkits, exploits, and methodology.


Conclusion

WannaCry was one of the biggest ransomware attacks in the past few years, both in its global spread and the amount of financial damage it caused. Unfortunately it probably won’t be the last one. Just in the past 2 years, the number of ransomware attacks grew by 62% globally and the trends and methods used by attackers keep improving and evolving. This is why it is crucial for companies to invest in the improvement of their cybersecurity readiness and closely monitor ransomware trends and developments in order to remain ahead of the curve and safe from attacks. The CRA-Zones analysis has shown that some companies have made great strides in improving their security and defenses while others still have a long way to go when it comes to protecting themselves from these types of events. Lessons from WannaCry should be taken to heart - better late than never.

Geniya Brass Gershovich

Cyber Intelligence Analyst

Amos Israel

Risk Data Scientist