WannaCry ransomware: lessons to learn in 2023

It’s been six long years since the WannaCry ransomware worm left the UK’s National Health Service with recovery costs of £92 million and almost 20,000 cancelled appointments. Even more sobering? The NHS was just one of an estimated 300,000 victims across 150 countries.

2017 may seem ancient history in cybersecurity terms, but there are still plenty of lessons to be learned from WannaCry in 2023. Read on to find out what they are, and read our separate article on what ransomware is and how it works.

How WannaCry ransomware worked

When WannaCry first exploded into life on Friday 12 May 2017, there were two prevailing theories. First, this was a targeted attack against the NHS. Second, it used the usual ransomware tactic of a phishing campaign. It quickly became apparent that neither of these assumptions was true.

In fact, WannaCry was a ransomware worm that exploited a vulnerability in Microsoft Windows, specifically in Microsoft’s Server Message Block (SMB) protocol implementation: a vulnerability that Microsoft had already fixed in a patch released two months before the WannaCry attack itself.

The WannaCry exploit

The exploit at the heart of WannaCry? Called EternalBlue, it was developed by the US National Security Agency (NSA). A hacking group calling itself the Shadow Brokers stole the exploit from the Equation Group, associated with the NSA’s Tailored Access Operations (TAO), and then published it.

The WannaCry attack was eventually attributed to a threat actor associated with the North Korean state, called the Lazarus Group.

WannaCry managed to spread devastatingly quickly, as self-replicating ‘worms’ do, thanks to the number of unpatched systems out there. More than 200,000 victims are thought to have been hit within the first 24 hours.

This timeframe proved important because within 24 hours a UK security researcher, Marcus Hutchins, had found a ‘kill switch’ in the form of a gibberish URL within the exploit code. WannaCry only began encrypting files if a connection to the URL couldn’t be made.

This was either to give the attackers themselves a kill switch or, more likely, a way of preventing execution inside sandboxed malware analysis environments, which typically answer any network request so that the check would succeed and the worm would stop. Whatever the reason, Hutchins paid $10 to register the nonsense domain and set up a site for the worm to connect to, so halting the attacks.
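From the defender’s side, the same kill-switch lookup is a useful infection indicator: a host that queries the registered domain has already run the worm and was stopped by it, not left clean. The following Python is an added example (not from the article) that scans constructed DNS resolver logs for such lookups; the domain name, the log format and the log lines are all assumptions.

```python
# Added example (not from the article): flag hosts whose DNS queries show a
# WannaCry-style kill-switch lookup. The domain is a placeholder and the log
# lines are constructed; assumed format: "<ISO ts> <client-ip> query <qname> <rcode>".
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Placeholder; a real deployment would load the current list from a threat-intel feed.
KILL_SWITCH_DOMAINS = {"killswitch-placeholder.example"}

SAMPLE_LOG = """\
2017-05-12T08:01:02Z 10.0.4.17 query www.example.org NOERROR
2017-05-12T08:01:05Z 10.0.4.17 query killswitch-placeholder.example NOERROR
2017-05-12T08:02:11Z 10.0.9.3 query killswitch-placeholder.example NOERROR
2017-05-12T08:02:40Z 10.0.4.17 query killswitch-placeholder.example NOERROR
2017-05-12T08:03:00Z 10.0.2.8 query updates.example.net NOERROR
"""

def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Return (timestamp, client, qname, rcode), or None for non-query lines."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "query":
        return None
    ts, client, _, qname, rcode = parts
    return ts, client, qname.rstrip(".").lower(), rcode

def find_kill_switch_lookups(log_text: str) -> Dict[str, List[str]]:
    """Map each client IP to the timestamps of its kill-switch lookups.

    The worm resolves the domain before it encrypts anything and exits if
    the lookup succeeds, so a host making this query has run the worm and
    was neutralised by the registered domain; it still needs cleaning.
    """
    hits: Dict[str, List[str]] = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec[2] in KILL_SWITCH_DOMAINS:
            hits[rec[1]].append(rec[0])
    return dict(hits)

def triage_order(hits: Dict[str, List[str]]) -> List[str]:
    """Earliest first lookup first: the likeliest initial infection."""
    return sorted(hits, key=lambda host: min(hits[host]))

if __name__ == "__main__":
    found = find_kill_switch_lookups(SAMPLE_LOG)
    for host in triage_order(found):
        print(host, len(found[host]), "lookup(s), first at", min(found[host]))
```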

What can businesses learn from WannaCry, six years on?

Given the amount of time that has passed since WannaCry reared its ugly head, you might be forgiven for thinking it’s old news, and that there’s nothing to be learned from it in 2023. You’d be wrong; very wrong indeed.

Let’s ignore the fact that variations of WannaCry, with the kill switch disabled, are still doing the rounds, looking for unpatched machines to infect. Instead, your focus should be on the use of similar methodologies by ransomware actors and other malicious groups across the threat landscape.

While threats to data continue to evolve, organisations aren’t always equal to the task of building a resilient defensive posture. I don’t think that Sun Tzu mentioned the importance of reflecting on past battles in order to defend against future attackers in The Art of War; but he should have done.

Three security lessons to learn from WannaCry in 2023

Lesson one: Patch management is not optional

WannaCry could not have become a watershed moment in cybersecurity history had organisations already installed the Microsoft patch that fixed the vulnerability it exploited.

Remember, the timeline here is that WannaCry hit almost exactly two months after the patch was made available. While patching for larger enterprises is an altogether more complex beast than for the small business, two months should be plenty of time to test and roll out.

A patch management implementation should take care of updates both at application and operating system level, and do so by prioritising the vulnerabilities that could have the most critical impact upon your business.

Be it by way of a managed service provider or specialist patch management software, WannaCry made the dangers of not taking patching seriously enough all too clear.
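To put the prioritisation point into practice, here is an added example (not from the article) that ranks a constructed asset inventory by how far each open vulnerability is past its patch window, weighting severity, internet exposure and days overdue; the SLA values, the inventory, and the advisory date (taken to be about two months before 12 May 2017, as the article says) are assumptions.

```python
# Added example (not from the article): rank an asset inventory by patch
# exposure, prioritising by severity as the first lesson argues. Inventory,
# SLA values and the advisory date are constructed assumptions.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
SLA_DAYS = {"critical": 14, "high": 30, "medium": 60, "low": 90}  # assumed policy

@dataclass
class Asset:
    host: str
    layer: str                 # "os" or "app": both levels must be covered
    severity: str              # vendor severity of the open vulnerability
    released: date             # when the vendor patch became available
    installed: Optional[date]  # None means still unpatched
    exposure: str              # "internet" or "internal"

def days_unpatched(a: Asset, today: date) -> int:
    end = a.installed if a.installed is not None else today  # days exposed
    return (end - a.released).days

def is_overdue(a: Asset, today: date) -> bool:
    return a.installed is None and days_unpatched(a, today) > SLA_DAYS[a.severity]

def risk_score(a: Asset, today: date) -> int:
    """Higher means patch first: severity, exposure and days past SLA all count."""
    if not is_overdue(a, today):
        return 0
    past_sla = days_unpatched(a, today) - SLA_DAYS[a.severity]
    reach = 2 if a.exposure == "internet" else 1
    return SEVERITY_WEIGHT[a.severity] * reach * (1 + past_sla)

def prioritise(assets: List[Asset], today: date) -> List[str]:
    """Hosts still past their SLA, most urgent first."""
    scored = [(risk_score(a, today), a.host) for a in assets]
    return [h for s, h in sorted(scored, reverse=True) if s > 0]

# Constructed inventory. 12 May 2017 is the date the article gives; the
# advisory date is assumed to be about two months earlier, as it states.
ADVISORY = date(2017, 3, 14)
WORM_DAY = date(2017, 5, 12)
INVENTORY = [
    Asset("file-srv-01", "os", "critical", ADVISORY, None, "internal"),
    Asset("web-01", "os", "critical", ADVISORY, None, "internet"),
    Asset("hr-db-01", "app", "high", ADVISORY, date(2017, 4, 1), "internal"),
    Asset("kiosk-07", "os", "medium", ADVISORY, None, "internal"),
]
```

Running `prioritise(INVENTORY, WORM_DAY)` puts the internet-facing critical host first, then the internal one; the patched application server and the medium-severity kiosk (still inside its 60-day window on that date) score zero.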

Lesson two: Know what you’ve got, where it is, and how to protect it

Another WannaCry truism is that if many of the victim organisations had spent more time and, yes, money, on auditing both their networks and their security controls, the impact of the attack could at the very least have been mitigated.

Knowing what data you hold, and how critical to your business it is, along with where it’s held and how it’s protected is just security 101 common sense. There really can be no excuse for not getting these basics right.

Concentrate on reducing your attack surface. Look at who (machines as well as people) has access to what data, why and when.

Applying the principle of least privilege to data access needs this knowledge, and by implementing it you can restrict how far attackers can move laterally across your networks.

Don’t leave the doors to data open, lock them down and only give the keys to those who really need them.

Lesson three: Have an incident response plan and know how to use it

There’s no doubt that some of the chaos caused by WannaCry could have been avoided if organisations had an incident response plan, and knew how to use it.

Being able to get your business back to some kind of normality, as quickly as possible, while dealing with an ongoing attack isn’t ever going to be easy. But it’s a lot easier if there is a clear plan of action, something that defines who does what, and when, during an attack.

An incident response plan is only as good as those definitions and needs to be both understood and practised. Let’s break that into three simple (if not comprehensive) steps:

  • Know who needs to be contacted and in what order of priority
  • Understand the technical steps that need to be taken
  • Define when business as usual (or close to) can be given the go-ahead
  • And, importantly, who has the named responsibility for performing these duties at every step along the way

This might not be something that can be executed within the organisation, especially for smaller businesses with fewer security staff, but there are plenty of options to outsource to an incident response provider.

Call to action

WannaCry has taught organisations of all sizes that not patching critical vulnerabilities in a timely fashion can have hugely costly implications. Patch management is your friend, be that in-house through specialist software or outsourced to a service provider.

A WannaCry event can, and will, happen again. Organisations that have implemented, and practised, a sturdy incident response plan will have the best outcomes.

Achieving the above requires knowledge: an audit of what data you have, where it is and who can access it is a vital component of any modern cybersecurity strategy.

Davey Winder

With four decades of experience, Davey is one of the UK's most respected cybersecurity writers and a contributing editor to PC Pro magazine. He is also a senior contributor at Forbes. You can find him at TechFinitive covering all things cybersecurity.