The ransomware attack against Colonial Pipeline has garnered widespread attention, the culmination of years of warnings about potential cyberthreats to critical infrastructure. But the lessons learned from the ransomware attack are far from novel.
The takeaways echo the ransomware spree of four years ago, when WannaCry hit computers on May 12, 2017. The EternalBlue leak and masses of unpatched Windows 7 systems created the perfect storm for the ransomware.
The campaign marked a change in ransomware. While today's ransomware operators carefully choose their victims, WannaCry operated as a worm, spreading itself and its ransom demands autonomously with no operator in the loop.
"I think it was the first time we've ever seen an attack of that magnitude, operating at that kind of speed," said Justin Fier, director of cyber intelligence and analytics at Darktrace.
The malware ripped through more than 200,000 computers worldwide; Sophos credits it as "the first ransomware-worm hybrid." WannaCry also compressed the window between a company's detection and its response from days to hours, much as human-operated ransomware does today.
"The ease at which a criminal organization can break through whatever your perimeter is in today's day and age and get to the goods is far simpler than even I would have thought when I worked in the intel community," said Fier. "It worries me that it's 2021 and those words are even coming out of my mouth to you."
The greatest lesson the industry has taken from WannaCry since 2017 is the importance of patching: blunting major cyberattacks comes down to security basics.
"There are still unpatched systems, beaconing in the darkness and attempting to find victims," Sophos said in a December report. If organizations haven't patched the EternalBlue exploit, Sophos suspects the risks are "far worse" than WannaCry.
"Just ask yourself, 'Are we doing the same thing we were doing as recently as three or four years ago from a security standpoint?' said Fier. "If that's the case, you've been living under a rock."
WannaCry was built on EternalBlue, a stolen NSA exploit for Windows that the Shadow Brokers leaked in April 2017. Aware of the exploit, Microsoft had already released patches (MS17-010) for supported Windows versions in March 2017, two months before WannaCry's outbreak. In May, with WannaCry spreading, Microsoft took the unusual step of releasing patches for Windows XP and Windows Server 2003, which it had stopped supporting in 2014 and 2015, respectively.
Though much of the attention went to those end-of-life systems, 97% of WannaCry infections were on Windows 7, according to Sophos, a version that was still supported and for which a patch had been available for two months.
Mechanics of WannaCry
Marcus Hutchins, the researcher behind MalwareTech, who at the time was living in his parents' home, halted the malware's spread hours into the attack by finding WannaCry's kill switch: a domain the malware tried to reach before running. The domain was unregistered while the malware was spreading; Hutchins registered it and sinkholed it, so new copies of the malware found the domain live and shut themselves down.
WannaCry wasn't perfect, and its kill switch proved it. Security practitioners are still unsure why the kill switch existed.
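To make the kill switch's effect concrete, the following is a simplified model of a worm that checks a domain before doing anything and then spreads over SMB to reachable, unpatched neighbours. It is an added illustration, not code from the article or from WannaCry itself; the network, the host states and the placeholder domain `killswitch.example` are all constructed assumptions.

```python
"""Simplified model of a self-propagating ransomware worm with a kill switch.

Added example, not code from the article or from WannaCry. The network, the
host states and the kill-switch domain below are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass

# Placeholder; the real kill-switch domain is not reproduced here.
KILL_SWITCH_DOMAIN = "killswitch.example"


@dataclass
class Host:
    name: str
    patched: bool         # SMB fix applied: the exploit fails against this host
    smb_reachable: bool   # TCP/445 reachable from peers (not firewalled)
    infected: bool = False


def kill_switch_active(registered_domains):
    """Pre-flight check every copy of the payload runs first: if the domain
    answers, the payload exits without encrypting or scanning."""
    return KILL_SWITCH_DOMAIN in registered_domains


def simulate_outbreak(hosts, links, patient_zero, registered_domains):
    """Breadth-first spread from patient_zero over the SMB adjacency in
    `links`. Returns the names of hosts that were encrypted, in order.
    Patched hosts resist the exploit and hosts with 445 blocked are never
    reached, so neither of them relays the worm further."""
    encrypted = []
    queue = deque([patient_zero])
    seen = {patient_zero}
    while queue:
        name = queue.popleft()
        if kill_switch_active(registered_domains):
            continue  # domain resolves: this copy exits, nothing spreads
        hosts[name].infected = True
        encrypted.append(name)
        for peer in links.get(name, []):
            target = hosts[peer]
            if peer in seen or not target.smb_reachable or target.patched:
                continue  # already handled, port 445 blocked, or exploit fails
            seen.add(peer)
            queue.append(peer)
    return encrypted


def build_network():
    """Constructed sample network: a flat subnet with one patched host, one
    host whose 445 is firewalled, and a host reachable only through those two."""
    hosts = {
        "ws-01": Host("ws-01", patched=False, smb_reachable=True),   # patient zero
        "ws-02": Host("ws-02", patched=False, smb_reachable=True),
        "fs-01": Host("fs-01", patched=False, smb_reachable=True),   # file server
        "ws-03": Host("ws-03", patched=True, smb_reachable=True),
        "ws-04": Host("ws-04", patched=False, smb_reachable=False),  # 445 blocked
        "ws-05": Host("ws-05", patched=False, smb_reachable=True),
    }
    links = {
        "ws-01": ["ws-02", "fs-01", "ws-03"],
        "ws-02": ["ws-04", "fs-01"],
        "fs-01": ["ws-01", "ws-02", "ws-03"],
        "ws-03": ["ws-05"],
        "ws-04": ["ws-05"],
    }
    return hosts, links


if __name__ == "__main__":
    hosts, links = build_network()
    print("no kill switch:", simulate_outbreak(hosts, links, "ws-01", set()))
    hosts, links = build_network()
    print("domain registered:",
          simulate_outbreak(hosts, links, "ws-01", {KILL_SWITCH_DOMAIN}))
```

Two things the model shows that the prose only implies: patching a single relay host (ws-03) also protects everything only reachable through it, and the kill switch only works if the payload can actually reach the domain. The model assumes every host can; in the real outbreak, machines that could only reach the internet through a proxy never saw the registered domain and kept spreading, which is the caveat to keep in mind when relying on any sinkhole-style stop.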
The malware spread by exploiting a vulnerability in Windows' Server Message Block (SMB) protocol, and a second leaked NSA tool, a kernel-level backdoor, was found installed on thousands of WannaCry-infected machines.
Exposing SMB to the internet is rare, according to Brent Johnson, CISO at Bluefin, who was a security consultant at the time of the attack. Companies with static, infrequently updated systems were the ones "that really got whacked."
WannaCry's ransom handling was also abnormal. Even if a victim paid, the payment went to a single shared address rather than one tied to that victim, said Johnson. "Normally a ransomware attack has a unique Bitcoin or Monero address and then you'll get your stuff back."
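Two checks a defender can run over firewall logs for the exposure Johnson describes, added here as an illustration rather than anything from the article or from Bluefin: allowed inbound SMB from a non-RFC 1918 source (SMB exposed to the internet), and one internal host fanning out to many SMB targets, the footprint a worm leaves while it scans for the next victim. The log format and every line in SAMPLE_LOG are constructed for this example.

```python
"""Flag internet-sourced SMB and SMB fan-out in firewall logs.

Added example, not from the article. The key=value log format and the lines
in SAMPLE_LOG are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

# "Internal" is defined explicitly as RFC 1918 rather than via
# ipaddress.is_private, which also treats documentation ranges such as
# 203.0.113.0/24 as private and would hide the sample external source below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: a normal host touching two file servers, one external
# address allowed to 445 (and, harmlessly, 443), one external address denied,
# and one internal host sweeping twenty neighbours on 445 within a minute.
SAMPLE_LOG = [
    "2017-05-12T14:00:01Z src=10.0.1.10 dst=10.0.2.5 dport=445 proto=tcp action=allow",
    "2017-05-12T14:00:03Z src=10.0.1.10 dst=10.0.2.6 dport=445 proto=tcp action=allow",
    "2017-05-12T14:00:05Z src=203.0.113.9 dst=10.0.2.5 dport=445 proto=tcp action=allow",
    "2017-05-12T14:00:06Z src=203.0.113.9 dst=10.0.2.5 dport=443 proto=tcp action=allow",
    "2017-05-12T14:00:07Z src=198.51.100.4 dst=10.0.2.5 dport=445 proto=tcp action=deny",
] + [
    f"2017-05-12T14:01:{i:02d}Z src=10.0.1.25 dst=10.0.2.{i} dport=445 proto=tcp action=allow"
    for i in range(1, 21)
]


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_internet_smb(lines):
    """Allowed TCP/445 connections whose source is outside RFC 1918 space:
    each one is an SMB service reachable from the internet."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["dport"] != 445 or rec["action"] != "allow":
            continue
        if not is_internal(rec["src"]):
            hits.append((rec["src"], rec["dst"]))
    return hits


def find_smb_fanout(lines, threshold=10):
    """Sources that touched at least `threshold` distinct hosts on TCP/445.
    Denied attempts count too: a worm probing blocked ports is still a worm."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] == 445:
            targets[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    print("SMB reachable from the internet:", find_internet_smb(SAMPLE_LOG))
    print("SMB fan-out (possible worm):", find_smb_fanout(SAMPLE_LOG))
```

The fan-out threshold is the tunable: a workstation legitimately talks to a handful of file servers, so ten distinct SMB peers in a short window is already unusual for an endpoint, while a backup or vulnerability-scanning host will exceed it routinely and needs an allow-list. Either finding is worth acting on even on a fully patched estate, since the same fan-out pattern precedes any SMB-borne lateral movement, not just WannaCry.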
The attack reflected a change in motives. The actor behind WannaCry was after a wide path of destruction, not money. WannaCry's ability to self-propagate set it apart from other forms of ransomware; "that doesn't happen very often," said Johnson.
The attack occurred in the midst of the "ransomware era," which Sophos dates from 2013 to the present. Ransomware's growth coincided with the rise of cryptocurrency, creating peak opportunity for funding cybercrime.
"I think that's another factor that kind of led to the explosion of this theme we've been living through," said Fier. Ransomware is still profitable, racking up to about $350 million in bitcoin paid in ransoms in 2020.
WannaCry's ransom demands were a mere $300, significantly shy of the demands industry expects today. In 2020, the average ransom payment was more than $154,000, according to data from Emsisoft and ID Ransomware.
A year after WannaCry, related recovery costs mounted to $4 billion, by Symantec's estimations. By comparison, overall ransomware costs reached nearly $4.9 billion in 2020, according to Emsisoft.