The 2017 WannaCry ransomware attack was one of the most widespread computer infections ever, and WannaCry attacks continue today.

Key Points:

  • The WannaCry ransomware epidemic of 2017 disrupted hospitals, banks and communications companies worldwide.
  • Four years later, cybercriminals renewed efforts to deploy WannaCry ransomware during the COVID-19 pandemic.
  • Companies can take steps to prevent infection, with software updates being most important.

Responsible for one of the most notorious worldwide malware infections ever, WannaCry ransomware is still actively used by cyberattackers today. Four years ago this month, it decimated networks around the globe, from entire healthcare systems to banks and national telecommunications companies.

It's still lethal enough to be used now, and there's been an uptick in reports of its appearance during the pandemic. Here's everything you need to know about WannaCry ransomware today — including how to protect your organization from it.

What Is WannaCry Ransomware?

WannaCry ransomware is a crypto ransomware worm that attacks Windows PCs. It’s a form of malware that can spread from PC to PC across networks (hence the "worm" component) and then once on a computer it can encrypt critical files (the "crypto" part). The perpetrators then demand ransom payments to unlock those files. The name was derived from strings of code detected in some of the first samples of the virus.

WannaCry has been called a "study in preventable catastrophes" because two months before it first spread around the world in 2017, Microsoft issued a patch that would have prevented the worm from infecting computers.[1] Unfortunately, hundreds of thousands of systems were not updated in time, and an unknown number of such systems remain vulnerable today.

How Does WannaCry Infect Systems?

WannaCry would just be another also-ran among ransomware attacks if it weren't for its method of infecting computers. A critical vulnerability of Windows systems was discovered and reportedly first exploited by the U.S. National Security Agency. Dubbed EternalBlue, the exploit was eventually shared by a cybercriminal hacking group online in April 2017, and it allowed WannaCry's creators to trick Windows systems into running its code using the Server Message Block protocol.

The way WannaCry spreads is by using corporate networks to jump to other Windows systems. Unlike phishing attacks, computer users don't have to click on a link or open an infected file. WannaCry just looks for other vulnerable systems to enter (in some versions it uses stolen credentials), then copies and executes the program, again, and again, and again. So a single vulnerable computer on an enterprise network can put an entire organization at risk.

How Does a WannaCry Attack Work?

The WannaCry program has several components. There's a primary delivery program that contains other programs, including encryption and decryption software. Once WannaCry is on a computer system, it searches for dozens of specific file types, including Microsoft Office files and picture, video and sound files. Then it executes a routine to encrypt the files, which can only be decrypted using an externally delivered digital key.

So the only way for an infected user to access WannaCry encrypted files is if they have an external backup copy of those files. During the initial WannaCry attack, the only recourse some victims had was to pay the Bitcoin ransoms. Unfortunately, reports indicated that after the companies paid up, the hackers did not give victims access to their files.

Where Did WannaCry Originate, and Is It Still Active?

In May 2017, WannaCry spread panic across corporate networks worldwide as it quickly infected more than 200,000 computers in 150 countries. Among those systems, the National Health Service of the U.K. was disrupted, Spain's Telefónica telecom service was threatened and banks in Russia were compromised. While the virus seemed to appear all at once, researchers later traced earlier versions to a North Korean organization known as the Lazarus Group.

There were many clues buried in the code of WannaCry but no one ever claimed responsibility for creating or spreading the program. One researcher discovered early in the cyberattack that the program initially tried to access a specific web address that turned out to be an unregistered nonsense name. If the program was able to open the URL, WannaCry would not execute, so it acted as a sort of kill switch. Consequently, British researcher Marcus Hutchins registered the URL and effectively blunted the spread of the WannaCry ransomware.[2] 

Nevertheless, there have been waves of WannaCry resurgence in the years since. One high-profile case occurred in 2018 at Boeing. Ultimately, it caused more panic than actual damage, but productivity at the aircraft maker took a hit.

Recently, security researchers have seen renewed WannaCry infections. One report noted a 53% increase in WannaCry ransomware in March 2021 compared to January of this year, while another stated that WannaCry was the top ransomware family used in the Americas in January with 1,240 detections. More noteworthy: the latest variants being used by hackers no longer include a kill-switch URL.[3]

Protecting Against Ransomware

Fortunately, there are cybersecurity steps every company can take to prevent a WannaCry ransomware attack:

  • Install the latest software: If the three most important words in real estate are location, location, location, the three most important words in cybersecurity are update, update, update. The original global WannaCry infection could have been prevented if companies and individuals had updated their Windows software. The exploit that allowed WannaCry to propagate had been patched by Microsoft two months earlier.
  • Perform Backups: It's a mundane task but a necessary one to protect critical data, so companies need to establish a routine of backing up information. In addition, backups should be stored externally and disconnected from the enterprise network, as in a cloud service, to protect them from infection.
  • Cybersecurity awareness training: Employees need to be periodically reminded of good email habits, especially now that more workers are working remotely. They should never open unknown email attachments, and they should never click on any links that are at all suspicious.

The Bottom Line

Although it had a massive impact four years ago, WannaCry ransomware remains a persistent threat today — more evidence that those who don't learn from history are destined to repeat it. Fortunately, your organization won't have to if you're diligent about updating your software and systems.

[1]Three Years After WannaCry, Ransomware Accelerating While Patching Still Problematic,” Dark Reading

[2]Marcus Hutchins, malware researcher and ‘WannaCry hero,’ sentenced to supervised release,” TechCrunch

[3]WannaCry Ransomware Attacks Up 53% Since January 2021,”

Want more great articles like this?Subscribe to our blog.

Get all the latest news, tips and articles delivered right to your inbox

You may also like:

Everything You Need to Know About IT Disaster Recovery

COVID-related business disruptions have …

COVID-related business disruptions have been teaching compan… Read More >

Mercedes Cardona

by Mercedes Cardona

Contributing Writer

Posted May 03, 2021

Will 2021 Be the Year of Ransomware?

Ransomware is hitting more companies har…

Ransomware is hitting more companies harder than ever, accor… Read More >

Mike Azzara

by Mike Azzara

Contributing Writer

Posted Apr 28, 2021

Mimecast’s State of Email Security 2021 Reveals Pandemic Email Threats

New study examines how companies are res…

New study examines how companies are responding to the cyber… Read More >

Elliot Kass

by Elliot Kass

Contributing Writer

Posted Apr 20, 2021