WannaCry's ghost is still wreaking havoc five years on

Five years since the infamous WannaCry ransomware strain swept corporate networks globally, we look back on its impact with fresh eyes. In the first of a two-part series, we explore the deficiencies in how WannaCry was written, and what cyber security experts have learned from its shortcomings

Friday 12 May 2017 will be remembered as the start of one of the worst days many NHS practitioners in the UK will likely have ever faced throughout their careers. Ambulances were diverted, computers locked, and phone lines killed, not to mention the swathes of unwell patients desperate for treatment.

The direct impact of WannaCry was felt for days after the initial attack right across the NHS and other organisations worldwide, and the aftershock for many months after that. It would have been difficult at the time, though, to understand that a computer program that caused so much damage and so much disruption was actually a shining example of how not to write ransomware.

WannaCry was by no means the first strain of ransomware ever encountered, but its undeniable success propelled ransomware to the forefront of cyber security practitioners’ minds. It also catalysed perhaps the biggest long-term trend in cyber security we’ve seen this millennium. Ransomware, however, has come a long way in recent years, with criminal gangs stamping out the technical shortcomings that stopped WannaCry from becoming even more devastating than it was.

A waste of a good exploit

The US National Security Agency (NSA) had its hand on a goldmine – an immensely powerful exploit kit – for five years between 2012 and 2017, one month before WannaCry took hold across the globe. Called EternalBlue, the zero-day exploit for most versions of Microsoft Windows was obtained and leaked by The Shadow Brokers hacking group. EternalBlue eventually played a role in other devastating attacks, but it’s perhaps best known for allowing WannaCry to spread so voraciously across unpatched systems.

Royal London Hospital in East London

The Royal London Hospital (Barts Health NHS Trust) was among five hospitals that were forced to close their emergency departments during the WannaCry attack

EternalBlue is the component of WannaCry that was wormable, and the powerful exploit previously under close guard of a nation state was now helping WannaCry infect hundreds of thousands of computers worldwide – around 230,000 in just a few hours.


Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk


WannaCry “wasted” EternalBlue, “a truly frightening exploit,” according to Jonathan Knudsen, head of global research at the Synopsys Cybersecurity Research Centre. “If the WannaCry developers had made a better design or been more cognizant of how researchers would be able to analyse the inner workings of their code, they might have designed and implemented it differently, and the result could have been much, much worse.”

Ultimately, it was a separate technical shortcoming that proved to be the end of WannaCry – a so-called ‘kill switch’ that disabled the ransomware’s wormable functionality.

WannaCry’s untimely kill switch

It may sound like a small, even silly, mistake – but WannaCry was ultimately undone by one self-taught security researcher identifying a single ‘quick trick’ to disable WannaCry’s most destructive features. It was just “one little mistake, that made it possible for WannaCry to be shut down before it got worse,” Knudsen tells IT Pro, out of all the myriad vulnerabilities the WannaCry operators surely would have checked with a fine-toothed comb.

After conducting an independent analysis of WannaCry, Marcus Hutchins “unintentionally” discovered that registering a command and control (C2) domain, an everyday task of his job investigating various malware strains, drove a digital pitchfork into WannaCry’s cogs.

One of its mechanisms was to check if a given domain had been registered before it would continue to infect, encrypt, and spread if the domain wasn’t registered. Simply by claiming the domain associated with this mechanism, Hutchins stopped WannaCry in its tracks.

The British programmer Marcus Hutchins

Marcus Hutchins (pictured) is widely considered to be the man who saved the world from WannaCry

This oversight highlighted a crucial flaw in the developers’ approach and one that ransomware operators have learned from in the years sicne. The decision to obfuscate the code or otherwise prevent analysis was a fatal error in judgement, according to Maor Hizkiev, Datto's senior director of software engineering.

Echoing other experts speaking to IT Pro, he says: “The fact that the hacker started the campaign without owning the domain was the biggest mistake. Combining it with the fact he didn't protect his code properly from security researchers, the campaign resulted in just 200-300,000 infections. Simple protection would delay the researchers in at least a day.”

The ransomware payment plight

You would think, as career ransomware criminals, the first priority when designing such a program would be to ensure that if it was successful, you would be able to be paid for your hard work. That wasn’t the case for some WannaCry victims, though, as reports circulated in the following weeks that some were able to get their files back simply by telling the hackers they had paid the ransom. No proof whatsoever was required.

“Unlike its competitors in the ransomware market, WannaCry doesn’t seem to have a way of associating a payment to the person making it,” Check Point said at the time. “Most ransomware, such as Cerber, generates a unique ID and Bitcoin wallet for each victim and thus know who to send the decryption keys to. WannaCry, on the other hand, only asks you to make a payment, and then wait.”

“Due to their lack of adequate payment-tracking, many victims complained that they never got a response for their payment and thus never got their files back,” says Jim Simpson, director of threat intelligence at BlackBerry to IT Pro. “Word of this spread quickly and may have dissuaded a lot of people from paying the ransom to get their files back.”

Writing secure code is difficult

Industry experts tell of numerous other failings in the code of WannaCry that could have led to much wider consequences. Simpson says a compatibility issue was also discovered in WannaCry that affected older versions of Windows. In some cases, WannaCry held data in memory that was used to generate the decryption key, meaning that experts had a brief window in which they could gather information and potentially decrypt their files.

This being said, WannaCry is still one of the most significant cyber attacks to have ever been launched. Not just for its effectiveness, but for its role in shifting cyber crime one notch in its evolution. Ransomware is, and has been since WannaCry, the biggest threat to organisations bar none. Despite its minor failures – it’s still software packaged with its own vulnerabilities, at the end of the day – WannaCry will be remembered as a historically momentous event in the world of IT.

“Writing secure code is difficult, it requires significant knowledge, skills and judgment,” says Kev Breen, Director of Cyber Threat Research at Immersive Labs. “Even large software companies with established peer reviews and quality assurance processes write flawed software and applications.

Malware tools are also focused more on impact – rather than being reliable and sustainable – so this is bound to compound the issue,” he adds. “It's also hard to test malware, especially ransomware, due to their destructive nature.”

What has the industry learned from WannaCry?

WannaCry detections remain high in some corners of the world, but the industry, and the cyber criminals that drive it, have largely considered WannaCry’s 2017 rampage as the teachable moment it was.


The state of brand protection 2021

A new front opens up in the war for brand safety


Ransomware has also, of course, evolved to become a much different beast from what it was when WannaCry was at its peak. “Worm functionality has effectively died out in modern ransomware, as it’s been far too easy for it to get out of threat actors’ control,” says Simpson. “It has been replaced with ‘hands-on-keyboard’ attacks after doing specific reconnaissance, so they can see what exactly is happening.”

Not only are cyber criminals playing a more active role in proceedings, they’ve also learned how to write programs that can’t be terminated using a quick trick like the kill switch. “There have been some malware or ransomware strains that have been released with some vulnerabilities but these are usually from inexperienced actors,” says Damien Townsend, senior digital forensics and incident response analyst at Bridewell Consulting.

“The big ones like Ryuk or DarkSider ransomware don’t have these vulnerabilities in them. Once they infect your system there is not much that you can do to stop them.”

Indeed, vulnerabilities in modern ransomware are rare discoveries, although not entirely mythical. Just this week a cyber security researcher published mitigations to stop the file encryption process of leading malware samples from the likes of the Conti, REvil, and, yes, WannaCry. That said, businesses shouldn’t rely on these ultra-rare discoveries as fail-safe strategies and instead adopt proper cyber security principles and apply them throughout the organisation, as well as using well-tooled security products configured perfectly for their specific IT environments.

Fortunately, the security industry has, for the most part, learned from WannaCry and improved its cyber hygiene considerably. Although infections are still prevalent in regions like the Americas and parts of Asia, the basics of cyber security are being dealt with much better.

“One of the main impacts since WannaCry is the installation of patches on systems,” says Townsend. “I know from some of the more recent vulnerabilities such as Log4J and [Microsoft] Exchange, the patch time has reduced from months/years to days and even hours.”

In part two, we outline how 'WannaCry 2.0' continues to pose a serious threat to businesses, half a decade on, and how the infamous strain has evolved and retooled through the years

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.