Marcus Hutchins on halting the WannaCry ransomware attack – ‘Still to this day it feels like it was all a weird dream’

Five years since WannaCry exploded onto the scene, ransomware still tops global threat lists

ANALYSIS Five years ago today (May 12), a ransomware attack by a North Korean hacking group hit computers running Microsoft Windows, encrypting data and demanding ransom payments in bitcoin.

The biggest ransomware attack in history, it spread within days to more than a 250,000 systems in 150 countries.

But a ‘kill switch’ was discovered by British researcher Marcus Hutchins, who inadvertently stopped the attack by registering a web domain found in the malware’s code.

Once the ransomware checked the URL and found that it was active, it was shut down – buying precious time and giving organizations breathing room to update their systems.

“It didn’t feel real and the reality never really set in. Still to this day it feels like it was all a weird dream,” Hutchins tells The Daily Swig.

“It’s rare for such sophisticated exploits to fall into the wrong hands. Even to this day, nothing close to the severity of the exploit WannaCry used has surfaced.”

Ongoing threat

Five years on, though, and the effects of WannaCry are still apparent, with other attackers emboldened to act.

“Little did we know then that it was just the start of a rise in more sophisticated, widespread, and detrimental ransomware attacks,” says Joseph Carson, chief security scientist and advisory CISO at Delinea.

RELATED Ransomware surge prompts joint NCSC, CISA warning to safeguard systems

“Since then, we have seen a steady stream of high-profile ransomware victims, along with a rise in the number of ransomware groups offering ransomware-as-a-service.”

Indeed, according to a recent report from Sophos, two-thirds of organizations surveyed were hit with ransomware in 2021, up from 37% in 2020, with almost half of those whose data was encrypted paying a ransom.

Even WannaCry itself is still on the loose and causing significant damage, with Trend Micro reporting that more than 5,500 cases were detected in each of the last three months of last year. Clearly, organizations are still failing to act.

“Given the significant coverage, both technical and high-level, much of the industry anticipated it would prompt organizations to take real defensive action,” says James Tamblin, president of BlueVoyant UK.

“Yet, over the past five years, we have witnessed ransomware actors use near-identical methodologies – and in many instances, identical tooling – to accomplish their objectives.”

Basic steps

There’s broad industry agreement that more needs to be done to defend against ransomware, with Carson urging organizations to take basic steps to protect themselves.

“One is segmentation, essentially putting in place technical guardrails that separate one business function from another. This minimizes the unchallenged propagation of malicious actors and malware,” he says.

“Another best practice is to identify all critical assets which are most commonly targets for attacks and perform frequent incremental backup in the event a system recovery is needed. Strong multi-factor authentication and privileged access controls are also obvious components.”

Read more of the latest cybercrime news from around the world

Meanwhile, he says, organizations should consider a least privilege approach to access, limited to only what is required for the job function or task.

But the general culture within infosec is also a factor in the continuing proliferation of ransomware, according to Ian Farquhar, field CTO at Gigamon.

“Instead of fostering industry-wide collaboration and enabling the transparency needed to tackle the complexity of ransomware attacks, the blame culture, with constant finger pointing and criticism from the side-lines, is rife and on the rise,” he tells The Daily Swig.

“Infosec professionals are at breaking-point, with 41% of IT security managers in the UK considering quitting. And with ransomware groups like Lapsus$ typically preying on disgruntled, stressed employees and offering financial incentives to enable intrusion, the industry needs to change fast.”

If you haven’t already seen it, check out WannaCry: The Marcus Hutchins Story on YouTube:

This three-part miniseries made it into our Top 10 Hacking Documentaries of All Time list.

Additional reporting by Jessica Haworth.

YOU MIGHT ALSO LIKE Researcher stops REvil ransomware in its tracks with DLL-hijacking exploit