Happy birthday WannaCry! Marking a grim ransomware anniversary
The infamous crypto worm infected hundreds of thousands of devices within hours and caused billions of dollars of damage.

Not every birthday is a happy one. Today marks the eighth anniversary of WannaCry, a cryptoworm which infected 300,000 computers across 150 nations within just 24 hours, causing an estimated $4 billion in damages.
The attack took place on May 12, a date Interpol named as Anti-Ransomware Day in 2020 as a kind of memorial to WannaCry.
Britain's famous NHS was the most high-profile victim, losing £92m due to the loss of services and the cost of recovery. Other victims reportedly included Telex, Renault and Telefónica.
WannaCry's initial vector was a fully wormable exploit chain built from EternalBlue, an exploit for a Server Message Block (SMB) vulnerability tracked as CVE-2017-0144. First discovered by the National Security Agency (NSA), it targets SMB, the network protocol Windows machines use for file sharing, printer sharing and access to remote services.
It also drew on the DoublePulsar backdoor implant tool - another NSA innovation. Both DoublePulsar and EternalBlue were released publicly by the Shadow Brokers in April 2017.
WannaCry attacked SMB version 1 to load malware and then spread to other machines in a network, using TCP port 445 to propagate.
EternalBlue first triggered an out-of-bounds write, enabling system-level remote code execution (RCE). The shellcode then loaded DoublePulsar, which injected the ransomware payload.
Victims were asked to pay between $300 and $600 in Bitcoin (a ransom that doubled after three days) as attackers threatened to permanently delete the data.
Marcus Hutchins, working under the codename MalwareTech, stopped WannaCry by registering a domain name found in the malware’s code, which acted as a kill switch and halted its spread.
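The propagation pattern described above, one host opening SMB (TCP/445) connections to many peers in a short time, is something a defender can look for in connection logs. The following detection script is an added example, not code from the article; the log format, the sample lines and the thresholds are all constructed assumptions.

```python
"""Flag SMB (TCP/445) fan-out that resembles worm propagation.

Added example (not from the article). Input lines use a constructed
format: "<epoch_seconds> <src_ip> <dst_ip> <dst_port>". Thresholds are
assumptions chosen for the demo, not vendor or article values.
"""
from collections import defaultdict

SMB_PORT = 445
FANOUT_THRESHOLD = 5   # assumed: distinct 445 peers per window to flag
WINDOW_SECONDS = 60    # assumed: sliding window length

def parse_line(line):
    """Parse one constructed log line into (ts, src, dst, port)."""
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)

def find_smb_fanout(lines, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src_ip: max_distinct_peers} for sources that contacted at
    least `threshold` distinct destinations on TCP/445 within any
    `window`-second interval. Repeated hits on one file server (a single
    peer) do not trigger, which keeps normal SMB traffic out of the result."""
    events = defaultdict(list)          # src -> [(ts, dst), ...]
    for line in lines:
        ts, src, dst, port = parse_line(line)
        if port == SMB_PORT:
            events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()                      # order by timestamp
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1              # slide the window forward
            peers = {dst for _, dst in evs[start:end + 1]}
            if len(peers) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(peers))
    return flagged

SAMPLE_LOG = [  # constructed sample: one worm-like host, three benign ones
    *[f"{1494576000 + 4 * i} 10.0.0.7 10.0.0.{20 + i} 445" for i in range(7)],
    *[f"{1494576000 + 10 * i} 10.0.0.9 10.0.0.5 445" for i in range(6)],
    "1494576000 10.0.0.11 10.0.0.30 445",
    "1494576005 10.0.0.11 10.0.0.31 445",
    "1494576009 10.0.0.11 10.0.0.32 445",
    *[f"{1494576000 + 70 * i} 10.0.0.8 10.0.0.{40 + i} 445" for i in range(6)],
    "1494576003 10.0.0.11 10.0.0.50 80",
]

if __name__ == "__main__":
    print(find_smb_fanout(SAMPLE_LOG))   # only 10.0.0.7 is flagged
```

Host 10.0.0.8 touches six peers but spaced 70 seconds apart, so it never exceeds the threshold inside one window; lowering the threshold or widening the window trades false positives for sensitivity.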
Intelligence services from the US and UK claimed WannaCry was the work of North Korea's Lazarus Group - although the hermit nation's deputy ambassador to the United Nations reportedly described this allegation as "ridiculous".
The rise and rise of ransomware-as-a-service
Since WannaCry, the threat landscape has become ever more threatening and the risk has grown exponentially due to the growth of the ransomware-as-a-service industry.
Jim Walter, Senior Threat Researcher at SentinelOne, told Machine: "Over the past decade, branding, marketing, and reputational integrity have become an essential part of RaaS strategy, paralleling the 'go-to-market' business model of legitimate organisations.
"Threat actors now maintain distinctive names, logos, and online personas to attract affiliates and persuade victims to pay. Many ransomware groups maintain leak sites and use platforms like Telegram, X (formerly Twitter), Discord, and dark web forums to name and shame victims publicly.
"Media outreach is now a standard tactic, helping to amplify pressure on victims to pay. Brand recognition has become so integral to threat actors' profits that some attackers have impersonated established groups like LockBit and Babuk to gain victim trust.”
He warned that the barrier to entry has dropped in the age of AI, so that unskilled actors can now launch devastating attacks.
"The most advanced groups operate with professional polish, strong branding, and corporate-style structure," he added. "This dual dynamic, combining accessibility with professionalism, has made ransomware one of the most persistent and costly threats facing organisations today."
Many unhappy returns for ransomware gangs
A spokesperson for Check Point software confirmed that the threat landscape is now "exponentially more complex".
"Today’s ransomware groups operate more like digital cartels than isolated hackers," they said. "The tools are sharper, their targets more strategic, and their tactics infused with artificial intelligence. As we mark Anti-Ransomware Day this year, we’re not just reflecting on the past - we’re sounding the alarm for the future."
In Q1 2025 alone, 2,289 ransomware victims were listed on data leak sites, according to Check Point Research — a 126% increase year-over-year.
The Cl0p group, for instance, targeted the Cleo file transfer platform and compromised more than 300 organisations, with 83% of victims in North America.
"New strategies allow threat actors to avoid detection, bypass defences, and increase psychological pressure on victims," Check Point added. "In the coming months, we expect to see even more aggressive triple extortion models emerge combining DDoS attacks, stolen data exposure, and direct victim intimidation via calls or emails to customers and business partners."
In 2024, at least 46 new ransomware groups became operational - a 48% increase on the previous year. This growth is driven by affiliate programmes and plug-and-play hacking kits. Customers now even have access to support portals.
"The industrial revolution of ransomware"
AI is accelerating the scale and sophistication of ransomware operations by automating key stages of the attack chain. Cybercriminals are using large language models to craft phishing lures that closely mimic the tone, style, and linguistic nuances of trusted contacts. These AI-generated messages are far more convincing than traditional phishing emails, increasing click-through rates and enabling initial access with minimal human effort.
Generative AI is being used to produce custom malware in seconds. Rather than relying on prebuilt toolkits or writing code manually, threat actors can use AI to create tailored payloads designed to exploit specific systems or evade detection. This dramatically reduces the time and skill needed to mount effective attacks.
Another major development is the use of deepfake technology in business email compromise (BEC) campaigns. Attackers can synthesise audio or video of executives giving urgent instructions to finance teams or IT staff. These deepfakes, when combined with spoofed emails or compromised accounts, significantly raise the success rate of high-value fraud attempts.
Attackers are also becoming increasingly stealthy, deploying legitimate IT tools such as remote management software or PowerShell scripts to silently disable security controls or exfiltrate data without triggering alerts. AI can assist in selecting and orchestrating these tools in ways that mimic routine administrative activity, further reducing the chances of detection.
“We are witnessing the industrial revolution of ransomware,” says Sergey Shykevich, Threat Intelligence Group Manager at Check Point Software Technologies. “AI is making it easier than ever to customise, deploy, and scale ransomware attacks, and the impact isn’t just technical anymore. It’s operational, financial, and reputational.”
Check Point anticipates that there will be between two and three large-scale supply chain ransomware attacks in 2025 in which AI will be used not just for payload creation but to automate lateral movement, target prioritisation and ransom negotiation.
Shykevich added: "Ransomware is no longer just a technology problem, it’s a boardroom issue. It's about operational continuity, trust, and resilience. Executives need to treat cyber security the same way they treat legal risk or financial health - as a non-negotiable part of doing business."
How can organisations protect themselves against ransomware?
In the 8 years since WannaCry, there have been vast numbers of serious cyberattacks around the world, from NotPetya to the attack on Colonial Pipeline. The world has also witnessed the first known case of a life being lost as a result of a cyber-attack during a digital assault on Düsseldorf University Hospital. During this incident, hackers disabled the computer systems and a woman lost her life whilst being moved to another medical facility.
Drew Streib, VP of engineering at Black Duck, said: "Certain security events are notable not just because of technical severity, but because of how they drive global awareness and fundamentally change the public’s perception of cybersecurity. WannaCry marked an inflection point for global mainstream attention of the broad category of ransomware.
"It had an easy to understand and visceral impact on affected users and has a place in history for helping ransomware to be a tentpole in modern security training. It probably managed to replace the more generic virus as a scary emblematic consequence of poor security posture."
Lucas von Stockhausen, executive director of Black Duck, also offered the following advice on staying safe: "It’s critical for organisations and institutions to stay vigilant, ensuring that software is patched and updated. Software runs the world, and we are far beyond the point of operating without it. Think of it like car maintenance.
"We must make certain our cars are taken to the experts regularly for maintenance to keep them running smoothly so they get us where we need to go, and to make sure they keep their value. Software maintenance works along these same lines – we must bring it into the proverbial ‘garage’ for regular maintenance.
"Preparation is also a non-negotiable element. Business continuity and incident response plans ensure we’re not ready for the ‘if’, but rather ‘when’ the next cyber incident occurs. WannaCry taught us that testing software throughout the software development lifecycle is necessary – throughout the entire lifecycle, until it’s decommissioned.
"Updating open source, scanning for weaknesses on a regular basis. Even if there aren’t any updates available, attack vectors will update constantly. Remember that software is evolving constantly, as are the threats. The software you release today will become outdated or potentially vulnerable tomorrow. The key takeaway from WannaCry is to remain vigilant and to focus on building trust into the software that powers our world."
Should organisations pay the ransom?
The classic answer to this question is simply: "no".
Darren Guccione, CEO and co-founder at Keeper Security, offered the following advice: "When faced with a ransomware attack, organisations are faced with a difficult decision - whether or not a ransom should be paid. Paying a ransom to release their data may seem like the simplest solution, however, it is often illegal and only fuels the explosive growth of this criminal activity. Also, in this instance and many other cases, paying a ransom doesn’t guarantee the cybercriminal’s illicit activities will end. Cybercriminals often receive payment and subsequently leverage the stolen files to further monetise their value.
"Generally, a payment absent proper responsive cybersecurity protection increases the probability of a future attack, as cybercriminals now know they will pay the ransom. Cybersecurity investment before a cybercriminal strikes is critical for organisations of all sizes.
"A zero-trust security model with data backups will limit exposure if a cyberattack occurs. Additionally, strong authentication and encryption measures on the front end will help prevent a data breach. IT professionals need to consider the security of their third-party vendors, as a vendor breach can have significant downstream effects, which the schools affected by this attack are experiencing firsthand.
"Beyond immediate remediation, organisations should focus on strengthening access controls, enforcing phishing-resistant multi-factor authentication and ensuring all accounts use strong, unique passwords that are stored in an encrypted password manager. Implementing a zero-trust security model with privileged access management, where every login attempt is verified and administrative privileges are tightly controlled, can reduce the risk of future attacks and greatly diminish the impact if a successful attack occurs."
Zero ransomware: Towards a better future
Fabio Fratucello, Field CTO Worldwide at CrowdStrike, said International Ransomware Day "is a timely reminder for organisations to rethink how they’re securing their environments".
“Ransomware remains one of the most persistent and damaging threats facing organisations today. It has evolved far beyond being just an endpoint issue — it’s now a challenge rooted in identity, cloud infrastructure and data security," Fratucello said.
"Modern ransomware operations are stealthier and more sophisticated than ever. Adversaries aren’t relying on traditional malware alone. Instead, they’re abusing valid credentials, exploiting misconfigured cloud environments, and using legitimate tools to move laterally and remain undetected.
According to CrowdStrike’s 2025 Global Threat Report, 79% of initial access attacks are now malware-free and access broker activity has surged by 50% year over year.
Fratucello added: "This shows a clear pivot towards stealth and credential-based attacks, making traditional defences obsolete. International Anti-Ransomware Day is a timely reminder for organisations to rethink how they’re securing their environments.
"Fragmented, legacy approaches that rely on point products and siloed data are no match for modern threats. What’s needed is a unified, AI-native platform that delivers protection and visibility across endpoint, identity and cloud.
"This integrated approach not only closes protection gaps across the entire attack lifecycle, it also reduces the cost and complexity of operations — a win for both CISOs and boards looking to drive resilience while staying agile. In today’s threat landscape, visibility is protection. And protection must start with consolidation."