Cybersecurity incidents place us in tough spots, and it can be difficult to make all the right decisions. One of the best ways to determine the right course of action for your organization is to understand the tactics that are being used against you. The National Security Agency Director, General Paul M. Nakasone, warns that daily attacks should be expected over the next five years. It’s critical for organizations to be properly prepared. Successful cybersecurity attacks lend valuable information that can be used to formulate new protections—threats are getting smarter, but so is cybersecurity.

Ransomware comes in many shapes and sizes. Although it can be difficult to nail down every caveat of every instance of ransomware, there are certain variants of ransomware that come with hard-learned lessons. Wannacry is definitely in that category.

What is Wannacry Ransomware?

Wannacry ransomware is a form of ransomware, called crypto-ransomware, with worm capabilities that exploits the vulnerabilities in Microsoft Windows Server Messaging Block (SMBv1) protocol to compromise remote systems, spread to other hosts, and encrypt files. The ransom demands payment using the cryptocurrency Bitcoin. Wannacry ransomware propagates through an exploit known as EternalBlue, which was developed by the National Security Agency and stolen by the hacking group known as the Shadow Brokers. It was the Shadow Brokers who released it to the public.

How Does Wannacry Work?

Wannacry ransomware invades and encrypts files that can’t be decrypted unless the attackers hand over the specific encryption key. It also has worm-like capabilities, which enables Wannacry to propagate itself through infected systems to then go on and infect new systems.

Wannacry ransomware is coded in Microsoft’s Visual C++, and therefore, Wannacry targets the Microsoft Windows OS. More specifically, the ransomware targets a SMB v1  vulnerability in the Windows operating system, using an exploit referred to as EternalBlue. Once it gains access through Eternal Blue, it uses DoublePulsar to install itself and execute.

It’s important to note that Wannacry ransomware relies entirely upon EternalBlue exploiting the SMBv1 vulnerability. Before the major global attack, a patch for this vulnerability had already been issued. Having implemented the patch, a system couldn’t be infected by the Wannacry ransomware.

In the original version of Wannacry, there was a built-in kill switch—the ransomware would check to see if it could connect to a specific URL. If the check failed, the software executed. If the check reached an active URL, it would not execute the attack. When this vital information was discovered by security professionals, the URL was quickly registered and brought the attack to a close.

In Wannacry attacks since, there was still an active kill switch, but the URLs are different. However, in Wannacry’s newest evolution, which began in 2021, the ransomware no longer contains a kill switch.

What Was the Global Wannacry Ransomware Attack?

On May 12, 2017 at 3:44 am EST, the Wannacry ransomware attack launched itself on a global scale. The attack lasted for 7 hours and 19 minutes, and was halted by the registration of the built-in kill switch domain that had been coded inside. It compromised more than 200,000 devices in 150 countries and crippled organizations across a plethora of industries.

One of its more catastrophic impacts was the compromise of the National Health Service in Scotland and England. It affected everything from MRI machines, surgical theatres, and blood storage to diverting ambulances. Some other organizations that it affected were Telefonica in Spain, several state governments in India, FedEx, Honda, and the Chinese Public Security Bureau. Overall, the financial losses were estimated to range in the hundreds of millions for those affected by this Wannacry ransomware attack.

How to Prevent and Detect a Ransomware Attack

Ransomware of any kind is a frightening prospect, but big hitters like Wannacry have proven that there are measures to take that can keep systems safe. Even if there’s an initial breach, proper detection can mitigate the damage and lessen the overall impact of the cyber threat incident.


Defending against ransomware, especially those reliant on specific exploits, can all boil down to adequate prevention tactics. These methods of prevention are effective against many types of malware, so they provide some best practices for an organization’s cybersecurity defense.

1. Focus on basic principles and drill often

A system is only as good as its foundation. Know your organization’s threat landscape and define critical assets. Implement multifactor authentication wherever possible. Encrypt data and conduct vulnerability testing. Always keep systems patched—Wannacry is a hard way to learn the lesson on the importance of patching.

2. Have a plan

Cybersecurity threats can happen anytime, anywhere, and an organization needs to be prepared and involved in threat prevention. Define security policies and make sure all compliance for the industry is followed. Involve stakeholders and major decision makers. Help everyone to know their part in mitigative risk—it’s truly a company-wide effort.

3. Improve continuously

Security is never stationary. Like the technology it protects, cybersecurity must evolve over time. An organization should look at their security posture and threat landscape as an iterative process. Over time, new vulnerabilities are discovered and patched, or new technology is integrated. It’s essential to continuously evaluate risk and security measures.

4. Implement Zero Trust

Zero Trust rests on the principle of “trust no one”. Implementing least privilege and microsegmentation are key ways to defend against ransomware and other modern malware, or at minimum Zero Trust segmentation policies can stop propagation within the network. Monitor traffic patterns and look for device behavior changes. Modern threats require a modern solution.


Prevention is one piece of the puzzle, but detection is also important. There are several stages of the cyber kill chain  at which ransomware can be detected.

To enable effective detection:

  • Have a comprehensive real-time asset inventory so you know where devices are.
  • Use an integrated threat detection engine to monitor traffic, both north-south and east-west.
  • Use a machine-learning to baseline normal patterns of behavior for devices to surface anomalous behaviors indicative of a compromised device.
  • Integrate with threat intelligence solutions to identify new indicators of compromise.
  • Automate policies to quickly isolate infected devices or  mitigate risks from an attack.

Detecting sophisticated ransomware requires a robust security solution like Ordr. Ordr  monitors internal lateral movement and uses known behavioral baselines to detect unusual or suspicious traffic, which could flag early ransomware activity. Ordr profiles every device and maps every device communications pattern If suspicious activity is detected, Ordr can immediately track down and identify the infected asset, track down infection roots and automatically create policies to mitigate risks from the attack.

Be Prepared for a Ransomware Attack

Wannacry ransomware drove home that patching is an essential point of cybersecurity. One exploit led to a compromise that touched 150 countries and over 200,000 devices. Wannacry began as a dangerous crypto-ransomware with worm-like capabilities and a built-in kill switch, and continues to be a risk today as there are a million plus devices that remain unpatched.

In order to protect your organization from Wannacry ransomware and other malware, it’s critical to learn details of the major attacks. Define who, what, when, where, and how a specific attack occurred, and analyze and convert that information into action plans so you can improve your cybersecurity measures and ensure your organization isn’t the next victim.

An advanced security solution can help your organization build its security fortress. With Ordr, you can see all your connected devices and identify those at-risk, practice Zero Trust microsegmentation to reduce the attack surface, monitor traffic using behavioral base patterns and watch for east-west lateral movement, and much more. Ordr helps you understand the purpose and operation of all devices connected to your network, and automates management and security policies to ensure maximal protection. Should you fall under attack, Ordr can help you rapidly isolate and protect infected devices.

Interested in Learning More?

Subscribe today to stay informed and get regular updates from Ordr Cloud

Ready to Get Started?