WannaCry five years on: what have we learned?

On the fifth anniversary of the WannaCry ransomware attack, we explore the lessons that tech leaders have been able to take forward

On the 12th May 2017, a global ransomware attack undertaken by a North Korean hacking group, targeting computers running Windows across 150 countries. Named after the WannaCry ransomware cryptoworm, organisations affected by the attack included the NHS, FedEx, Hitachi and Honda, along with many universities worldwide. Ransomware attacks show no signs of ceasing, with cases of ransom demands made by threat actors continuing to surge.

Five years on from the WannaCry ransomware attack, we explore what tech leaders have learned from the incident, and how organisations can better protect themselves against such incidents.

Remaining vigilant

Cyber attacks such as WannaCry demonstrate the need for ongoing vigilance, with no room for complacency. While many company leaders previously put concerns around possible infiltration of networks down to mere uncertainty and doubt, any possibilities of vulnerability are being addressed more often before an attack can take place. Rising AI and monitoring innovation over the past five years plays a vital part in this mission.

“Five years ago, the WannaCry attack established ransomware as a major cyber-threat vector to reckon with,” explained Neil Jones, director of cyber security evangelism at Egnyte.

“The good news is that cyber security requirements have become more formalised since the WannaCry attack occurred, and there’s broader corporate and societal awareness of ransomware’s impact. However, today’s geo-political events in Europe and global supply chain pressures remind us that service disruptions from ransomware are just as likely now as they were five years ago.

“Also, organisations are now having to manage data infiltration allegations via social media that may not have even occurred.”

Combatting ransomware

Jones went on to identify the following ways in which organisations can effectively combat ransomware attacks:

  1. Develop a comprehensive incident response plan;
  2. Utilise a solution with ransomware detection and recovery;
  3. Educate executive management about ransomware’s impact;
  4. Perform cyber security awareness training, including implementing effective data protection policies like strong password protection and multi-factor authentication.

“It’s also critical that users understand any company can be a potential victim, regardless of size or location,” Jones added.

Security alone isn’t enough

It’s also important to look beyond cyber security measures when maintaining strong company-wide protection.

“The WannaCry ransomware attack was one of the first examples of state-sponsored warfare moving into cyber space. Five years on, this tactic is much more prominent, especially in the past few months as we’ve watched cyber crime become far more commonplace,” said Steve Young, UKI sales engineering director at Commvault.

“Crucially, we cannot totally depend on reactive security solutions for protection. We must prepare for the worst and ensure that, should cyber criminals manage to slip through, our systems can get back up and running as quickly as possible.

Backup and disaster recovery, therefore, are imperative parts of a robust cyber security defence. A fast Recovery Time Objective (RTO) ensures that applications can quickly get back to running mode, reducing lost profits and any negative impact on brand reputation.”

Content Disarm and Reconstruction (CDR)

Going forward, insufficient protection across the organisation can lead to zero-day threats, a new kind of vulnerability that’s becoming more common. Zero-day vulnerabilities do not have patches available and can evade detection from anti-virus tools for as many as 18 days after they are exploited.

To combat this, Paul Farrington, chief product officer at Glasswall, recommends utilisation of file sanitisation tech that has been coming into the market: “File sanitisation technologies, like Content Disarm and Reconstruction (CDR), provide protection that doesn’t wait for detection.

“This is especially important with the growth of file-based threats, which rose by 5.7% between 2020 and 2021, and with continued growth expected in 2022.

“With CDR, files and documents undergo a rapid four-step process in which they are inspected, cleaned, rebuilt, and delivered. During the process, files are rebuilt to the ‘known good’ specification, closing any security blind spots and removing file-based threats so the user can open it with the confidence that it is clean and safe.

“Importantly, the process of CDR does not impact productivity as its instantaneous nature means it occurs without interrupting business operations. For organisations affected by WannaCry five years ago, such as the NHS, this type of solution could help prevent future disasters resulting from increasing file-based threats.”


Utilising a post-breach mindset for ransomware — Rich Armour, senior advisor, and Edgard Capdevielle, CEO of Nozomi Networks, discuss how a post-breach mindset can lend itself towards efficient ransomware attack preparation.

The rise of Ransomware-as-a-Service — James Blake, field CTO security at Rubrik, predicts that the rise in Ransomware-as-a-Service will continue in 2022.

Avatar photo

Aaron Hurst

Aaron Hurst is Information Age's senior reporter, providing news and features around the hottest trends across the tech industry.