WannaCry Was Just a Warning: Here’s What’s Coming Next—And How to Stop It

Posted May 22, 2017

WannaCry Was Just a Warning: Here’s What’s Coming Next—And How to Stop It

Well, that was close.

The WannaCry cyberattack that crippled 200,000 businesses, government agencies and hospitals in 150 countries is now largely tamped down.

The crisis was spawned by ransomware that first infected networked computers at Britain’s National Health Service before quickly spreading around the globe. In a matter of hours, it locked computers, encrypted files and put the vulnerabilities of the world’s most critical systems in sharp relief.

In a world where data drives virtually every aspect of modern business, transportation, telecommunications, national defense and health care systems, this was no small matter.

In Germany, terminal screens in the nation’s train stations were walloped, creating massive delays. In Britain, more than a dozen hospitals were hobbled by the attack, forcing critically ill patients to be transferred to unaffected hospitals — potentially costing lives.

Thankfully, the attack was quickly short-circuited. For all the chaos that ensued, the ransom — $300 in bitcoin — impacted something short of 300,000 machines and, as of this writing, has netted the perpetrators less than $90,000.

While the bad guys made off with meager profits, the attack likely caused billions of dollars in damage.

Only one thing’s for sure. The incident being called “the biggest ransomware offensive in history” could have been exponentially worse — and probably will be next time.

The New (and Unnerving) Normal

There are signs WannaCry may have been the work of amateurs who leveraged a hacking toolset purportedly stolen from the NSA and marketed online by a group called Shadow Brokers.

According to the Los Angeles Times, at least some of the code can be traced back to the notorious Lazarus Group, a state-sponsored cybercrime ring suspected in last year’s $81 million heist at the Bank of Bangladesh and the 2014 Sony hack.

Whatever its origins, breathing a sigh of relief about a string of lucky circumstances that ultimately helped bring about a precipitous end to the crisis would be a mistake.

Instead, WannaCry should serve as a wake-up call. More attacks are sure to come and in fact, are already underway. And, whatever arises next will be driven by three key factors:

  1. Cybercrime Is Mainstream

Beyond shortcuts like those from Shadow Brokers, emerging toolsets often called “cybercrime-in-a-box” are quickly putting turnkey solutions for initiating cyberattacks directly in the hands of even the most tech-illiterate hoodlums.

In fact, researchers are reporting an alarming increase in commercial malware for sale on the dark web.

Among the most troubling is a new form of a highly customizable ransomware-as-a-service (RaaS) solution that enables virtually anyone to launch sophisticated ransomware campaigns from an easy-to-use web interface — all on a subscription basis.

These services have been used to spread all kinds of malicious attacks — from highly specialized viruses attacking centrifuges for separating nuclear material, to financially-motivated malware, such as Zeus and Dridex, to malware targeting point-of-sale devices in retail stores, to sophisticated ramsomware attacks.

Worryingly, Bloomberg reports Shadow Brokers has announced plans to start selling new “in-a-box” toolkits as part of a new “Data Dump of the Month” service, beginning this summer.

In truth, Shadow Brokers and organizations like them have become the arms dealers of the digital age.

The tools they’re hawking will surely spark attacks that will could make WannaCry pale in comparison.

  1. The Threat Is Scaling Fast

Worldwide, there are already more than 4,000 ransomware attacks each day — an increase of 770 percent in just the past 24 months.

The average ransom paid per victim has soared as well, from $294 to more than $1,000.

Indeed, business is booming. According to industry reports, ransomware vendors that market software and RaaS solutions to cyber-crooks are beginning to resemble legitimate, global software companies.

Their UX and back-end systems can be state-of-the-art. Many offer 24/7 support services for their “clientele” and their victims. And some even host chat rooms where “customer service reps” can assist you in getting you files back.

If only your cable provider’s customer service was this good.

Yet it’s not as unexpected as it all sounds. Cybercriminal organizations of all types are quickly scaling their operations to attain the reach they need to pilfer from afar and transfer their spoils across international borders to evade authorities.

They have plenty of incentive. Ransomware, stolen data and intellectual property are outrageously profitable. In total, losses from all forms of cybercrime have topped $3 trillion worldwide — and could double in the next five years.

  1. It Takes a Network to Fight a Network

We fight an asymmetric war. The bad guys only have to find one hole or vulnerability to cause mayhem, while we have to protect every single part of the chain.

This means that we (as the good guys) need to find ways to collaborate better when these attacks occur. This is exactly what the ThreatMetrix Digital Identity Network is all about. When we detect anomalies about particular devices doing transactions, these anomalies are globally shared in real-time, thus providing a real-time intelligence sharing network.

The ThreatMetrix Digital Identity Network, the world’s largest with more than 4,600 member companies, detected and stopped more than 130 million cyberattacks in real time last quarter. The potential savings for these networked organizations could reach billions of dollars.

Cybercrime is more than just random hackers looking to make a quick buck. It has become sophisticated, networked and organized. And, it takes a network to fight a network.


While WannaCry was broad-based, more sophisticated ransomware attacks will appear and could soon target energy grids, air traffic control systems, water treatment plants, or nuclear missile defenses the world over.

In the U.S., more than 70 percent of critical infrastructure organizations indicate they’ve experienced a cyberattack of some kind within the last year.  More are certainly on the way.

Stopping this kind of attack might not be as easy next time. I believe, the “kill switch” that mitigated much of the attack was a deliberate “feature” of the ransomware to defeat automated scanning tools, although the authors didn’t really think this through. The next time, they will — believe me.

ThreatMetrix Team

ThreatMetrix Team

close btn