Visualize: Insights that power innovation

Exploits behind WannaCry and NotPetya attacks continue to linger

By David Geller, Caitlin Plunkett  |  May 29, 2019

Have we seen the last of WannaCry and NotPetya?

The mechanisms behind these massive 2017 ransomware attacks, which used malware stolen from the US National Security Agency (NSA), are reportedly still at large.

WannaCry, per TechCrunch, was the first instance in which ransomware had spread throughout the world in a coordinated cyberattack. In the past, ransomware attacks—which use malware to lock computers until the cyber attacker receives payment—were far more limited in impact.

The WannaCry escapade reportedly impacted hospitals, government systems, and private companies, leading to billions of dollars of damages in just a few hours.

Fortunately, a malware reverse engineer located the kill switch for the malware and ultimately stopped WannaCry in its tracks.

However, a month later, hackers utilized the NSA-developed hacking technique to proceed with NotPetya, a ransomware attack that victimized shipping giants, supermarkets, advertising agencies, and other enterprises in a fashion similar to WannaCry.

These attacks, levied in back-to-back months, appear to have triggered fears that large-scale ransomware occurrences could become the new norm. And while Health IT Security notes that ransomware has emerged as a prominent hacking tactic, accounting for 85% of malware attacks in 2017, qualms over “the big one” persist.

How likely is an even bigger ransomware attack?

Concerns about a larger ransomware attack appear to be warranted. TechCrunch has estimated that “as many as 1.7 million internet-connected endpoints are still vulnerable to the exploits” that were harnessed in the WannaCry and NotPetya attacks. In fact, TechCrunch notes that this projection is likely on the lower end of exposed devices, as the aforementioned tally doesn’t account for the millions of devices that are connected to servers that are already infected.

And it’s not just connected devices. There have reportedly been recent instances in which the exposed NSA tools have been applied to breach servers.

For example, in 2017, per ZDNet, at least five internet-facing city servers in Atlanta were quietly infected with the same exploits that were utilized in the WannaCry and NotPetya attacks. These bugs ultimately led to a 2018 ransomware attack that encrypted city data and led to the shutdown of some services. According to the Wall Street Journal, Atlanta declined to comply with the $51,000 ransom demand and has subsequently incurred millions of dollars in costs to fortify its defenses.

Recent ransomware attacks

While we have seen firsthand the issues that the malware incorporated into the WannaCry and NotPetya attacks can pose, other variants of ransomware have been causing issues of late. On May 7, Ars Technica reported that a “very aggressive RobbinHood ransomware” affected email and all Baltimore government services, with the exception of police, fire, and emergency response systems. As of this posting, the Wall Street Journal reported that roughly 10,000 city government computers had been frozen for two weeks and counting.

A malware attack was also recently levied on a large accounting software enterprise, causing headaches for numerous accountants in the midst of a reportedly busy filing period, according to CNBC. The victimized company, per the article, provides software and services to every single one of the top 100 accounting firms in the U.S., 90% of top global banks, and 93% of Fortune 500 companies. Accounting Today subsequently reported that the nature of the attack compelled the United States Internal Revenue Service (IRS) to grant a seven-day extension for filings to companies that were affected by the attack.

Protecting against ransomware attacks

There are a number of ways that companies can protect against ransomware attacks. These include having strong cybersecurity training in place for all company employees and purchasing cyber insurance.

Verisk offers a robust suite of solutions to help insurers address the challenges of today’s cyber market. To learn more, visit Verisk.com/cyber.


David Geller, CPCU, SCLA, is a senior analyst with the ISO Emerging Issues team. You can contact David at David.Geller@Verisk.com.

Caitlin Plunkett is the cyber lead for Verisk's commercial lines coverage products. You can contact Caitlin at CPlunkett@verisk.com.
