BitSight

Assessing the Global Impact of WannaCry Ransomware

Dan Dahlberg | May 26, 2017

Since our initial post during the breakout of WannaCry ransomware, our Research & Development team has learned more about the spread of this malware. While the outbreak of this ransomware surprised the entire security community, the amount of ransoms collected is estimated to only be just over $100,000 dollars. Given the global reach of this attack and the rate of spread, the figure likely could have been much higher had the malware been more complex and harder to remediate. Nonetheless, the spread of WannaCry has taught us a lot about the security culture of organizations across different sectors around the world.

This post explores the countries hit hardest by WannaCry, the network composition of IP addresses exhibiting the infection, the industries and company sizes affected most, and how BitSight Security Ratings changed across industries for organization’s infected with the malware.

global coverage


In the four day period between May 12th and May 15th, the WannaCry ransomware was observed on over 160,000 unique IP addresses. This animated graphic shows the WannaCry events originating from each country as a ratio against events worldwide.

wannacry_gif.gif

Various countries are impacted at different periods, with China, Russia, the United States, France, UK, Brazil, and Peru having notable periods of a high number of infections compared to other countries. After the malware has infected a specific machine, it scans for other vulnerable systems both external and internal to the network. Strong concentrations of infections within countries often occur due to the worm making headway by infecting a large number of machines behind a set of IP addresses.

Request Demo

operating systems

Data from Kaspersky has shown the the majority of infections affected Windows 7 platforms, and some of our research also point in this direction. When we looked at the set of IP addresses affected by WannaCry, we extracted the operating systems that are typically used on the machines behind those IP addresses. The following graphic shows our data representing the composition of networks affected by WannaCry.

network composition_wannacry.png

Note: Recall that this is a distribution of operating systems on machines behind IP addresses that were observed to be affected by WannaCry, and not the individual infected machines. Thus, there might be unaffected machines behind the same IP address as affected machines, and would be present in the distribution above.

There is still ongoing research regarding why Windows 7 is the most popular operating system among victims. It is known that the worm had difficulty infecting Windows XP machines and spreading as it often caused the machine to crash when it attempted to exploit the vulnerabilities. Microsoft has also designed a more seamless automatic update experience for Windows 10 that would have allowed for the MS17-010 patch to be installed on a much larger population of Windows 10 machines compared to older operating systems.

affected industries

In our previous blog post, we presented a breakdown of the percent of companies within each industry that have been observed to be affected by WannaCry. In order to observe any differences in industries by size, we can separate this data into three distinct buckets representing the number of employees at these organizations. Small being any company with less than 250 employees, medium being companies with less than 1,000, and large being anything greater than or equal to 1,000.

wannacry_affected industries.png

The trends for the overall industry breakdown remain relatively consistent. The utilities industry moves from 5th to 3rd place for large companies affected by WannaCry. Excluding Telecommunications, there are roughly the same number of smaller companies affected than there are medium-sized organizations.

However, another way to view this data is not necessarily by the number of companies affected by industry, but the effect that those infections had caused by industry. This bar chart shows the average change of the BitSight security rating per company within each industry sector.

diff bitsight rating_wannacry.png

So while Insurance had ranked fairly low on the percent of companies affected by WannaCry by industry sector, since the Insurance industry performs better overall in comparison to Education and Telecommunications, those companies happen to be hit harder than others. Education and Telecommunication companies are usually rife with various forms of malware and our published industry sector studies have demonstrated this. On the other hand, industry sectors like Healthcare and Finance perform better overall in comparison, and were also more severely hit.

See if organizations you work with were vulnerable or affected to WannaCry infections. Sign up for a demo of the BitSight platform today. 

Request A Demo

Suggested Posts

What Companies Using Cloud Services Need To Know About Their Risk Responsibilities

Cloud computing is not new to the cyber world; it’s here to stay. Web services are common in our everyday lives and workplaces, with things like Facebook, Salesforce, JIRA, Adobe, and GSuite all falling into the cloud-based category. But...

READ MORE »

Joint Effort with Microsoft to Disrupt Massive Criminal Botnet Necurs

Since 2017 BitSight has been working together with Microsoft’s Digital Crimes Unit (DCU) to understand the inner workings of the Necurs malware, its botnets and command and control infrastructure in order to take disruptive action against...

READ MORE »

Forecasting and Advanced Analytics: Building a Solid Security Strategy For 2020

2020 is not only the beginning of a new year, but the start of a new decade, and with it comes the dawn of a new era for the digital world. We’re now in the midst of the once far-off, “futuristic” time periods old books and movies used to...

READ MORE »

Subscribe to get security news and updates in your inbox.