Anubis BitSight Labs

Assessing the Global Impact of WannaCry Ransomware

Dan Dahlberg | May 26, 2017

Since our initial post during the breakout of WannaCry ransomware, our Research & Development team has learned more about the spread of this malware. While the outbreak of this ransomware surprised the entire security community, the total ransom collected is estimated at just over $100,000. Given the global reach of this attack and the rate of spread, the figure likely could have been much higher had the malware been more complex and harder to remediate. Nonetheless, the spread of WannaCry has taught us a lot about the security culture of organizations across different sectors around the world.

This post explores the countries hit hardest by WannaCry, the network composition of IP addresses exhibiting the infection, the industries and company sizes affected most, and how BitSight Security Ratings changed across industries for organizations infected with the malware.

Global Coverage

In the four-day period between May 12th and May 15th, the WannaCry ransomware was observed on over 160,000 unique IP addresses. This animated graphic shows the WannaCry events originating from each country as a ratio against events worldwide.


Various countries are impacted at different periods, with China, Russia, the United States, France, UK, Brazil, and Peru having notable periods of a high number of infections compared to other countries. After the malware has infected a specific machine, it scans for other vulnerable systems both external and internal to the network. Strong concentrations of infections within countries often occur due to the worm making headway by infecting a large number of machines behind a set of IP addresses.
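A defender-side illustration of the scanning behaviour described above, as an added example that is not part of the original post: it flags hosts that contact an unusually large number of distinct destinations on TCP 445 (SMB, the service patched by MS17-010) within a short window, and splits those destinations into internal and external. The flow-record layout, the window length and the threshold are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def sample_flows():
    """Constructed flow records (not real data): (epoch_s, src, dst, dst_port)."""
    flows = []
    for i in range(1, 41):   # 10.0.0.5 sweeps its own subnet on SMB ...
        flows.append((1000 + i, "10.0.0.5", f"10.0.0.{i + 10}", 445))
    for i in range(1, 31):   # ... and then external addresses (documentation range)
        flows.append((1050 + i, "10.0.0.5", f"198.51.100.{i}", 445))
    for i in range(50):      # 10.0.0.9: normal client, one file server, many sessions
        flows.append((1000 + i, "10.0.0.9", "10.0.0.2", 445))
    for i in range(1, 61):   # 10.0.0.7: many destinations, but HTTPS rather than SMB
        flows.append((1000 + i, "10.0.0.7", f"203.0.113.{i}", 443))
    return flows

def smb_fanout(flows, window=300, threshold=25, port=445):
    """Return {src: {"internal": n, "external": n}} for every source that reaches
    at least `threshold` distinct destinations on `port` inside one `window` (seconds)."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start, counts, best = 0, defaultdict(int), set()
        for ts, dst in events:
            counts[dst] += 1
            while ts - events[start][0] > window:   # evict events older than the window
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) > len(best):              # remember the widest fan-out seen
                best = set(counts)
        if len(best) >= threshold:
            internal = sum(is_internal(d) for d in best)
            alerts[src] = {"internal": internal, "external": len(best) - internal}
    return alerts

if __name__ == "__main__":
    for src, split in smb_fanout(sample_flows()).items():
        print(src, split)
```

Counting distinct destinations rather than connections is what keeps the busy file-server client out of the results.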


Operating Systems

Data from Kaspersky has shown that the majority of infections affected Windows 7 platforms, and some of our research also points in this direction. When we looked at the set of IP addresses affected by WannaCry, we extracted the operating systems that are typically used on the machines behind those IP addresses. The following graphic shows our data representing the composition of networks affected by WannaCry.

network composition_wannacry.png

Note: Recall that this is a distribution of operating systems on machines behind IP addresses that were observed to be affected by WannaCry, and not of the individual infected machines. Thus, there might be unaffected machines behind the same IP address as affected machines, and they would be present in the distribution above.

There is still ongoing research regarding why Windows 7 is the most popular operating system among victims. It is known that the worm had difficulty infecting Windows XP machines and spreading as it often caused the machine to crash when it attempted to exploit the vulnerabilities. Microsoft has also designed a more seamless automatic update experience for Windows 10 that would have allowed for the MS17-010 patch to be installed on a much larger population of Windows 10 machines compared to older operating systems.

Affected Industries

In our previous blog post, we presented a breakdown of the percent of companies within each industry that have been observed to be affected by WannaCry. In order to observe any differences in industries by size, we can separate this data into three distinct buckets representing the number of employees at these organizations: small is any company with fewer than 250 employees, medium is any company with fewer than 1,000, and large is anything greater than or equal to 1,000.

wannacry_affected industries.png

The trends for the overall industry breakdown remain relatively consistent. The utilities industry moves from 5th to 3rd place for large companies affected by WannaCry. Excluding Telecommunications, there are roughly the same number of smaller companies affected as there are medium-sized organizations.

However, another way to view this data is not by the number of companies affected in each industry, but by the effect that those infections had in each industry. This bar chart shows the average change of the BitSight security rating per company within each industry sector.

diff bitsight rating_wannacry.png

So while Insurance ranked fairly low on the percentage of companies affected by WannaCry by industry sector, the Insurance industry performs better overall than Education and Telecommunications, so those companies happened to be hit harder than others. Education and Telecommunications companies are usually rife with various forms of malware, as our published industry sector studies have demonstrated. On the other hand, industry sectors like Healthcare and Finance perform better overall in comparison, and were also more severely hit.
