It has been five years since the dumpster fire we all remember as WannaCry. WannaCry is self-propagating ransomware that held hundreds of thousands of devices around the world hostage in 2017. While the WannaCry attack was catastrophic, the worm-like ransomware attack also served as a lesson for cybercriminals and network defenders alike. From a cybercriminal’s perspective, it was a perfect example of what not to do. For network defenders, WannaCry highlighted the risks associated with destructive, self-propagating malware.
On 12 May 2017, WannaCry ransomware began spreading like wildfire through computer networks across the world, encrypting over 200,000 devices across 150 countries within 24 hours. WannaCry was "wormable", meaning the malware could self-propagate without any human interaction. A ransom note displayed on compromised devices demanded $300 to $600 in Bitcoin, far less than the average ransom demanded by other ransomware groups at the time.
WannaCry used the "EternalBlue" exploit, which the Shadow Brokers threat group had released in April 2017 after allegedly stealing it from the United States National Security Agency (NSA). EternalBlue exploits a flaw (CVE-2017-0144) in Microsoft's SMBv1 implementation (Server Message Block, the Windows file- and printer-sharing protocol). Microsoft had patched it in March 2017 in security bulletin MS17-010, two months before the outbreak, but a large number of systems remained unpatched and still exposed SMBv1 on TCP port 445.
The "DoublePulsar" kernel backdoor, from the same leak, was implanted through EternalBlue and used as the loader that injected the WannaCry payload into the target. Once running, WannaCry scanned the local network and random internet addresses for other hosts exposing SMB and exploited them in turn, with no user interaction required.
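As an added example (not code from this article or from ReliaQuest), the following Python script probes a host for SMBv1 the way a defender would triage exposure to EternalBlue: it sends a minimal SMB1 Negotiate Protocol request to TCP/445 and reads whether the server accepts the "NT LM 0.12" dialect. The sample replies at the bottom are constructed, not captured from a real host. A host that still negotiates SMBv1 is not necessarily unpatched for MS17-010, but SMBv1 is the surface EternalBlue needs, and disabling it is the standard compensating control where the patch cannot be applied.

```python
"""Probe whether a Windows host still negotiates SMBv1.

Added example for this article, not ReliaQuest or Microsoft code. It builds a
bare SMB1 Negotiate Protocol request offering only the "NT LM 0.12" dialect,
sends it to TCP/445 and parses the reply. It identifies hosts where SMBv1 is
still enabled; it does NOT prove a host is unpatched for MS17-010.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"        # SMB1 header signature ("\xfeSMB" would be SMB2)
SMB_COM_NEGOTIATE = 0x72
NO_DIALECT = 0xFFFF            # DialectIndex a server returns when it accepts none

# SMB1 header after the 4-byte magic: command, NTSTATUS, flags, flags2,
# pid_high, 8-byte signature, reserved, tid, pid_low, uid, mid (28 bytes).
_HDR = "<BIBHH8sHHHHH"


def build_negotiate_request(dialects=(b"NT LM 0.12",)) -> bytes:
    """NetBIOS-framed SMB_COM_NEGOTIATE request for the given dialect list."""
    header = SMB1_MAGIC + struct.pack(
        _HDR, SMB_COM_NEGOTIATE, 0, 0x18, 0xC853, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0
    )
    # Body: WordCount=0, ByteCount, then each dialect as 0x02 + string + NUL.
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    smb = header + struct.pack("<BH", 0, len(body)) + body
    # NetBIOS session service header: message type 0x00 + 3-byte length.
    return struct.pack(">I", len(smb)) + smb


def parse_negotiate_response(data: bytes):
    """Return (is_smb1, dialect_index) for a raw reply, (False, None) if not SMB1."""
    smb = data[4:]  # strip NetBIOS framing
    if len(smb) < 33 or smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return False, None
    word_count = smb[32]
    if word_count == 0 or len(smb) < 35:
        return True, NO_DIALECT  # empty or truncated parameter block: treat as refused
    return True, struct.unpack_from("<H", smb, 33)[0]


def smb1_enabled(host: str, port: int = 445, timeout: float = 3.0):
    """True if the host accepts SMBv1, False if it refuses, None if it did not answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate_request())
            data = sock.recv(4096)
    except OSError:
        return None
    if not data:
        return False  # connection closed without an SMB reply (SMBv1 off)
    is_smb1, index = parse_negotiate_response(data)
    return bool(is_smb1 and index != NO_DIALECT)


def _sample_reply(word_count: int, dialect_index: int) -> bytes:
    """Constructed SMB1 negotiate reply (not captured from a real host) for offline use."""
    header = SMB1_MAGIC + struct.pack(
        _HDR, SMB_COM_NEGOTIATE, 0, 0x98, 0xC853, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0
    )
    params = struct.pack("<BH", word_count, dialect_index) + b"\x00" * 32
    smb = header + params
    return struct.pack(">I", len(smb)) + smb


SAMPLE_SMB1_ACCEPT = _sample_reply(17, 0)            # server picked "NT LM 0.12"
SAMPLE_SMB1_REFUSE = _sample_reply(1, NO_DIALECT)    # server accepts no SMB1 dialect
SAMPLE_SMB2_REPLY = struct.pack(">I", 64) + b"\xfeSMB" + b"\x00" * 60  # SMB2, not SMB1

if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:  # e.g. python smb1_probe.py 10.0.0.5 (hypothetical host)
        print(target, smb1_enabled(target))
```

Run it against a list of hosts from your asset inventory; `None` means nothing answered on 445 (host down, filtered, or timed out), `False` means the port answered but would not negotiate SMBv1, and `True` is a host to fix. Only probe systems you are authorised to test.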
Hours after the campaign began, security researcher Marcus Hutchins noticed a domain name in the WannaCry code. The domain was unregistered, so Hutchins registered it. Registering domains found in malware samples was a familiar practice for Hutchins in his role as a malware researcher.
Hutchins and his colleague Jamie Hankins inspected the code further and realized that on execution WannaCry attempted an HTTP request to the domain. If the request failed, the malware proceeded to infect the device and encrypt its files; if the request succeeded, it exited without doing anything. Registering the domain therefore acted as a kill switch, a mechanism for shutting down a device or, in this case, a piece of malware.
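The kill-switch behaviour has a consequence for defenders that the narrative above does not spell out: a lookup of the kill-switch domain means the sample executed on that host, whichever way the lookup went. The Python hunt below is an added example (not ReliaQuest code, and not the original article's) that runs over constructed resolver log lines. The log format, the client addresses and the `KILL_SWITCH_DOMAIN` placeholder are all assumptions; substitute the real kill-switch domain from your threat-intelligence feed and adapt the regex to your resolver's log format.

```python
"""Hunt DNS resolver logs for hosts that tried the WannaCry kill-switch check.

Added example for this article, not ReliaQuest code. The log format and the
host/domain values are constructed; KILL_SWITCH_DOMAIN is a placeholder to be
replaced with the real kill-switch domain from your threat-intelligence feed.
A failed lookup (NXDOMAIN, SERVFAIL, REFUSED) means the check failed and the
payload went on to encrypt and spread; a successful one means the kill switch
fired, but the host was still reached by the worm and needs triage.
"""
import re
from collections import defaultdict

KILL_SWITCH_DOMAIN = "killswitch-domain.example"   # placeholder, see docstring

PAYLOAD_LIKELY_RAN = "payload_likely_ran"        # at least one lookup failed
HALTED_BY_KILL_SWITCH = "halted_by_kill_switch"  # every lookup resolved

# Constructed resolver log (not real data): timestamp, client, qname, qtype, rcode.
SAMPLE_DNS_LOG = """\
2017-05-12T13:58:02Z 10.0.4.17 update.microsoft.com A NOERROR
2017-05-12T14:03:11Z 10.0.4.17 killswitch-domain.example A NXDOMAIN
2017-05-12T14:03:40Z 10.0.4.23 killswitch-domain.example A SERVFAIL
2017-05-12T15:41:09Z 10.0.7.5 killswitch-domain.example A NOERROR
2017-05-12T15:42:00Z 10.0.7.5 KILLSWITCH-DOMAIN.EXAMPLE. A NOERROR
2017-05-12T16:10:27Z 10.0.4.23 killswitch-domain.example A NOERROR
2017-05-12T15:50:33Z 10.0.9.2 mail.example.org MX NOERROR
"""

_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<rcode>\S+)$"
)


def _canonical(name: str) -> str:
    # DNS names are case-insensitive and may be logged with a trailing dot.
    return name.rstrip(".").lower()


def parse_dns_log(text: str):
    """Yield one dict per well-formed line; silently skip anything else."""
    for line in text.splitlines():
        match = _LINE.match(line.strip())
        if match:
            yield match.groupdict()


def hunt_kill_switch(text: str, domain: str = KILL_SWITCH_DOMAIN) -> dict:
    """Map each client that queried `domain` to its first lookup time and a verdict."""
    target = _canonical(domain)
    rcodes = defaultdict(set)
    first_seen = {}
    for rec in parse_dns_log(text):
        if _canonical(rec["qname"]) != target:
            continue
        client = rec["client"]
        rcodes[client].add(rec["rcode"].upper())
        # Keep the earliest timestamp; log lines may not arrive in order.
        if client not in first_seen or rec["ts"] < first_seen[client]:
            first_seen[client] = rec["ts"]
    verdicts = {}
    for client, codes in rcodes.items():
        # One failed lookup is enough: that execution skipped the kill switch.
        # A later successful lookup (e.g. after the domain was registered) does
        # not undo the encryption the earlier run started, so 10.0.4.23 is "ran".
        verdict = PAYLOAD_LIKELY_RAN if codes - {"NOERROR"} else HALTED_BY_KILL_SWITCH
        verdicts[client] = {"first_seen": first_seen[client], "verdict": verdict}
    return verdicts


if __name__ == "__main__":
    for client, info in sorted(hunt_kill_switch(SAMPLE_DNS_LOG).items()):
        print(f"{client:12} {info['first_seen']} {info['verdict']}")
```

Two caveats when reading the verdicts. The check was a direct HTTP request, so a host that can only reach the internet through an explicit proxy fails it even after the domain is registered; a NOERROR in DNS therefore does not guarantee the kill switch fired, and proxy or web logs are the better evidence for those hosts. And if you sinkhole the domain to an internal web server, as many organisations did, the resolver will always answer NOERROR and the sinkhole's access log becomes the authoritative list of hosts that ran the sample.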
By the time the dust had settled, WannaCry had infected over 230,000 devices in 150 countries causing approximately $4 billion in damages. The National Health Service (NHS) in the UK was one organization known to be impacted by the attack, which led to several emergency rooms having to close their doors and thousands of medical appointments to be rescheduled. Routine and emergency surgeries were canceled as NHS staff were unable to access their devices.
The kill switch prevented additional systems from being infected, but thousands were already encrypted. The damage was compounded by the minimal chance that victims would receive a decryption key even after paying: WannaCry had no reliable way of determining which victims had paid, because every infection directed payment to the same three hard-coded Bitcoin addresses rather than to a per-victim address.
The world was left wondering who was behind this disruptive attack, and several theories surfaced in the days that followed. On 18 May 2017, Digital Shadows (now ReliaQuest) applied the Analysis of Competing Hypotheses (ACH) technique to weigh the likelihood of each theory. At that time, we assessed that WannaCry may have been launched by an unsophisticated cybercriminal actor, citing among other things the poor coordination and implementation of the attack.
However, later in May 2017 security researchers began connecting the dots, linking code overlaps to "APT38" (aka Lazarus), a North Korean state-sponsored threat group. On 18 Dec 2017, the United States publicly attributed the WannaCry attack to North Korea, and on 17 Feb 2021 three North Korean computer programmers were indicted for their part in several cyber crimes, including the creation of WannaCry. APT38 is known for financially motivated attacks, which is unusual for a nation-state group in general but common among North Korean APTs; this may be due to sanctions that negatively impact North Korea's economy.
The cybercriminal community also likely learned several lessons from this impactful attack. WannaCry showed ransomware developers the importance of building mechanisms that tell victims apart. Failing to deliver a decryption key after a ransom is paid is ultimately bad for business and dissuades future victims from paying. Reputation matters to ransomware groups: persuading victims that paying is their best option is what earns these groups significant profits, as the remarkable escalation of ransomware activity since WannaCry demonstrates.
In combination with the fatal payment flaw, WannaCry had more victims than its operators could handle, and the attack quickly got out of hand. Communicating with thousands of victims across many time zones is logistically challenging. The DarkSide ransomware group ran into the same problem during the Colonial Pipeline attack: the group had rules prohibiting attacks against critical infrastructure, but likely struggled to manage the actions of all of its affiliates.
Finally, the WannaCry attack exposed a worldwide patch management problem. A single vulnerability present on thousands of devices can have dire consequences. Network defenders know patch management is challenging because every environment has different dependencies and infrastructure. Cybercriminals know it too, and exploiting unpatched vulnerabilities remains a top initial access vector for many ransomware groups.
Five years after the infamous WannaCry attack, ransomware remains arguably the biggest threat facing businesses. When ransomware attacks make headlines or impact an entire supply chain, the cybersecurity community tries to squeeze every last bit of information and evidence out of the event, mainly for prevention and attribution. But we are not the only ones watching and learning what not to do. As network defenders get smarter, so do cybercriminals. Ransomware remains one of the largest threats to organizations across the globe not because we are failing, but because cybersecurity professionals and cybercriminals alike are evolving.
The tactics, techniques, and procedures of ransomware groups have evolved since WannaCry, but several commonly exploited attack vectors remain, such as:
Reviewing and implementing the mitigations listed alongside each of these techniques in the MITRE ATT&CK knowledge base of adversary tactics, techniques, and procedures can significantly reduce the likelihood of a successful attack. Applying the MITRE ATT&CK framework lets security teams take quicker, more confident action based on up-to-date cyber threat intelligence.
Digital Shadows (now ReliaQuest) monitors ransomware groups to provide strategic, operational, and tactical intelligence. If you are a network defender looking to stay up to date with the evolving ransomware threat landscape, you can sign up for our Search Light (now ReliaQuest GreyMatter Digital Risk Protection) platform for access to extensive threat profiles, indicators of compromise (IOCs), a daily feed of victims, and a comprehensive breakdown of targeting by sector and geography.