Five years on: The shadow of WannaCry and NotPetya | Viewpoint

cyber risk ransomware

Cyber risk is not new, or stationary, it is complex and evolving. But for all its complexity, like most things human, cyber risk follows a cyclical pattern. New risks may emerge, but the vast majority of risks are just old threats re-imagined for a new age.

WannaCry and NotPetya still cast a heavy shadow over us five years on but older readers will agree these are mere shadows compared to the chaos caused by Conficker, Melissa, ILOVEYOU and SQL Slammer in the early 2000s. 

This older generation of malware worms was significantly more potent but came at a time when both their recognition and insurable impact were considerably moderated as corporate and business processes were far less digitised – in an age before the evolution of cyber insurance.

From these older-generation threats through to more recent events with WannaCry and NotPetya, what do we know now, what have we learned, and what has changed?

“Ransomware is now a mainstream threat. Across all walks of life, we hear about it, with regularity and fear – it is not some niche risk constrained to the IT security industry”

The threat of systemic malware/ransomware still drives the risk we face. Some worry about cloud outages but compared to the impacts of these attacks this is mainly “observation bias” as it is easy to picture a cloud outage. Compared to malware/ransomware, cloud outages are a second-tier peril. 

The good news is the absence of significant malware/ransomware events since WannaCry and NotPetya, but like hurricanes spiralling around the Atlantic without making landfall, we’ve had a selection of headline-grabbing near misses or glancing blows. The last 18 months alone saw SolarWinds, the Microsoft Exchange vulnerability, Kaseya, Blackbaud and, most notably, Log4Shell.

The recent near misses show that when a vulnerability exists it doesn’t mean it will be exploited, or that it is easy to successfully exploit vulnerabilities in a way that can be automated or “wormable”. Threat actors might not want to cause significant amounts of harm, and corporates may urgently mitigate the risk if the threat is so great.

So, what has changed since WannaCry? Ransomware is now a mainstream threat….