What we've learned about ransomware after five years

May 20, 2022

Five years have passed since one of the largest large-scale cyberattacks in history.

Five years ago, on May 12, 2017, Wannacry's tour of half the world's computer systems began, the malware that took advantage of a Windows vulnerability and managed to encrypt files and demand a ransom from users of more than 230,000 computers in 150 countries.

The impact on the world of cybersecurity was transcendental. First of all, Wannacry was one of the first ransomware attacks in recent history to be widely reported in the press, to the point where even non-experts were alerted. Even people who did not play a technical role in companies realized how dangerous and damaging the ransomware threat could be.

Second, the tools used by Wannacry to breach systems could be traced directly to toolkits stolen from states, showing that sophisticated espionage by cybercriminals was becoming increasingly popular among lower-level operators. Wannacry was therefore a wake-up call for security programs, which until then had been interested in maintaining the status quo. It highlighted the need for more proactive security measures, demonstrating the inadequacy of simple firewalls to ensure system protection.

From ransomware to RansomOps

Five years after Wannacry, organizations have acquired a new awareness of computer security. However, in the meantime, ransomware has also evolved and the threat level has continued to grow. More than ransomware, today it would be better to talk about RansomOps. Today's threats rely primarily on modern, interactive tactics implemented by human operators, which have replaced the semi-managed, programmatic approach of a payload worm like Wannacry was. This is an important distinction because it affects how companies must defend themselves.

With previous generations of ransomware, the time between infection and the malicious activity performed by the payload was short and the attack path quite predictable, which meant that security controls - often based on an endpoint function - intervened directly at the scene of the attack or it was discovered fairly quickly that there was a more extensive problem.

Modern ransomware gangs, on the other hand, tend to stalk computer systems for much longer to extract as much value as possible, before making an appearance by encrypting or destroying data. It's not uncommon to wait days or weeks before seeing payloads in action, which means that by the time a problem is detected, it's often too late to take action.

From prevention to detection

Given the current ransomware strategy, a modern protection system must focus on the pre-threat phase, from detecting command and control signals to identifying misused or abused credentials. It's a race against time to find and expel ransomware before it exfiltrates data and destroys the organization.

Preventive controls are crucial, but alone they are no longer enough. In addition to keeping malware authors out, you must now have full visibility into your environments and integrate advanced detection and response capabilities to mitigate threats that are already evading existing controls.

Through the advanced technology of THETA432 services, effective protection against ransomware attacks is provided, among its benefits are:

  1. Detect and combat digital threats at an early stage by exploiting machine learning to detect suspicious behavior.
  2. Warn users.
  3. Effectively protect companies and individuals from fraudulent activities.


  • Domínguez, M. (May 19th, 2022). Cinco años después de Wannacry, lo que hemos aprendido sobre el ransomware. Retrieved from: https://cybersecuritynews.es/cinco-anos-despues-de-wannacry-lo-que-hemos-aprendido-sobre-el-ransomware/

Authored by

Jorge Daniel Tejeda