2017
In May and June 2017, two cyberattacks spread across the globe at a speed that the security industry had never seen. WannaCry and NotPetya were not sophisticated targeted attacks — they were worms that propagated automatically, requiring no user interaction. Within hours of release, each had infected hundreds of thousands of systems across dozens of countries.
WannaCry and NotPetya changed the cybersecurity conversation at the board level permanently. When a single attack could shut down a hospital network, halt shipping operations at the world's largest container carrier, and cause estimated damages of $10 billion, the C-suite could no longer treat cybersecurity as an IT problem.
The EternalBlue Exploit: A Stolen Weapon
Both WannaCry and NotPetya used EternalBlue, an exploit for a vulnerability in Windows' SMB protocol that had been developed by the NSA as a cyberweapon and stolen by the Shadow Brokers hacking group in 2016. Microsoft had patched the vulnerability in March 2017, two months before WannaCry deployed it.
The patch was available. The problem was that patching at scale — particularly in organizations with thousands of systems, legacy Windows installations, and operational technology networks — was harder than security teams had acknowledged.
Healthcare systems ran Windows XP on medical devices that couldn't be updated without vendor certification. Manufacturing plants ran Windows 7 on production control systems where downtime for patching was economically unacceptable. These systems, unpatched and internet-connected, were WannaCry's primary victims.
WannaCry: The Ransomware Worm
WannaCry launched on May 12, 2017. Within 24 hours it had infected over 200,000 systems in 150 countries. The UK's National Health Service was among the worst-affected organizations — hospitals were forced to cancel appointments, divert ambulances, and revert to paper records.
WannaCry encrypted files and demanded $300-600 in Bitcoin for decryption keys. The ransom mechanism was poorly implemented — attackers had difficulty matching payments to victims — and most analysts concluded the financial returns were modest compared to the disruption caused, suggesting the primary motivation may have been sabotage rather than profit.
A security researcher discovered a kill switch — WannaCry checked for the existence of a specific domain before executing, and registering that domain stopped the spread. This accidental discovery limited the damage, but not before WannaCry had demonstrated the global scale of unpatched vulnerability exposure.
NotPetya: The Destructive Cyberweapon
NotPetya followed six weeks later, launching on June 27, 2017. It appeared to be ransomware but was actually designed to destroy. The decryption mechanism was fake — paying the ransom returned nothing. NotPetya was later attributed to Sandworm, a Russian GRU hacking team, and characterized by the US and UK governments as a deliberate act of cyberwarfare against Ukraine that spread globally.
Maersk, the world's largest container shipping company, lost an estimated $300 million. Merck lost $870 million. FedEx's TNT subsidiary lost $400 million. Mondelez, Reckitt Benckiser, and dozens of other multinationals were severely disrupted.
Maersk's recovery story became a case study in incident response. The company rebuilt 45,000 PCs and 4,000 servers in 10 days, reinstalling software and restoring data from the single domain controller that survived because it happened to be offline during a power outage in Ghana.
What Changed After WannaCry and NotPetya
Patching discipline improved dramatically in the years following 2017. The argument that patching was disruptive became untenable when unpatched vulnerabilities caused $10 billion in damages. Organizations that had deferred patching for months began targeting 30-day patch cycles for critical vulnerabilities.
Network segmentation received renewed investment. WannaCry's spread was enabled by flat networks where every system could reach every other system via SMB. Organizations began segmenting operational technology from corporate IT, isolating critical systems, and limiting lateral movement paths.
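To make the flat-versus-segmented difference concrete, the following added example (not part of the original article) computes the blast radius of an SMB worm as a graph traversal over which zones may open TCP 445 to which. The host inventory, zone names and rule sets are constructed for illustration.

```python
from collections import deque

# Constructed inventory: host -> (zone, patched against the SMB flaw?)
HOSTS = {
    "ws-01": ("corp", False),
    "ws-02": ("corp", True),
    "fs-01": ("servers", False),
    "dc-01": ("servers", True),
    "hmi-01": ("ot", False),
    "plc-gw": ("ot", False),
}

ZONES = {"corp", "servers", "ot"}
# Flat network: any zone may open TCP 445 to any zone.
FLAT = {(a, b) for a in ZONES for b in ZONES}
# Segmented (assumed policy): workstations reach servers only,
# servers talk to servers, OT speaks SMB only inside OT.
SEGMENTED = {("corp", "servers"), ("servers", "servers"), ("ot", "ot")}


def blast_radius(hosts, smb_allowed, patient_zero):
    """Hosts a worm could reach from patient_zero by chaining SMB hops.

    A patched host is neither infected nor used as a stepping stone.
    patient_zero is treated as already compromised.
    """
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        src = queue.popleft()
        src_zone = hosts[src][0]
        for dst, (dst_zone, patched) in hosts.items():
            if dst in infected or patched:
                continue
            if (src_zone, dst_zone) in smb_allowed:
                infected.add(dst)
                queue.append(dst)
    return infected


if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        hit = sorted(blast_radius(HOSTS, rules, "ws-01"))
        print(f"{name:9s} -> {len(hit)} hosts: {hit}")
```

With the same unpatched workstation as the starting point, the flat rule set exposes every unpatched host including the OT zone, while the segmented rule set stops at the one unpatched file server.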
The attacks accelerated the conversation about nation-state cyber risk as a business risk. NotPetya demonstrated that state-sponsored cyberweapons could cause collateral damage to businesses that weren't the intended targets. Business continuity planning began accounting for scenarios where critical infrastructure or major vendors were compromised by state actors.
The Insurance and Legal Fallout
NotPetya triggered years of litigation over cyber insurance coverage. Mondelez sued Zurich Insurance after the insurer denied its $100 million claim, citing a war exclusion. The case — eventually settled in 2023 — forced the insurance industry to clarify what constituted an act of war in cyberspace.
Most cyber insurance policies now have explicit nation-state exclusions or sublimits for attacks attributed to state actors. Organizations operating in geopolitically sensitive sectors — defense supply chains, critical infrastructure, energy — face higher premiums and more scrutiny of coverage terms.
The Outpace Approach: Resilience Over Prevention
WannaCry and NotPetya taught the security industry a lesson that Outpace builds into every security engagement: assume breach. No organization can guarantee prevention of a sophisticated attack, but every organization can invest in recovery capabilities that limit the impact.
Our security frameworks emphasize resilience as much as prevention. This means tested backup and recovery capabilities, incident response plans that have actually been exercised, network segmentation that limits blast radius, and communication protocols for the first hours of a major incident.
For clients in sectors with operational technology — manufacturing, logistics, utilities — we address the specific challenge of securing OT environments without disrupting operations. The WannaCry lesson is that OT/IT convergence without security consideration is an existential risk.
Moving Forward: Nation-State Risk Is Your Risk
The WannaCry and NotPetya attacks established that nation-state cyberweapons create risks for private organizations regardless of whether those organizations are the intended target. Collateral damage is real, and it's expensive.
The appropriate response is not paranoia but preparation. Patch critical vulnerabilities promptly. Segment networks to limit blast radius. Test recovery capabilities regularly. Understand your cyber insurance coverage terms before you need them. These preparations won't make you immune to the next NotPetya, but they will determine whether it's a recoverable disruption or an existential crisis.

