The Next WannaCry Won’t Look Like WannaCry: Nine Years Later, Ransomware Has Evolved. The Resilience Fundamentals Haven’t.

June 30, 2026

By Mary Fernandez and Andy Jabbour

A little over nine years ago, WannaCry reminded the world that a single cyber vulnerability could become a global operational crisis in a matter of hours. Organizations around the world watched a cyberattack spread at unprecedented speed. On 12 May 2017, WannaCry exploited a vulnerability in Microsoft’s Server Message Block (SMB) protocol using the EternalBlue exploit, rapidly propagating from system to system with little or no user interaction. Within hours, more than 230,000 computers across over 150 countries had been infected. Hospitals diverted patients, manufacturers halted production, logistics companies experienced widespread disruption, and governments scrambled to understand what was happening. For many organizations, and even sectors of critical infrastructure, WannaCry became the defining ransomware event. Ransomware hasn’t gone away. And whether it is remembering WannaCry, or the 2021 Colonial Pipeline attack, the evolution of ransomware and extortion threats we continue to see daily, or the developing threats we see as attackers leverage AI to enhance their attacks, we have to continue to focus on the critical fundamentals that can get us through a ransomware event.

Since WannaCry, and very frequently over the last few months, our team has delivered numerous presentations and exercises on cyber threats, with an emphasis on ransomware, and a heavy foot-stomping on the fundamental mitigation and resilience actions leaders should be taking to reduce risk and bolster resilience. Like blocking and tackling in football, cybersecurity fundamentals never go out of style. Threat actors evolve. Technologies change. AI accelerates both offense and defense. But organizations that consistently execute the fundamentals continue to outperform those chasing the newest shiny object.

That message has only become more current. NIST recently published the final version of NIST IR 8374 Revision 1, Ransomware Risk Management: A Cybersecurity Framework 2.0 Community Profile, which maps ransomware risk management to CSF 2.0 outcomes across Govern, Identify, Protect, Detect, Respond, and Recover. CISA has also reinforced the need for faster, risk-based remediation through BOD 26-04: Prioritizing Security Updates Based on Risk, which focuses agencies on factors such as public exposure, known exploitation, exploit automation, and technical impact.

Taken together, these efforts reinforce a key point Gate 15’s Preston Wright made last week in his post, “The End of Routine Patching”: patching is not just IT hygiene. It is a resilience function and a leadership responsibility. Organizations need to know what they own, understand what is exposed, prioritize what is actively exploited, and move quickly when risk changes.

The Lesson Was Never Just About Ransomware

One of the most important lessons from WannaCry wasn’t simply that ransomware could spread quickly. It was that a known vulnerability, left unresolved at scale, could become an operational crisis. Organizations that had visibility into their environment, applied available patches, and acted quickly were better positioned. Organizations that didn’t were forced into response mode after the damage had already started.

WannaCry also showed the value of timely information sharing. During a fast-moving incident, defenders need to understand what is happening, whether they are exposed, what indicators to look for, and what mitigations are working. No single organization has the full picture alone. Trusted information sharing helps turn isolated observations into collective action.

Those two lessons still hold. Vulnerability management and information sharing are not side activities. They are core resilience capabilities. The time between vulnerability disclosure and active exploitation continues to compress, and organizations that can’t quickly identify, prioritize, and remediate known risks are accepting unnecessary exposure before a ransomware event ever begins. Patch management is no longer simply an IT maintenance function. It is an operational resilience capability. Every day that a known exploited vulnerability remains unpatched is another day attackers have an opportunity to succeed. Reducing that window has become one of the simplest—and most impactful—ways organizations can improve resilience. 

That does not mean every vulnerability carries the same urgency. Mature vulnerability management requires organizations to understand what they own, what is exposed, what is business-critical, what is being actively exploited, and what would create operational impact if compromised. The organizations that continue to suffer the most are rarely compromised because they failed to buy another security product. They are often compromised because known risks remained unresolved for too long.

Ransomware Isn’t What It Used to Be

The ransomware of 2017 was largely about denying access to systems. Today’s ransomware is about denying organizations options. Modern attacks frequently begin with data theft, identity compromise, or social engineering long before encryption is deployed—if encryption is even deployed at all. Threat actors may steal sensitive information first, threaten public disclosure, contact customers or business partners, pressure executives, and leverage regulatory reporting requirements to increase the likelihood of payment. Extortion has become the business model. Encryption has become one tool. Today, the objective isn’t simply to encrypt systems—it’s to create business pressure.

Weekly reporting from our partners at eCrime continues to demonstrate the scale of this activity. As of reporting on 30 June, there were 146 publicly disclosed ransomware and data leak claims over the last seven days involving 36 active threat groups, underscoring that leak sites and extortion remain central components of today’s criminal ecosystem.

Likewise, industrial organizations continue to face sustained operational pressure. In their Industrial Ransomware Analysis for the First Quarter of 2026, Dragos documented 1,020 ransomware incidents affecting industrial organizations during the quarter; “manufacturing, transportation, industrial control system (ICS) equipment manufacturers, and engineering firms once again represented the most affected sectors.” These incidents are no longer simply IT problems; they increasingly threaten operational continuity, supply chains, and critical infrastructure with broad and often painful cascading effects.

The New Initial Access Vector Is Trust

Perhaps the biggest evolution since WannaCry is how attackers gain access. Rather than relying exclusively on software vulnerabilities, today’s threat actors increasingly exploit trusted relationships. They call IT help desks pretending to be employees. They use voice phishing (vishing) to convince support staff to reset passwords or enroll new multifactor authentication devices. They compromise cloud identities rather than domain controllers. They abuse remote management software instead of exploiting operating systems. They target vendors, contractors, and third parties with privileged access. 

Recent reporting from Google Threat Intelligence M-Trends 2026 has highlighted the continued success of sophisticated social engineering campaigns that bypass technical controls by targeting people rather than systems. In their summary, Google wrote, “exploits remained the most common initial infection vector for the sixth consecutive year, accounting for 32% of intrusions. However, highly interactive voice phishing saw a significant surge to 11%, becoming the second-most commonly observed vector.” That matters because these attacks don’t just test technology. They test how organizations verify identity, approve access, support users, manage vendors, and make decisions under pressure. Technology remains critical. But increasingly, attackers are attacking organizational trust.

Convergence Is Accelerating

Another important change since 2017 is the convergence of cyber threats. The lines separating ransomware operators, financially motivated cybercriminals, nation-state actors, hacktivists, and influence operations continue to blur. Recent intelligence reporting has highlighted ransomware groups using social engineering, cloud compromise, supply chain attacks, and physical access attempts alongside more traditional cyber techniques. Other reporting has examined how geopolitical tensions may increasingly drive convergence between cyber operations, physical disruption, influence campaigns, and financially motivated criminal activity. Increasingly, cyber incidents don’t remain cyber incidents. They evolve into communications crises, legal matters, regulatory investigations, physical security concerns, executive decision-making challenges, and reputation management events. Organizations that prepare only for technical recovery are preparing for only part of the incident.

Organizations should prepare for incidents that extend well beyond technology. Today’s ransomware event may quickly become tomorrow’s communications and corporate crisis, regulatory investigation, legal challenge, supply chain disruption, or executive leadership issue. That is no longer hypothetical. It is becoming routine. It is happening daily to organizations everywhere around the world: critical infrastructure, faith-based organizations, non-profits, and small and medium-sized businesses.

Speed Has Become a Security Control

One consistent theme has emerged across ransomware and extortion incidents over the past several years: Speed matters.

Attackers move faster:

  • Exploit development is faster.
  • Credential abuse is faster.
  • Cloud compromise is faster.
  • Public extortion is faster.

Organizations must respond faster as well. That means defenders need to:

  • Patch faster.
  • Detect faster.
  • Communicate faster.
  • Make executive decisions faster.
  • Recover faster.

The organizations that consistently perform well are not necessarily those with the largest security budgets. They are often those that have reduced the time between identifying risk and effectively taking action. Speed has become one of the most important security controls an organization possesses.

We often tell clients that resilience isn’t measured by whether you experience a ransomware incident. It’s measured by how effectively your organization continues operating while responding to one.

Resilience Is the Competitive Advantage

Resilience isn’t measured only by whether an organization experiences a ransomware incident. It is measured by how effectively the organization continues operating while responding to one. 

Information sharing is part of that resilience. During a fast-moving incident, timely sharing helps organizations understand what is happening, determine whether they are exposed, identify indicators of compromise, prioritize mitigations, and learn from others’ response actions. No single organization has the full picture alone. Trusted information sharing helps turn isolated observations into collective action.

Nine years after WannaCry, the fundamentals still matter.

  • Complete a cybersecurity assessment and understand where the organization is exposed.
  • Maintain an accurate inventory of assets, identities, critical systems, and vendors.
  • Patch aggressively, with priority given to exposed systems and actively exploited vulnerabilities.
  • Reduce your attack surface.
  • Protect identities, especially privileged accounts and help desk processes.
  • Back up critical systems and test restoration.
  • Exercise your incident response, crisis management, legal, communications, and executive decision-making.
  • Exercise your security teams and your executives, and exercise with your vendors and key partners.
  • Include vendors and key partners in resilience planning and exercises.
  • Prepare executives to make difficult decisions under pressure.
  • Test crisis communications before a public incident occurs.
  • Understand your third-party risk and dependency risk.
  • Routinely conduct event and incident post-mortems and apply lessons learned.

Know how your organization will operate if critical technology becomes unavailable. That includes understanding which business functions must continue, which systems support them, who needs to make decisions, and how the organization will communicate when normal tools are disrupted.

Most importantly, recognize that ransomware resilience is no longer solely the responsibility of IT (it never really was). It belongs to legal, human resources, communications, operations, executive leadership, and the board because ransomware is ultimately a business disruption—not simply a technology problem. The organizations best positioned to withstand ransomware are the ones that treat resilience as an enterprise responsibility before an incident occurs.

At Gate 15, we often remind our clients that our goal is not simply preventing cyber incidents. It is helping organizations anticipate disruption, make informed decisions during crises, continue delivering critical business functions under pressure, and recover stronger afterward. The next WannaCry probably won’t spread through an unpatched SMB vulnerability. It may begin with a phone call to your help desk, a compromised cloud identity, a trusted vendor, an AI-assisted phishing campaign, or stolen data quietly appearing on an extortion site weeks before anyone realizes an intrusion occurred. Nine years after WannaCry, the lesson remains remarkably consistent. The organizations that combine strong cybersecurity fundamentals with operational resilience—by preparing their people, processes, leadership, and technology together—will be best positioned to withstand whatever comes next. Because the next WannaCry won’t look like WannaCry. But it will demand the same urgency to understand the threats, assess the risks, share information, and take action.

