Ransomware was adapting well to its new environment. It had mastered the art of paralyzing its victims and extorting their money, but it was still inefficient in its distribution. Most ransomware relied on distribution through emails and browsers, targeted at users through spam or phishing attacks. While this approach had always been dangerous, it had never been truly catastrophic, as single users were the targets rather than whole organizations. This all changed in 2017 with WannaCry. WannaCry still relied on a phishing attack for the initial infection, but it then spread through networks using an SMB vulnerability. The exploit for this vulnerability (EternalBlue) was leaked by the Shadow Brokers hacker group in April 2017, and only 28 days later, it was weaponized as part of WannaCry. It was used again in the NotPetya cyberattack and as part of the Retefe banking Trojan. EternalBlue allowed ransomware to spread massively without any interaction from the users (aside from the initial infection). Defenders had to be right 100 percent of the time, while attackers needed to find just one weak entry point.