On Friday, May 12, 2017, I received, like many colleagues across the region, a stream of messages that boded nothing good: hospitals in Europe shutting down equipment, factories halting production lines, and screens glowing red demanding a ransom in bitcoin. Within hours, a piece of malware called WannaCry had turned what looked like a minor technical issue into a global crisis. I will admit that, beyond the headlines, what kept me up that night was an uncomfortable question: how many of the organizations I work with across LATAM would have survived that Friday? I want to share what we learned, without empty jargon and without alarmism.
The short version: WannaCry was a ransomware attack that encrypted files on more than 200,000 machines in nearly 150 countries, exploiting a known vulnerability in the SMB network protocol of unpatched Windows systems. The lesson is not new, but it is urgent: patching on time, segmenting the network, monitoring continuously, and maintaining tested backups is the only thing that separates a scare from a catastrophe.
WannaCry belongs to a family of malware known as ransomware: programs designed to encrypt the files on a machine and demand a payment in exchange for the decryption key. So far, nothing radically different from earlier threats. What made this case a turning point was its ability to spread on its own, without requiring a user to click on a booby-trapped email.
The attack exploited a weakness in EternalBlue, a vulnerability in the SMB (Server Message Block) protocol, the mechanism Windows uses to share files and printers within a network. Microsoft had released the corrective patch in March 2017, nearly two months before the outbreak. In other words, the flaw already had a fix available. The problem was not the absence of a cure, but that too many organizations had not applied it.
WannaCry's speed comes down to a combination of factors that, unfortunately, are still present in many companies across the region. It was not magic or genius: it was the methodical exploitation of everyday oversights.
In other words, WannaCry did not knock down a wall: it found the door we left open and walked down hallways we never closed. That, to me, is the real discomfort of this case.
The good news is that the defenses against an attack of this kind are well known and within reach of any company that decides to take them seriously. At SUMāTO we approach cybersecurity as a system of layers, not as a single product you install and forget. These are the priorities.
It sounds obvious, but it is the most common failure. Every security patch you postpone is an open window. I recommend establishing a formal update cycle, with clear owners and defined timelines, especially for vulnerabilities rated as critical. If a system is too old to receive patches, it should be isolated or replaced; keeping it connected means accepting a risk that is rarely justified.
Dividing the network into zones with controls between them limits the lateral movement of a threat. Had WannaCry been forced to overcome internal barriers at every hop, its ability to spread would have been drastically reduced. Segmentation turns a wildfire into a series of containable fires.
Detecting early makes the difference between a minor incident and a disaster. A scheme of permanent surveillance, ideally supported by a security operations center (SOC), makes it possible to identify anomalous behavior (a machine that suddenly begins encrypting files en masse, for example) and react before the damage spreads. Response capability is measured in minutes, not days.
Although WannaCry spread without clicks, many ransomware threats do enter through phishing emails. People are the first point of contact with the attacker. Training your team to recognize suspicious messages is not an expense: it is one of the highest-return investments in security.
I want to pause here, because this is the point most often underestimated. All of the measures above aim to prevent the attack. But mature security accepts an uncomfortable truth: sooner or later, something will fail. The question stops being "can I be breached?" and becomes "how quickly do I recover when it happens?".
Against ransomware, a reliable backup completely changes the negotiation equation. If you have a clean, recent copy of your information, the ransom note loses almost all its power: instead of paying an extortionist, you restore your systems and keep operating. Without a backup, you are trapped between two bad options, paying with no guarantee of recovering anything, or losing the information permanently.
But not just any backup will do. I have seen too many cases of companies that believed they were protected and discovered, at the worst possible moment, that their copies were incomplete, corrupted, or infected. A backup only counts if it meets certain conditions:
That is why we design backup and recovery solutions such as SyncDR, built so that restoration is reliable and verifiable, not an act of faith. A good continuity plan goes unnoticed when everything is going well; it becomes invaluable the day something goes wrong.
Beyond the technical, this episode marked a shift in mindset. It demonstrated that cybersecurity is no longer the exclusive concern of the technology function, but a strategic business variable. A hospital that cannot access medical records, a factory brought to a standstill, or a services company paralyzed are not facing an IT problem: they are facing an operational, financial, and reputational one.
It also made clear that security is not a state you reach, but a practice you sustain. Threats evolve; so do oversights. The organization that understands this stops chasing the false comfort of "being protected" and adopts a posture of continuous improvement, vigilance, and preparedness. That, in my experience, is the difference between those who lived through that May of 2017 as an anecdote and those who remember it as a wound.
Is WannaCry still a threat today?
The original outbreak was contained, but the vulnerability it exploited remains present in any unpatched machine. Moreover, its success inspired numerous variants and a new generation of ransomware. The technique lives on; that is why the lessons still apply.
Should I pay the ransom if ransomware hits me?
We do not recommend it. There is no guarantee of recovering the information, you fund whoever committed the attack, and you confirm that you are a profitable target. A reliable, isolated backup is the answer that lets you avoid having to make that decision.
Is my company too small to be a target?
This is one of the most dangerous myths. Modern ransomware does not discriminate by size: it spreads in an automated, opportunistic way. Small and midsize organizations are often the preferred target precisely because they tend to have fewer defenses.
Where do I start if I don't know how strong my protection is?
With an honest assessment. Before investing in tools, it is worth knowing where the real gaps are: patch status, segmentation, monitoring, and, above all, whether your backups actually work.
If WannaCry taught us anything, it is that the difference between the organizations that held firm and those that collapsed was not luck, but preparation. And preparation begins with clearly understanding where you stand today.
At SUMāTO we work alongside companies across LATAM to assess their exposure, close the critical gaps, and build a recovery capability that truly holds up. I propose starting with a security and continuity assessment, with no strings attached, to identify your vulnerable points before someone else does. Let's talk about how to protect your operation and turn the next crisis into, at most, an anecdote worth telling.