▸ DEEP DIVE // INCIDENT ANALYSIS

INSIDE WANNACRY
ANATOMY OF A GLOBAL ATTACK

In May 2017, a single piece of ransomware infected 230,000 computers across 150 countries in 72 hours. This is the full technical story of how it happened — and how it was stopped by accident.

THE DAY THE NHS WENT DARK

On the morning of Friday, 12 May 2017, staff at hospitals across the United Kingdom watched their computer screens turn red one after another. A message demanded payment in Bitcoin to unlock files that had suddenly become inaccessible. Within hours, the National Health Service was in crisis: appointments were cancelled, ambulances were diverted, and surgeons were locked out of patient records in the middle of procedures. The same red screen was appearing simultaneously in Spain, Russia, Taiwan, Ukraine, and dozens of other countries.

By the time the dust settled, WannaCry had infected an estimated 230,000 systems in more than 150 countries, making it one of the fastest-spreading and most disruptive cyberattacks in history. What made it extraordinary was not the ransom demand — it was how the malware moved. WannaCry did not need anyone to click a link or open an attachment. It spread on its own, machine to machine, like a digital plague.

THE WEAPON: A LEAKED NSA EXPLOIT

WannaCry's terrifying speed came from a tool it did not create. At its core was an exploit called EternalBlue, which targeted a vulnerability in a Windows networking protocol called SMB (Server Message Block), used by computers to share files and printers across a network.

EternalBlue was not developed by criminals. It was built by the United States National Security Agency as part of its offensive cyber arsenal. In early 2017, a mysterious group calling themselves the Shadow Brokers stole a cache of NSA hacking tools and leaked them publicly. EternalBlue was among them. Suddenly, one of the most powerful cyber weapons ever created by a nation-state was freely available to anyone on the internet.

ℹ THE PATCH THAT CAME TOO LATE FOR MANY

Microsoft had actually released a patch for the SMB vulnerability in March 2017 — two months before WannaCry. But countless organizations had not applied it. Many were running outdated systems like Windows XP, which was no longer officially supported. WannaCry did not exploit a mystery; it exploited neglect.

HOW WANNACRY SPREAD

Understanding WannaCry's mechanics reveals why it moved so fast. It combined two distinct capabilities: the ability to encrypt files (ransomware) and the ability to self-replicate across networks (a worm). This combination is what turned a routine ransomware program into a global event.

Step 1: Infection

Once WannaCry reached a vulnerable Windows machine — often through an exposed SMB port on the internet — EternalBlue exploited the flaw to run the malware's code without any user interaction. No email, no click, no download. Simply being a vulnerable, network-connected machine was enough.

Step 2: Encryption

After landing, WannaCry systematically encrypted the victim's files — documents, images, databases, spreadsheets — using strong encryption. The original files became unreadable, replaced by encrypted versions the victim could not open. It then displayed its ransom note demanding roughly 300 to 600 US dollars in Bitcoin, with a countdown timer threatening to delete the files permanently.

Step 3: Propagation

This is where WannaCry became a catastrophe. As soon as it infected one machine, it scanned both the local network and random addresses across the internet for other machines with the same SMB vulnerability. When it found one, it copied itself over and repeated the whole cycle. Each infected machine became a launch point for hundreds more. The result was exponential growth — the number of infections roughly doubling and doubling again within hours.

THE ACCIDENTAL HERO AND THE KILL SWITCH

WannaCry's global spread was halted not by governments or security firms, but by a 22-year-old British security researcher analyzing the malware from his bedroom. While reverse-engineering WannaCry's code, he noticed it was trying to contact a specific, nonsensical, unregistered web domain before running. Out of curiosity, he registered the domain for about ten dollars.

Unknowingly, he had triggered a hidden kill switch. WannaCry was written so that if that domain ever responded, the malware would stop spreading. The creators may have built it as an anti-analysis measure or a safety valve, never expecting anyone to find and register the domain. The moment it went live, new infections around the world ground to a halt. It was one of the most consequential accidents in the history of cybersecurity.

⚠ IT WASN'T FULLY OVER

The kill switch stopped the original strain, but variants without the kill switch soon appeared. And machines already encrypted stayed encrypted. The kill switch prevented further spread — it did not undo the damage already done to hundreds of thousands of systems.

ATTRIBUTION AND AFTERMATH

Investigators, including those at the NSA and multiple private security firms, attributed WannaCry to the Lazarus Group, a hacking unit tied to North Korea. The same fingerprints found in WannaCry's code matched earlier Lazarus operations, including the 2014 Sony Pictures attack and the 2016 Bangladesh Bank heist.

Curiously, WannaCry was a poor money-maker. Its payment and decryption system was clumsy, and it ultimately collected only around 130,000 dollars in ransom — a trivial sum compared to the billions in damage it caused. This has led many analysts to conclude it may have been released prematurely, or was as much an act of disruption as an attempt at profit.

The total economic damage from WannaCry has been estimated at up to four billion dollars worldwide, factoring in downtime, recovery, and lost productivity. For the NHS alone, thousands of appointments and operations were cancelled, demonstrating for the first time on a global scale that a cyberattack could directly threaten human health and safety.

THE LESSONS THAT STILL MATTER

WannaCry became a permanent case study in cybersecurity for reasons that remain relevant today. It showed that patching is not optional — a fix existed two months before the attack, and organizations that had applied it were untouched. It demonstrated the danger of cyber weapons escaping into the wild, as an NSA tool ended up in a North Korean worm. And it proved that ransomware combined with self-propagation could inflict damage on a scale previously associated only with nation-state warfare.

Perhaps most importantly, WannaCry was a wake-up call about legacy systems. The hospitals hit hardest were often those running old, unsupported software because upgrading was expensive or disruptive. That trade-off — convenience and cost versus security — is one that organizations everywhere still wrestle with, and WannaCry remains the starkest illustration of what happens when security loses that argument.