On the morning of Friday, 12 May 2017, something unusual began happening across the world. Computer screens started turning red.
Hospitals in the United Kingdom suddenly couldn’t access patient records. Manufacturing plants halted production lines. Rail displays froze. Within hours, IT teams across the globe were staring at the same message:
“Oops, your files have been encrypted.”
To recover their data, victims were told to pay $300 in Bitcoin, rising to $600 after three days. The malware responsible was called WannaCry, and by the end of the day it had triggered one of the largest cyber incidents in modern history.
A Digital Wildfire
The attack began around 07:44 UTC on 12 May 2017, likely starting from vulnerable systems exposed to the internet. Within hours, the infection spread at a speed rarely seen before in cybercrime.
By the time the initial outbreak slowed, the numbers were staggering:
- 300,000+ computers infected
- 150 countries affected
- Estimated global damages up to $4 billion
Organizations ranging from telecom providers to logistics companies were hit. In the UK, the National Health Service (NHS) was among the most visible victims, forcing hospitals to cancel appointments and divert ambulances because critical systems were unavailable.
What made WannaCry so disruptive wasn’t just the ransom demand—it was how aggressively it spread.
The Exploit That Powered the Attack
At the heart of WannaCry was a powerful vulnerability in Microsoft Windows.
The malware exploited a flaw in the Server Message Block (SMB) protocol—a core networking feature that allows Windows machines to share files and printers across a network.
The specific exploit used was known as EternalBlue, a tool originally developed by the U.S. National Security Agency (NSA) for cyber operations. In 2017, the exploit was leaked online by a mysterious group known as The Shadow Brokers.
Once WannaCry infected a single machine, it behaved like a worm:
- It scanned networks for other computers with the SMB vulnerability.
- It used EternalBlue to break into those systems automatically.
- It installed the ransomware payload and repeated the process.
Unlike traditional ransomware that spreads through phishing emails, WannaCry could propagate autonomously across networks, allowing it to spread globally in a matter of hours.
Encryption and Extortion
Once inside a system, WannaCry did what ransomware does best.
It encrypted files using strong cryptography, locking victims out of their data and replacing the desktop wallpaper with a ransom note. Victims were instructed to pay the attackers in Bitcoin to receive a decryption key.
However, despite the global scale of the attack, relatively few victims actually paid the ransom. Many systems were either restored from backups or permanently lost.
Ironically, the attackers likely earned far less money than the disruption they caused.
The Accidental Discovery That Stopped It
As the attack spread on that Friday afternoon, cybersecurity researchers across the world were scrambling to understand what was happening.
One of them, Marcus Hutchins, a British security researcher, noticed something strange while analyzing the malware. The code attempted to connect to a seemingly random domain name.
Curious, Hutchins registered the domain.
Almost immediately, the spread of the worm slowed dramatically.
It turned out the malware contained a “kill switch.” Before spreading, it tried to connect to that domain; if the connection succeeded (the domain resolved and answered), the malware stopped executing. Registering the domain effectively disabled the worm’s propagation mechanism, buying time for organizations to patch their systems and contain the outbreak.
It was a rare moment in cybersecurity: a global crisis partially halted by a $10 domain registration.
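As an added illustration (not code from the article or from any of its cited sources), here is a small Python detector for the two behaviours described above: worm-like scanning of TCP/445 from a single host, and a DNS lookup of the kill-switch domain, which on a defender's own network is a sign the worm ran on that host. The domain name, thresholds and log formats are assumptions, and the log lines are constructed.

```python
# Added example: two simple detections for the WannaCry behaviours described above,
# run over constructed connection and DNS log lines.
#  1. SMB worm scanning: one source opening TCP/445 connections to many distinct
#     hosts within a short window (the worm scans for vulnerable SMB targets).
#  2. Kill-switch lookup: the worm checks the kill-switch domain before spreading,
#     so a DNS query for it is itself an infection indicator.
# KILL_SWITCH_DOMAIN is a placeholder, not the real domain the malware used.
from collections import defaultdict
from datetime import datetime, timedelta

KILL_SWITCH_DOMAIN = "killswitch.example"   # placeholder, assumed
SCAN_WINDOW = timedelta(seconds=60)         # assumed sliding window
SCAN_THRESHOLD = 20                         # assumed distinct TCP/445 targets per window

def parse_conn(line):
    # Constructed format: "2017-05-12T07:44:01 CONN <src> <dst> <dport>"
    ts, _, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def smb_scanners(conn_lines, window=SCAN_WINDOW, threshold=SCAN_THRESHOLD):
    """Return {src: max distinct TCP/445 targets in any window} for sources
    that reach the threshold; other sources are omitted."""
    by_src = defaultdict(list)
    for line in conn_lines:
        ts, src, dst, port = parse_conn(line)
        if port == 445:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        best, lo = 0, 0
        for hi in range(len(events)):          # sliding window over sorted events
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            best = max(best, len({d for _, d in events[lo:hi + 1]}))
        if best >= threshold:
            flagged[src] = best
    return flagged

def kill_switch_lookups(dns_lines, domain=KILL_SWITCH_DOMAIN):
    # Constructed format: "2017-05-12T07:45:10 DNS <src> <queried-name>"
    return sorted({l.split()[2] for l in dns_lines if l.split()[3].lower() == domain})

# Constructed sample: 10.0.0.5 sweeps 40 hosts on 445 within 40 s (worm-like);
# 10.0.0.7 opens three ordinary file-share connections to two hosts.
CONN_LOG = [f"2017-05-12T07:44:{i:02d} CONN 10.0.0.5 10.0.1.{i} 445" for i in range(1, 41)]
CONN_LOG += ["2017-05-12T07:44:05 CONN 10.0.0.7 10.0.1.2 445",
             "2017-05-12T07:44:06 CONN 10.0.0.7 10.0.1.3 445",
             "2017-05-12T07:44:07 CONN 10.0.0.7 10.0.1.3 445"]
DNS_LOG = ["2017-05-12T07:45:10 DNS 10.0.0.5 killswitch.example",
           "2017-05-12T07:45:11 DNS 10.0.0.7 www.example.com"]
```

Running both functions over the sample flags 10.0.0.5 on both signals and leaves the ordinary file-share client alone.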
Who Was Responsible?
Attribution in cyberattacks is rarely straightforward. But investigations eventually pointed toward a known threat actor.
In December 2017, the United States and United Kingdom governments publicly attributed the attack to North Korea, specifically a hacking group known as the Lazarus Group.
North Korea denied involvement, but many security researchers agreed that the malware’s code shared similarities with previous Lazarus operations.
The motive may have been financial—North Korea has previously been linked to cyber operations designed to generate revenue for the sanctioned state.
What Did the World Learn?
WannaCry left behind more than damaged systems and encrypted files. It exposed deep weaknesses in global cybersecurity.
Several key lessons emerged:
1. Patching matters
Microsoft had already released a security update in March 2017 to fix the SMB vulnerability. Organizations that applied the patch were largely protected. Many victims simply hadn’t updated their systems.
2. Legacy systems are dangerous
Many affected organizations were running outdated operating systems with limited security support.
3. Cyber weapons can escape
The EternalBlue exploit originated from a government cyber arsenal. Its leak demonstrated how powerful digital weapons can cause global collateral damage when released into the wild.
4. Cyber resilience is critical
Backups, network segmentation, and rapid patching became central themes in security strategies after the attack.
A Turning Point in Cybersecurity
WannaCry lasted only a few days at its peak, but its impact continues to shape cybersecurity policy and practice today.
It forced governments to rethink how vulnerabilities are handled. It exposed how fragile global digital infrastructure can be. And it demonstrated that a single piece of code can bring hospitals, factories, and transport systems to a halt.
In the history of cybercrime, WannaCry stands as a reminder of something both simple and unsettling:
Sometimes the biggest disasters don’t begin with sophisticated espionage or long-term infiltration.
Sometimes they begin with a single unpatched computer.
Sources & Further Reading
- UpGuard – WannaCry attack overview: https://www.upguard.com/blog/wannacry
- Cloudflare – WannaCry ransomware overview: https://www.cloudflare.com/learning/security/ransomware/wannacry-ransomware/
- Wikipedia – WannaCry ransomware attack: https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
- Kaspersky – What is WannaCry ransomware?: https://www.kaspersky.com/resource-center/threats/ransomware-wannacry
- Google Threat Intelligence – WannaCry campaign analysis: https://cloud.google.com/blog/topics/threat-intelligence/wannacry-ransomware-campaign/
- Fortinet – WannaCry ransomware explanation: https://www.fortinet.com/resources/cyberglossary/wannacry-ransomware-attack
- MITRE ATT&CK – WannaCry malware details: https://attack.mitre.org/software/S0366/