2017: WannaCry: The Ransomware Attack That Paralyzed the World
On the morning of Friday, May 12, 2017, computers across the world began displaying a red screen with a simple, terrifying message: “Oops, your files have been encrypted!” The WannaCry ransomware demanded $300 in Bitcoin to unlock each affected machine, with the price doubling after three days and files permanently destroyed after seven. Within hours, the attack had spread to over 200,000 computers in 150 countries. Within days, that number would exceed 300,000. The estimated global damage would reach into the billions.
The Kill Chain
WannaCry’s initial infection vector was email. Phishing messages carrying malicious attachments landed in inboxes worldwide, and when recipients opened the attachments, the ransomware activated. But WannaCry was not just ransomware — it was a worm, meaning it could spread automatically across networks without any additional human interaction.
The worm component exploited a vulnerability in Microsoft Windows called EternalBlue. This was not some obscure bug discovered by criminal hackers in a basement. EternalBlue was a cyberweapon developed by the National Security Agency of the United States. The NSA had discovered the vulnerability in Windows’ Server Message Block (SMB) protocol and, rather than reporting it to Microsoft for patching, had kept it secret and developed it into an exploitation tool for intelligence operations.
In April 2017 — one month before WannaCry — a mysterious group called the Shadow Brokers publicly released a trove of stolen NSA hacking tools, including EternalBlue. Microsoft had actually issued a patch for the vulnerability (MS17-010) in March 2017, apparently after being tipped off by the NSA that its tools had been compromised. But millions of Windows computers worldwide had not installed the patch.
WannaCry weaponized EternalBlue. Once a single machine on a network was infected — typically through the email vector — the worm scanned for other computers on the same network running vulnerable versions of Windows and infected them automatically. No clicks required. No phishing emails needed. Just unpatched Windows machines connected to the same network.
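The spread pattern described above (one host compromised through email, then every unpatched machine it can reach over SMB) can be modelled as a reachability problem, which is how a defender sizes the blast radius and decides what to patch or segment first. The following is an added example, not code from the article or from any WannaCry analysis; the host inventory and the three firewall policies are constructed sample data, and "patched" stands for having MS17-010 installed.

```python
"""Blast-radius model for an SMB worm on a segmented network (added example).

Patient zero is assumed compromised through a phishing attachment, which runs
as the user regardless of patch state. From there the worm reaches any host
whose subnet it may open TCP/445 to and which is still missing the patch.
Patched hosts neither get infected nor relay.
"""
from collections import deque

# Constructed inventory (not from the article): host -> (subnet, patched)
HOSTS = {
    "laptop-01":   ("users",   False),
    "laptop-02":   ("users",   True),
    "hr-pc":       ("users",   False),
    "fileserver":  ("servers", False),
    "db-01":       ("servers", True),
    "mri-console": ("medical", False),  # embedded Windows, rarely patched
    "pacs-01":     ("medical", False),
}

# Constructed policies: which subnets may open TCP/445 to which subnets.
SUBNETS = ("users", "servers", "medical")
FLAT = {(a, b) for a in SUBNETS for b in SUBNETS}          # no segmentation
TIERED = {("users", "users"), ("users", "servers"), ("servers", "servers"),
          ("servers", "medical"), ("medical", "medical")}   # servers relay
STRICT = TIERED - {("servers", "medical")}                  # medical isolated


def worm_spread(patient_zero, policy, hosts=HOSTS):
    """Breadth-first spread; returns the set of hosts the worm ends up on."""
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        src = queue.popleft()
        src_subnet = hosts[src][0]
        for dst, (dst_subnet, patched) in hosts.items():
            if dst in infected or patched:
                continue
            if (src_subnet, dst_subnet) in policy:
                infected.add(dst)
                queue.append(dst)
    return infected


def patch_priority(patient_zero, policy, hosts=HOSTS):
    """Rank unpatched hosts by how much patching that one host alone shrinks
    the blast radius. Choke points (hosts that relay into otherwise
    unreachable segments) float to the top."""
    baseline = len(worm_spread(patient_zero, policy, hosts))
    gains = []
    for host, (subnet, patched) in hosts.items():
        if patched or host == patient_zero:
            continue
        trial = dict(hosts)
        trial[host] = (subnet, True)
        gains.append((host, baseline - len(worm_spread(patient_zero, policy, trial))))
    gains.sort(key=lambda g: (-g[1], g[0]))
    return gains


if __name__ == "__main__":
    for name, pol in (("flat", FLAT), ("tiered", TIERED), ("strict", STRICT)):
        print(f"{name:7s} -> {sorted(worm_spread('laptop-01', pol))}")
    print("patch first:", patch_priority("laptop-01", TIERED))
```

On the flat network every unpatched host falls to one opened attachment; with the medical segment isolated the worm stops at the users and servers segments; and in the tiered policy the file server is the single host whose patch removes three victims, because it is the only path into the medical segment.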
The Damage
The UK’s National Health Service (NHS) was among the hardest hit. Approximately 80 of the NHS’s 236 trusts were affected, along with 603 primary care organizations. Hospitals were forced to divert ambulances, cancel surgeries, and turn away patients. Doctors resorted to pen and paper. Medical records were inaccessible. It was the largest disruption to the NHS since its founding.
Telefonica, Spain’s largest telecommunications company, was hit. FedEx’s European operations through TNT Express were severely disrupted, costing the company an estimated $300 million. Renault shut down production at multiple factories. Deutsche Bahn’s passenger information displays went dark. Russia’s Interior Ministry reported 1,000 infected computers.
The attack was indiscriminate. It hit large corporations and small businesses, government agencies and individuals, developed nations and developing ones. Any organization running unpatched Windows computers was vulnerable, and as the worm spread automatically across networks, the infection rate was explosive.
The Accidental Hero
The attack’s spread was dramatically slowed by a 22-year-old British cybersecurity researcher named Marcus Hutchins, who worked under the online pseudonym MalwareTech. While analyzing the WannaCry code, Hutchins noticed that the malware was trying to connect to a specific unregistered domain name before activating. If the connection failed (because the domain didn’t exist), the malware proceeded with encryption. If the connection succeeded, the malware shut itself down.
Hutchins registered the domain for roughly $10.69, and suddenly, WannaCry infections worldwide began deactivating. The domain functioned as a “kill switch” — a dead man’s switch built into the malware, likely intended by its creators as a way to prevent the malware from running in sandboxed analysis environments (which typically allow all DNS queries to resolve).
Hutchins’ discovery didn’t stop the damage already done, and it didn’t protect systems that couldn’t reach the internet. But it dramatically slowed the worm’s continued spread and prevented what could have been an even worse catastrophe.
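The kill-switch behaviour has a useful defensive side effect: every host on which the malware ran looked up that domain, so a DNS query log records which machines executed it and, from the answer they got, whether the lookup failed (encryption proceeded) or resolved (the kill switch likely fired, but the code still ran on that host and it needs patching and investigation). The script below is an added example, not code from the article; the domain is an obvious placeholder for the real one and the log lines are constructed. A resolving answer does not prove the follow-up connection succeeded (the text notes hosts without internet reach were not protected), so treat "halted" as a triage hint rather than a clean bill of health.

```python
"""Triage WannaCry-style kill-switch lookups from a DNS query log (added example)."""
import re

KILL_SWITCH_DOMAIN = "killswitch-domain.example"  # placeholder, not the real domain

# Constructed sample log; format is key=value per line, not a real resolver's.
SAMPLE_LOG = """\
2017-05-12T09:41:02Z client=10.1.4.23 query=killswitch-domain.example type=A rcode=NXDOMAIN
2017-05-12T09:41:05Z client=10.1.4.23 query=update.example.net type=A rcode=NOERROR
2017-05-12T09:52:17Z client=10.1.7.8 query=KillSwitch-Domain.example. type=A rcode=NXDOMAIN
2017-05-12T15:03:44Z client=10.1.9.40 query=killswitch-domain.example type=A rcode=NOERROR
2017-05-12T15:10:01Z client=10.1.4.23 query=killswitch-domain.example type=A rcode=NOERROR
2017-05-12T15:11:30Z client=10.1.2.2 query=mail.example.org type=MX rcode=NOERROR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+) "
    r"type=(?P<type>\S+) rcode=(?P<rcode>\S+)$"
)


def parse_dns_log(text):
    """Parse the constructed format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def triage_kill_switch(records, domain=KILL_SWITCH_DOMAIN):
    """Return {client: verdict} for every client that queried the domain.

    'encrypted': at least one lookup returned NXDOMAIN, so the domain did not
                 exist when the malware first ran and encryption proceeded.
    'halted':    every lookup resolved; the kill switch likely fired, but the
                 malware still executed on this host.
    An NXDOMAIN at any time outranks later successful lookups, because the
    first run is the one that decided the host's fate.
    """
    verdicts = {}
    for r in records:
        if r["query"].lower().rstrip(".") != domain:
            continue
        client = r["client"]
        if r["rcode"] == "NXDOMAIN":
            verdicts[client] = "encrypted"
        elif client not in verdicts:
            verdicts[client] = "halted"
    return verdicts


def first_seen(records, domain=KILL_SWITCH_DOMAIN):
    """Earliest kill-switch lookup per client, for timeline reconstruction."""
    seen = {}
    for r in records:
        if r["query"].lower().rstrip(".") == domain:
            seen.setdefault(r["client"], r["ts"])
    return seen


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_LOG)
    for client, verdict in sorted(triage_kill_switch(recs).items()):
        print(f"{client:12s} {verdict:10s} first lookup {first_seen(recs)[client]}")
```

Every client in the output ran the malware and needs the MS17-010 patch and an incident ticket; the verdict only tells the responder which ones also need file recovery.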
The Attribution
Multiple governments formally attributed WannaCry to North Korea. The United States, United Kingdom, Australia, Canada, Japan, and New Zealand all publicly blamed the Lazarus Group, a hacking organization tied to North Korea’s Reconnaissance General Bureau. In September 2018, the US Department of Justice indicted Park Jin Hyok, a North Korean programmer, for his alleged role in the attack.
The attribution raised uncomfortable questions about state-sponsored cybercrime. North Korea, one of the poorest and most isolated nations on earth, had developed offensive cyber capabilities sophisticated enough to cause billions of dollars in damage worldwide — and had used a tool originally developed by the United States’ own intelligence agency to do it.
The Email Connection
While WannaCry’s most dramatic spread was through the EternalBlue network worm, email was the critical initial infection vector. Phishing emails carrying WannaCry payloads provided the first foothold in organizations worldwide. Once inside a network through a single email-compromised machine, the worm took over.
This pattern — email as the entry point, followed by lateral movement through network vulnerabilities — is the standard playbook for modern cyberattacks. It underscores why email security is the first and most important line of defense. Blocking a phishing email before it reaches an inbox prevents not just the direct damage of that email but the cascading network compromise that can follow.
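As an added example of the "block it before the inbox" step the paragraph calls for, the script below applies an attachment policy to a constructed phishing message: it rejects executable and script extensions, flags double extensions such as .pdf.exe, and sniffs the payload so that a Windows executable is caught even when the sender labels it a PDF. It is not code from the article or from any mail gateway; the message, addresses and extension lists are constructed, and a production filter would also sandbox the attachment and check macros inside Office files.

```python
"""Attachment policy check for inbound mail (added example, constructed data)."""
import os
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed policy lists; a real deployment would tune these.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd",
                      ".ps1", ".jar", ".dll", ".lnk"}
MACRO_OFFICE = {".docm", ".xlsm", ".pptm"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def build_sample_message():
    """Constructed phishing-style message: a 'PDF' that is really a PE file."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice overdue"
    msg.set_content("Please see the attached invoice.")
    # Payload begins with the MZ header every Windows executable carries.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                       subtype="pdf", filename="Invoice_2017-05.pdf.exe")
    msg.add_attachment("meeting notes", filename="notes.txt")
    return msg.as_string()


def scan_attachment(part):
    """Return (lower-cased filename, list of policy violations) for one part."""
    reasons = []
    name = (part.get_filename() or "").lower()
    ctype = part.get_content_type()
    data = part.get_payload(decode=True) or b""
    root, ext = os.path.splitext(name)
    inner_ext = os.path.splitext(root)[1]

    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
    if ext in MACRO_OFFICE:
        reasons.append("macro-enabled Office document")
    if inner_ext in DOCUMENT_EXTENSIONS and ext not in DOCUMENT_EXTENSIONS:
        reasons.append(f"double extension {inner_ext}{ext}")
    # Content sniffing: trust bytes over the filename and declared type.
    if data[:2] == b"MZ":
        reasons.append("payload starts with MZ (Windows executable)")
    if ctype == "application/pdf" and data[:5] != b"%PDF-":
        reasons.append("declared application/pdf but content is not a PDF")
    return name, reasons


def scan_message(raw):
    """Map each offending attachment name to its violations."""
    msg = message_from_string(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name, reasons = scan_attachment(part)
        if reasons:
            findings[name] = reasons
    return findings


def decide(raw):
    """Gateway verdict: quarantine on any violation, otherwise deliver."""
    return "quarantine" if scan_message(raw) else "deliver"


if __name__ == "__main__":
    raw = build_sample_message()
    for name, reasons in scan_message(raw).items():
        print(name)
        for r in reasons:
            print("  -", r)
    print("verdict:", decide(raw))
```

The sample attachment trips four independent rules, which is the point: a filter that relies on the filename alone can be fooled by a renamed file, while the MZ check catches the executable whatever it is called.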
Legacy
WannaCry was a wake-up call for organizations worldwide. It demonstrated that ransomware was not just a nuisance affecting individual users — it was a weapon capable of disrupting critical infrastructure on a global scale. The attack accelerated investment in cybersecurity, particularly around patch management and email security.
The incident also reignited the debate about government agencies stockpiling software vulnerabilities rather than disclosing them to vendors. Microsoft president Brad Smith directly criticized the NSA, writing that the attack was the equivalent of “the U.S. military having some of its Tomahawk missiles stolen.” The debate about whether intelligence agencies should prioritize offensive capability (keeping vulnerabilities secret for use in espionage) versus defensive security (reporting them so they can be patched) remains unresolved.
For email security professionals, WannaCry reinforced an uncomfortable truth: a single opened attachment in a single phishing email can bring an entire organization — or an entire healthcare system — to its knees.
Frequently Asked Questions
What was the WannaCry ransomware attack?
WannaCry was a ransomware cryptoworm that struck on May 12, 2017, encrypting files on infected Windows computers and demanding Bitcoin ransom payments. It spread to over 300,000 computers across 150 countries within days, causing billions of dollars in damage and crippling organizations including the UK's National Health Service.
How did WannaCry spread?
WannaCry primarily spread through a Windows vulnerability called EternalBlue, which exploited a flaw in the SMB (Server Message Block) protocol. Initial infections were delivered via phishing emails with malicious attachments, but the worm could then spread automatically across networks without any user interaction. EternalBlue was originally developed by the NSA and leaked by a group called the Shadow Brokers.
Who was behind the WannaCry attack?
The United States, United Kingdom, and several other nations formally attributed the WannaCry attack to North Korea's Lazarus Group, a state-sponsored hacking organization. In September 2018, the US Department of Justice charged a North Korean programmer named Park Jin Hyok in connection with the attack.