Telefónica WannaCry ransomware outbreak
On the day WannaCry erupted worldwide, the worm tore through the corporate network of Spanish telecom giant Telefónica, forcing the company to order thousands of staff at its Madrid headquarters to shut down their PCs.
- Victim
- Telefónica
On 12 May 2017, the global WannaCry ransomware worm swept across more than 150 countries — and one of its most visible early corporate victims was Telefónica, Spain's largest telecommunications operator. The Spanish angle became a defining image of the outbreak: staff streaming out of Telefónica's Madrid headquarters after being told to switch off their machines.
What happened
WannaCry spread using EternalBlue, a leaked NSA exploit targeting CVE-2017-0144, a flaw in the legacy SMBv1 file-sharing protocol. Microsoft had patched the vulnerability two months earlier in bulletin MS17-010, but countless enterprise machines — including many on Telefónica's internal Windows estate — remained unpatched.
Mid-morning, the worm began encrypting workstations on Telefónica's corporate network. Internal alerts, reportedly including loudspeaker announcements inside the Madrid headquarters, instructed employees to shut down their computers and disconnect from internal Wi-Fi to stop the self-propagating malware. External partners connecting over VPN were also told to disconnect. Infected screens displayed the trademark WannaCry ransom note demanding roughly $300 in Bitcoin per machine.
Impact
- A large share of internal corporate workstations at affected sites were taken offline as a containment measure; employees at the Madrid headquarters were sent home.
- Crucially, Telefónica stated that its customer-facing services — fixed and mobile telephony and internet connectivity — were not affected. The damage was confined to the internal corporate IT environment.
- The incident triggered an emergency response involving Spain's CCN-CERT and INCIBE, and made Telefónica a focal point of national and international coverage of the outbreak.
Attribution
WannaCry was later attributed by the U.S., U.K. and others to the Lazarus Group, a hacking unit linked to North Korea (DPRK). The worm's global spread was halted within hours when researcher Marcus Hutchins registered a kill-switch domain hard-coded in the malware, limiting further encryption.
Why it matters
Telefónica's experience crystallised a hard lesson about patch management at scale: a fix had existed for two months, yet a single wormable, unpatched vulnerability was enough to paralyse the internal network of a major telecom. The episode accelerated the retirement of SMBv1 across enterprises worldwide and is routinely cited — alongside the U.K. NHS disruption the same day — as the moment ransomware became a board-level, national-security concern in Europe.
Financial impact
Reported costs in USD
Timeline
Microsoft releases security bulletin MS17-010, patching the SMBv1 vulnerability (CVE-2017-0144) that WannaCry would later exploit via the EternalBlue exploit.
The WannaCry worm spreads globally; mid-morning it begins encrypting machines on Telefónica's internal network in Spain.
Telefónica orders employees at its Madrid headquarters to power down PCs and disconnect from internal Wi-Fi; loudspeaker announcements reinforce the order.
A demand for roughly $300 in Bitcoin per machine appears on infected screens. Telefónica says customer-facing telephony and internet services are unaffected.
Spain's CCN-CERT and INCIBE publish guidance; Telefónica restores operations and helps coordinate the national response.
Sources
- bleepingcomputer.comhttps://www.bleepingcomputer.com/news/security/telefonica-tells-employees-to-shut-down-computers-amid-massive-ransomware-outbreak/
- incibe.eshttps://www.incibe.es/en/incibe-cert/publications/cybersecurity-highlights/telefonica-affected-ransomware
- tripwire.comhttps://www.tripwire.com/state-of-security/wannacryptor-ransomware-strikes-nhs-hospitals-telefonica-and-others
- fortune.comhttps://fortune.com/2017/05/12/ransomware-attack-targeting-microsoft-windows-hits-spanish-telco-giant-telefonica/