WannaCry ransomware worm
A North Korean ransomware worm that exploited the EternalBlue SMB vulnerability to spread to ~200,000 systems across 150 countries in 24 hours. Paralysed the U.K.'s NHS and crippled manufacturing globally.
- Victim: ~200,000 organizations worldwide (UK NHS, Telefónica, Renault, Deutsche Bahn, Honda et al.)
- Loss: $6.00B
On 12 May 2017, a North Korean ransomware worm called WannaCry began propagating across the public internet via the EternalBlue SMB exploit. Within 24 hours it had encrypted systems at roughly 200,000 organizations across 150 countries — the most rapid mass-encryption event in history and the first to seriously disrupt a national health service.
What happened
WannaCry's propagation relied on EternalBlue (CVE-2017-0144), the NSA's SMBv1 exploit leaked by the Shadow Brokers group on 14 April 2017. Microsoft had released a patch (MS17-010) on 14 March, two months before the worm. The systems that fell were those that had not applied the patch — overwhelmingly Windows 7 / Server 2008 R2 estates with legacy SMBv1 still enabled.
The worm scanned for accessible SMB ports across the public internet, dropped its encryptor (named wcry.exe), and demanded $300 in bitcoin per host. It also scanned for further targets inside any network it reached, so the infection spread rapidly within a compromised network — a behaviour previously seen in destructive worms but never before weaponized for ransomware.
Propagation halted abruptly when security researcher Marcus Hutchins (then known online as MalwareTech) noticed that the worm queried an unregistered domain before encrypting and registered it himself. The query had been intended as a sandbox-detection check; registering the domain accidentally activated a kill switch that stopped further encryption.
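The two behaviours described above are both visible from the network: a freshly infected host opens TCP/445 connections to many distinct internal addresses in quick succession, and it resolves the kill-switch domain before it encrypts. The script below is an added example, not code from the original page or from any WannaCry analysis; it runs two simple detections over constructed log lines. The log format and field names, the 10.0.0.0/8 addresses and the domain `killswitch-domain.example` are placeholders chosen for the example (the real kill-switch domain is not reproduced here and would come from a threat-intel feed).

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (firewall/NetFlow style, one event per line).
# Host 10.0.0.5 fans out to six distinct internal hosts on TCP/445 within seconds,
# which is what SMB worm propagation looks like from the network.
SAMPLE_CONN_LOG = """\
2017-05-12T07:50:01Z src=10.0.0.5 dst=10.0.3.17 dport=445 proto=tcp
2017-05-12T07:50:02Z src=10.0.0.5 dst=10.0.3.18 dport=445 proto=tcp
2017-05-12T07:50:02Z src=10.0.0.5 dst=10.0.3.19 dport=445 proto=tcp
2017-05-12T07:50:03Z src=10.0.0.5 dst=10.0.3.17 dport=445 proto=tcp
2017-05-12T07:50:04Z src=10.0.0.5 dst=10.0.3.20 dport=445 proto=tcp
2017-05-12T07:50:05Z src=10.0.0.5 dst=10.0.3.21 dport=445 proto=tcp
2017-05-12T07:50:06Z src=10.0.0.5 dst=10.0.3.22 dport=445 proto=tcp
2017-05-12T07:50:09Z src=10.0.0.9 dst=10.0.0.1 dport=53 proto=udp
2017-05-12T07:51:00Z src=10.0.0.7 dst=10.0.3.20 dport=445 proto=tcp
2017-05-12T07:51:10Z src=10.0.0.7 dst=10.0.3.21 dport=445 proto=tcp
"""

# Constructed sample DNS query log.
SAMPLE_DNS_LOG = """\
2017-05-12T07:49:59Z src=10.0.0.5 qname=killswitch-domain.example.
2017-05-12T07:50:30Z src=10.0.0.7 qname=update.vendor.example
"""

# Placeholder: the real kill-switch domain is not reproduced here; populate this
# set from your threat-intelligence source.
KILLSWITCH_DOMAINS = {"killswitch-domain.example"}

CONN_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)
DNS_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) qname=(?P<qname>\S+)$")


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_smb_fanout(log_text: str, threshold: int = 5,
                    window: timedelta = timedelta(seconds=60)) -> dict[str, int]:
    """Map each source to the peak number of distinct hosts it reached on TCP/445
    inside any sliding window; only sources reaching >= threshold are returned."""
    per_src: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if not m or m["dport"] != "445" or m["proto"].lower() != "tcp":
            continue
        per_src[m["src"]].append((parse_ts(m["ts"]), m["dst"]))

    alerts: dict[str, int] = {}
    for src, events in per_src.items():
        events.sort()
        in_window: dict[str, int] = defaultdict(int)  # dst -> hits inside the window
        start = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the window forward, dropping events older than `window`.
            while ts - events[start][0] > window:
                old_dst = events[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            if len(in_window) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(in_window))
    return alerts


def find_killswitch_queries(dns_text: str, domains: set[str]) -> list[tuple[str, str]]:
    """Return (src, qname) for every query to a known kill-switch domain.
    A host that queries the domain has already run the dropper, even though a
    resolving (sinkholed) answer stops it from encrypting or spreading further."""
    wanted = {d.lower().rstrip(".") for d in domains}
    hits = []
    for line in dns_text.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        qname = m["qname"].lower().rstrip(".")
        if qname in wanted:
            hits.append((m["src"], qname))
    return hits


if __name__ == "__main__":
    print("SMB fan-out:", find_smb_fanout(SAMPLE_CONN_LOG))
    print("Kill-switch queries:", find_killswitch_queries(SAMPLE_DNS_LOG, KILLSWITCH_DOMAINS))
```

Run against the constructed logs, the fan-out check flags 10.0.0.5 (six distinct hosts on 445 within a minute) and ignores 10.0.0.7, while the DNS check reports 10.0.0.5 as having queried the kill-switch domain. The second signal matters after the sinkhole too: a host that looked the domain up has executed the binary and should be isolated and patched even if nothing was encrypted.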
Impact
- U.K. National Health Service: at least 80 of 236 NHS trusts disrupted. 19,000 appointments cancelled, including cancer treatments and elective surgery. Ambulance diversions across multiple regions. NAO post-mortem estimated direct cost at £92 million.
- Telefónica (Spain): ~85% of staff workstations infected; major operations halted for a day.
- Renault: French automotive production lines paused at multiple plants for safety review.
- Deutsche Bahn: ticket machines and arrival/departure boards displayed ransom messages across Germany.
- FedEx, Honda, Nissan, Hitachi, Boeing: each reported localized production or distribution disruption.
- Russian Interior Ministry: roughly 1,000 computers compromised.
Total estimated global damage: $4–8 billion. About $140,000 in ransom payments were collected across just three bitcoin wallets — derisory compared to the damage, evidence that WannaCry was either a poorly engineered ransomware operation or (more likely, per subsequent attribution) a North Korean revenue-raising or destructive operation that used ransomware framing as cover.
Attribution
In December 2017, the U.S., U.K., Canada, Australia, Japan, New Zealand, and Denmark jointly attributed WannaCry to North Korea. In September 2018, the U.S. Department of Justice unsealed an indictment naming Lazarus Group operator Park Jin Hyok as a programmer who participated in WannaCry, the 2014 Sony Pictures attack, and the 2016 Bangladesh Bank SWIFT heist. The forensic case linked the three operations via shared malware code, certificate reuse, and command-and-control infrastructure overlap.
Why it matters
WannaCry is the canonical case for unpatched perimeter vulnerabilities causing systemic damage. The Microsoft patch had existed for two months. The NSA tool had been public for one month. Every infected system represented a failure to apply known-critical updates to known-exposed infrastructure.
The attack also catalysed:
- The U.K. NHS's multi-billion-pound cyber security improvement programme and the establishment of NHS Digital's SOC.
- The U.S. Vulnerabilities Equities Process review that put pressure on intelligence agencies to disclose 0-days rather than stockpile them.
- The doctrinal recognition of ransomware-as-state-cover — a North Korean operation that used the ransomware framing to obscure intent and complicate response.
Financial impact
Reported costs in USD
- Ransom paid: $140.0K
- Business loss: $5.50B
- Remediation: $500.0M
Timeline
- 14 March 2017: Microsoft releases MS17-010, patching the SMBv1 vulnerabilities later weaponized in WannaCry.
- 14 April 2017: Shadow Brokers publicly release the EternalBlue exploit (CVE-2017-0144) leaked from the NSA.
- 12 May 2017: Around 07:44 UTC, WannaCry begins spreading. Within hours it has infected systems on six continents.
- 12 May 2017: U.K. NHS hospitals begin diverting ambulances and cancelling appointments as imaging systems, EMR terminals, and surgical schedulers encrypt.
- 12 May 2017: Security researcher Marcus Hutchins (MalwareTech) registers an unregistered domain found in the binary, accidentally activating a kill switch that halts propagation.
- 12 May 2017 onward: Telefónica, Renault, Deutsche Bahn, FedEx, Nissan, Honda, Hitachi, and roughly 200,000 other organizations confirm infections.
- December 2017: U.S., U.K., Canada, Australia, Japan, New Zealand, and Denmark jointly attribute WannaCry to North Korea.
- September 2018: U.S. DOJ unseals indictment of Lazarus operator Park Jin Hyok for Sony Pictures (2014), Bangladesh Bank SWIFT (2016), and WannaCry (2017).
Sources
- justice.gov: https://www.justice.gov/opa/press-release/file/1092091/dl
- gov.uk: https://www.gov.uk/government/news/cyber-attack-on-the-nhs
- malwaretech.com: https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html
- cisa.gov: https://www.cisa.gov/news-events/cybersecurity-advisories/aa17-132a