The WannaCry Ransomware Attack

Summary

The WannaCry ransomware attack was one of the most destructive and fast-moving cyberattacks in history. It highlighted the dangers of unpatched systems, weaponized exploits, and the growing sophistication of ransomware as a tool for cyberwarfare and extortion. Here is how it changed the history of cybersecurity.

What is WannaCry?

WannaCry (also written WannaCrypt, WannaCryptor, or Wcry) is a ransomware worm that spread rapidly across networks. It encrypts files on infected machines and demands Bitcoin ransom payments for their decryption. The worm was first detected on May 12, 2017, and targeted Microsoft Windows systems (especially outdated or unpatched versions). The demanded ransom was ~$300–$600 in Bitcoin per infected system.

How did it spread?

The exploit that the worm relies on was developed by the U.S. National Security Agency (NSA) and was leaked publicly by the hacking group Shadow Brokers in April 2017. On May 12, 2017, the WannaCry outbreak began globally.

Interestingly, just one day after the outbreak a researcher accidentally discovered a kill-switch domain that halted the spread of the worm. Between June and July, however, new WannaCry variants emerged, with less success than the original payload.

The impact

Despite its short time frame, WannaCry affected over 200,000 systems in more than 150 countries. It hit key sectors such as healthcare, telecommunications, transportation, finance and education. The UK's NHS was forced to cancel surgeries and shut down systems; Telefónica (Spain) had infected endpoints; and Deutsche Bahn (Germany), FedEx and Maersk experienced outages. Banks in Russia and Asia, as well as public institutions worldwide, were also affected.

The estimated economic damages ranged from $4 billion to $8 billion USD globally.

How does WannaCry work?

WannaCry used an exploit called EternalBlue, which took advantage of a vulnerability in Microsoft’s SMBv1 protocol (Server Message Block), identified as CVE-2017-0144. The vulnerability allowed remote code execution over SMB without authentication.

The worm scans the network for vulnerable machines, uses EternalBlue to gain access, then drops and executes the WannaCry ransomware payload. That payload encrypts files with a combination of RSA and AES and displays a ransom note demanding Bitcoin payment, while the worm component keeps spreading autonomously to other hosts on the network.

Technical details:

  • Vulnerability: CVE-2017-0144 (EternalBlue) 
  • Encryption: RSA-2048 and AES-128
  • Communication: Uses Tor and hardcoded Bitcoin wallet addresses
  • Kill switch: Malware pinged an unregistered domain — if reachable, it shut down.

Indicators of Compromise: 

  • File extension: .wncry
  • C2 Domain: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • Bitcoin Wallet: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
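As an added illustration (not code from the original article), the following Python script checks constructed log lines for three behaviours described above from the defender's side: one host contacting many SMB peers (worm-style scanning), a DNS lookup of the kill-switch domain, and files written with the .wncry extension. The log line formats, the scan threshold and the IP addresses are assumptions made for this example.

```python
import re
from collections import defaultdict

# Indicators taken from the article; log formats and threshold are constructed for this example.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
RANSOM_EXTENSION = ".wncry"
SMB_PORT = 445           # SMB over TCP; the port is well known but not stated in the article
SCAN_THRESHOLD = 5       # assumed: distinct SMB peers from one host before flagging a scan

CONN_RE = re.compile(r"^conn src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
DNS_RE = re.compile(r"^dns src=(?P<src>\S+) query=(?P<query>\S+)$")
FILE_RE = re.compile(r"^file host=(?P<host>\S+) path=(?P<path>\S+)$")


def analyze(lines):
    """Map each finding type to the sorted list of hosts it was observed on."""
    smb_peers = defaultdict(set)   # src host -> distinct hosts it contacted on TCP/445
    findings = defaultdict(set)
    for line in lines:
        if (m := CONN_RE.match(line)) and int(m["dport"]) == SMB_PORT:
            smb_peers[m["src"]].add(m["dst"])
        elif m := DNS_RE.match(line):
            # Case-insensitive match, tolerating a trailing dot from the resolver log.
            if m["query"].lower().rstrip(".") == KILL_SWITCH_DOMAIN:
                findings["kill_switch_lookup"].add(m["src"])
        elif m := FILE_RE.match(line):
            if m["path"].lower().endswith(RANSOM_EXTENSION):
                findings["wncry_file"].add(m["host"])
    # Worm-like lateral movement: a single host touching many SMB peers.
    for host, peers in smb_peers.items():
        if len(peers) >= SCAN_THRESHOLD:
            findings["smb_scan"].add(host)
    return {k: sorted(v) for k, v in findings.items()}


SAMPLE_LOGS = [  # constructed sample, not a real capture
    *[f"conn src=10.0.0.7 dst=10.0.0.{i} dport=445" for i in range(1, 6)],
    "conn src=10.0.0.9 dst=10.0.0.1 dport=445",
    "conn src=10.0.0.9 dst=10.0.0.2 dport=80",
    "dns src=10.0.0.8 query=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "dns src=10.0.0.9 query=example.com",
    r"file host=10.0.0.8 path=C:\Users\alice\report.docx.WNCRY",
    r"file host=10.0.0.9 path=C:\Users\bob\notes.txt",
]

if __name__ == "__main__":
    for finding, hosts in sorted(analyze(SAMPLE_LOGS).items()):
        print(f"{finding}: {', '.join(hosts)}")
```

A lookup of the kill-switch domain is worth alerting on even though a successful response stops the original sample: it still means the payload executed on that host.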

Why was WannaCry so devastating?

WannaCry was devastating because it used a leaked NSA weapon, built on a military-grade exploit. At the time, many organizations still ran Windows XP or other unpatched systems, which let the worm spread globally in a matter of hours.

The attack was ultimately attributed to Lazarus Group, a North Korean state-sponsored hacking team. The U.S. and UK governments formally stated in December 2017 that North Korea was responsible. 

The legacy of WannaCry

WannaCry prompted several improvements in cybersecurity procedures, including updating systems (especially legacy ones) and adopting emergency cybersecurity protocols in the public and private sectors. Microsoft took the unusual step of releasing emergency patches for unsupported systems such as Windows XP to stop the spread of the ransomware.

Most of all, the cyberattack sparked debate over the stockpiling of cyberweapons by intelligence agencies. 
