WannaCry Global Ransomware Attack
A self-propagating ransomware worm using a leaked NSA exploit infected 200,000 computers across 150 countries in 24 hours, crippling hospitals, telecoms, and logistics companies.
Background
WannaCry was not a targeted attack on a single organization — it was a global ransomware worm that spread autonomously using EternalBlue, a Windows exploit developed by the US National Security Agency and leaked by the Shadow Brokers group. Microsoft had issued a critical patch two months earlier, but millions of systems remained unpatched.
The Attack
WannaCry used the EternalBlue exploit against Windows SMB to self-replicate across networks without any user interaction. Once on a system, it encrypted files and demanded a ransom in Bitcoin. Within 24 hours it had infected hospitals in the UK's National Health Service, Spanish telecom Telefónica, FedEx, and Renault factories. A researcher discovered and activated a "kill switch" domain that halted new infections.
Response
A 22-year-old UK security researcher, Marcus Hutchins, discovered that WannaCry checked for an unregistered domain as a kill switch. He registered the domain for $10.69, stopping the spread of new infections. Microsoft released emergency patches for unsupported Windows versions, including XP. Law enforcement agencies attributed the attack to North Korea's Lazarus Group.
Outcome
Over 200,000 computers in 150 countries were infected. The UK's NHS cancelled approximately 19,000 appointments. Total damages were estimated at $4-8 billion globally. The attack exposed the dangerous consequences of hoarding offensive cyber capabilities — and the catastrophic cost of delayed patching.
Key Takeaways
- Delayed patching is never "acceptable risk" — it's deferred liability
- Government-developed exploits can cause civilian harm when leaked
- Network segmentation limits worm propagation dramatically
- Kill switches and threat intelligence sharing can stop attacks at scale
- Legacy and unpatched systems are a systemic risk to entire organizations