WannaCry — global SMB-worm ransomware
A North Korean ransomware worm using leaked NSA EternalBlue tooling encrypted 200,000+ Windows systems across 150 countries, including a third of NHS England Trusts.
- Target: WannaCry — global SMB-worm ransomware
- Date public: 12 May 2017
- Sector: Healthcare
- Attack type: Ransomware
- Threat actor: Lazarus Group (DPRK, US/UK attribution)
- Severity: Critical
- Region: Global — 200,000+ systems in 150 countries
On 12 May 2017 a North Korean ransomware worm encrypted 200,000 Windows systems in 150 countries within a single weekend. In England, the National Health Service was hit hardest: 80 of 236 NHS Trusts plus many GP surgeries lost access to clinical systems, forcing the cancellation of 19,000 appointments and procedures. The fix — a Microsoft patch — had been publicly available for two months. The systems just hadn't been patched. The attack was halted within hours after a UK security researcher discovered and registered a "kill-switch" domain hard-coded in the malware, but only after damage estimated globally at $4-8 billion.
On Friday 12 May 2017, a self-propagating ransomware worm named WannaCry began encrypting Windows systems globally. The malware combined two NSA tools — EternalBlue, a remote-code-execution exploit against the Windows SMBv1 protocol, and DoublePulsar, a kernel-mode backdoor — that had been leaked by the Shadow Brokers group in April 2017. Microsoft had patched the underlying vulnerability (MS17-010) in March, but vast numbers of systems globally remained unpatched, and the patch was not initially available for end-of-support Windows versions including Windows XP and Windows Server 2003.
The infection peaked over the weekend at approximately 200,000 systems across 150 countries. The most operationally significant Western victim was the UK’s National Health Service, where 80 of 236 NHS Trusts and many GP surgeries lost access to clinical systems, forcing the cancellation of 19,000 appointments and procedures. Telefónica in Spain, Renault and Nissan production lines in Europe, Deutsche Bahn information displays, FedEx, and Russian banks and railways were all affected. The malware demanded $300-600 in Bitcoin per encrypted host and contained a hard-coded kill-switch — an HTTP request to a specific domain that, if successful, would terminate the worm. UK-based researcher Marcus Hutchins identified the kill-switch domain in the malware’s code on 12 May, registered it for $10.69, and effectively halted the global spread within hours. Subsequent variants without functional kill-switches continued to circulate at lower volume.
In December 2017 the US, UK, Canada, Australia, New Zealand, Japan and Microsoft jointly attributed WannaCry to North Korea. The DOJ subsequently indicted Park Jin Hyok of Lab 110, the same DPRK Reconnaissance General Bureau unit responsible for the 2014 Sony Pictures attack and the 2016 Bangladesh Bank heist. Estimated global damage from WannaCry was $4-8 billion, with the NHS portion costed by the UK government at approximately £92 million.
Defender takeaway: every Windows machine that fell to WannaCry was unpatched against MS17-010, two months after the patch was issued. The lesson is the same one taught by Conficker (2008) and SQL Slammer (2003) and reinforced every few years since: the patch lifecycle for internet-facing or network-reachable services has to be measured in days, not months. The deeper architectural lesson is that SMBv1 should not have been reachable across enterprise networks in 2017, and Windows XP should not have been reachable from the internet at all. The NCSC’s post-incident analysis of the NHS situation specifically called out flat networks and mixed estate management — clinical systems sharing networks with administrative systems, with end-of-life devices commingled — as the conditions that turned an avoidable patch lapse into an operational catastrophe affecting patient care.
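A detection check a defender can run over connection logs, added here as an illustration and not part of the original page: it flags a host that opens TCP/445 connections to many distinct peers inside a short window, the fan-out pattern an SMBv1 worm like WannaCry produces on a flat network. The log format, the 60-second window and the threshold of ten peers are assumptions, and the sample log is constructed.

```python
"""Added example: flag hosts fanning out to many distinct peers on TCP/445,
the signature of an SMB worm crossing a flat network. Log format, window and
threshold are assumptions for illustration, not from any real product."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445
WINDOW_S = 60      # look-back window per source host, in seconds
THRESHOLD = 10     # distinct 445 peers inside the window that raise an alert


def parse_line(line):
    """Parse 'ISO-time src dst dport action' (constructed format) into a tuple."""
    ts, src, dst, dport, _action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def detect_smb_fanout(lines, window_s=WINDOW_S, threshold=THRESHOLD):
    """Return {src: peak distinct 445 peers} for every source crossing threshold.
    A per-source sliding window counts distinct peers, so a client hammering one
    file server never trips the rule while a host sweeping a subnet does."""
    window = timedelta(seconds=window_s)
    by_src = defaultdict(list)
    for line in filter(str.strip, lines):
        ts, src, dst, dport = parse_line(line)
        if dport == SMB_PORT:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        recent, peers = deque(), defaultdict(int)   # events in window; dst -> hits
        for ts, dst in sorted(events):
            recent.append((ts, dst))
            peers[dst] += 1
            while ts - recent[0][0] > window:        # expire events older than window
                _, old = recent.popleft()
                peers[old] -= 1
                if peers[old] == 0:
                    del peers[old]
            if len(peers) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts


# Constructed sample: 10.1.4.20 sweeps twelve neighbours on 445 within seconds
# (worm-like), 10.1.4.50 only talks to one file server, 10.1.4.60 uses 443.
SAMPLE_LOG = [f"2017-05-12T10:00:{i:02d} 10.1.4.20 10.1.4.{21 + i} 445 ALLOW"
              for i in range(12)]
SAMPLE_LOG += ["2017-05-12T10:00:13 10.1.4.20 10.1.4.21 445 ALLOW",
               "2017-05-12T10:05:00 10.1.4.50 10.1.4.10 445 ALLOW",
               "2017-05-12T10:05:30 10.1.4.50 10.1.4.10 445 ALLOW",
               "2017-05-12T10:06:00 10.1.4.60 10.1.4.10 443 ALLOW"]
```

Running `detect_smb_fanout(SAMPLE_LOG)` returns `{'10.1.4.20': 12}`: the repeat connection to 10.1.4.21 does not raise the distinct count, the single-server client stays silent, and the 443 traffic is never considered.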
Controls that would have helped
Defender controls catalogued in the Controls Desk that would have changed the outcome of this incident, or limited its blast radius. Sourced from regulator and framework guidance — never vendors.
- Workload-based segmentation so a single intrusion can't spread laterally: A flat workload network is one bad day from a NotPetya. Workload-level policy enforcement — identity-aware, application-aware — is the single biggest blast-radius limit in the catalogue.
- Application allowlisting on high-value endpoints: On a server, on a privileged-access workstation, on a SCADA controller, the answer to 'what should run here' is finite, knowable and short. Allowlist it. Block everything else.