Summary
On the morning of 12 May 2017, WannaCry became the fastest-spreading ransomware in history, encrypting files on more than 230,000 Windows machines across 150-plus countries in a single day and demanding a few hundred dollars in Bitcoin per machine. It needed no phishing and no clicks. It was a worm: it spread itself from one unpatched computer to the next using EternalBlue, an exploit for a flaw in Windows' ancient SMBv1 file-sharing protocol that the US National Security Agency had quietly stockpiled and that a group called the Shadow Brokers had leaked weeks earlier. Microsoft had shipped a patch (MS17-010) two months before, but the unpatched and the end-of-life machines, most famously across the UK's National Health Service, which diverted ambulances and cancelled thousands of operations, were swept up regardless. The global rampage was then halted almost by accident when a 22-year-old researcher registered a single gibberish domain for about ten dollars, not yet knowing it was the worm's kill switch. WannaCry is the textbook lesson in patching fast and killing legacy protocols, with a stranger-than-fiction ending.
How it worked
WannaCry was two old ideas bolted together: ransomware and a network worm.
The ransomware part was ordinary. Once on a machine it encrypted documents, photos, and databases, dropped a red ransom note demanding around $300 in Bitcoin (rising to $600, then threatening deletion), and locked the screen. Ransomware like this was already common by 2017.
What made WannaCry catastrophic was the worm wrapped around it. It carried two leaked NSA cyberweapons: EternalBlue, an exploit for a remote-code-execution flaw in the SMBv1 file-sharing protocol (CVE-2017-0144), and DoublePulsar, a backdoor it installed to run its payload. With these, an infected machine scanned its own network and the wider internet for other Windows hosts with port 445 open, exploited them with no user interaction at all, and copied itself across. One unpatched laptop plugged into a hospital network could seed the whole estate in minutes. The exploit had been a zero-day hoarded by the NSA for several years; when the Shadow Brokers dumped it publicly in April 2017, it became a weapon anyone could fire, and a month later someone did.
The damage
WannaCry did not steal data or target anyone in particular; it just burned through everything reachable, which made its victim list almost random and global. Spain's Telefónica, FedEx, the German rail operator Deutsche Bahn, Renault and Nissan car plants (which halted production), Russia's interior ministry, and universities in China all went down.
The defining casualty was the UK's National Health Service. WannaCry knocked out computers, MRI scanners, and blood-storage fridges across at least 80 hospital trusts and hundreds of GP surgeries. Ambulances were diverted, an estimated 19,000 appointments and operations were cancelled, and the UK's National Audit Office later put the direct cost to the NHS at about £92 million, roughly £20 million in lost output during the week of the attack and £72 million on IT recovery afterward. The NAO's verdict was damning: the attack was unsophisticated and entirely preventable, and NHS bodies had been warned about exactly this SMB vulnerability weeks earlier. So severe was the outbreak that Microsoft took the rare step of shipping an emergency patch for Windows XP, Windows 8, and Server 2003, operating systems it had already stopped supporting. Worldwide damage estimates run from $4 billion to $8 billion.
The accidental kill switch
WannaCry's global spread was stopped, by luck, within hours, by a then-22-year-old British researcher named Marcus Hutchins (known online as MalwareTech). Reverse-engineering the worm on the day of the outbreak, he noticed it tried to contact one specific, unregistered, gibberish domain before doing anything else, and exited if the domain answered. Following his usual practice of sinkholing malware to track it, he registered the domain for about $10.69, only to realise afterwards that doing so had switched the worm off: every new infection now reached a live domain, read it as "stop," and shut itself down. The whole episode took about seven hours from the worm's first spread to the kill switch taking hold, though it did nothing for machines already encrypted. In a twist that became its own cautionary tale, Hutchins was arrested in the US months later on unrelated charges tied to banking malware he had written years earlier as a teenager.
Who was behind it
In December 2017 the United States, joined by the United Kingdom, Canada, Australia, New Zealand, and Japan, publicly attributed WannaCry to North Korea, specifically the Lazarus Group, the same state-backed crew tied to the 2014 Sony Pictures hack and the 2016 theft from Bangladesh's central bank. Security firms had already found code shared between WannaCry and earlier Lazarus malware. The result is one of the strangest provenance chains in security history: a North Korean ransomware worm, built on a cyberweapon stolen from the American NSA and leaked by a still-unidentified group, that ended up paralysing British hospitals. The ransom, tellingly, brought in only around $130,000 (about 51 Bitcoin across 327 payments), a trivial sum next to the damage, which suggests WannaCry may have been released before it was even finished.
Why WannaCry still matters
WannaCry is the case everyone points to when they say "patch faster," because the patch was already there. MS17-010 had shipped two months earlier; nearly every victim was hit through a hole that a single update would have closed. It is also the moment "wormable" re-entered the vocabulary: a vulnerability that lets malware spread with no human in the loop turns a slow problem into an instant, global one. And it kept on giving, the very same EternalBlue exploit went on to power NotPetya six weeks later and BadRabbit after that. The lessons are unglamorous and still routinely ignored: patch network-facing flaws on a clock, retire legacy protocols like SMBv1, segment the network, and keep offline backups so recovery never depends on paying a stranger.
How to fix it
- Apply MS17-010 to every supported Windows host; for end-of-life systems (XP, Server 2003) apply Microsoft's separate emergency update or retire them behind strict compensating controls, since MS17-010 itself never covered those.
- Disable SMBv1 entirely; it is obsolete and was the propagation channel.
- Isolate infected hosts, rebuild them, and restore from clean offline backups; do not pay, the keys are unreliable and you are funding the next attack.
- Block inbound SMB (TCP 445) at the network edge and between internal segments.
How to avoid it
- Patch internet-facing and laterally-reachable vulnerabilities on a short, enforced SLA; a two-month-old fix saved no one who skipped it.
- Remove or tightly segment end-of-life and unmaintainable systems that can no longer be patched.
- Disable legacy protocols like SMBv1 and restrict SMB to the few places that genuinely need it.
- Keep tested, offline, immutable backups so ransomware recovery never depends on paying.
- Segment the network so a single wormable flaw cannot reach the entire estate.
References
- https://www.nao.org.uk/reports/investigation-wannacry-cyber-attack-and-the-nhs/
- https://learn.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010
- https://www.securityweek.com/microsoft-issues-emergency-patch-response-massive-ransomware-outbreak/
- https://trumpwhitehouse.archives.gov/briefings-statements/press-briefing-on-the-attribution-of-the-wannacry-malware-attack-to-north-korea-121917/
- https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
Related vulnerabilities
All Infra →- CRITICALINFRA-NOTPETYA-2017
On 27 June 2017 NotPetya became the most destructive cyberattack in history, causing more than $10 billion in global damage. It looked like ransomware but was a wiper: even victims who paid could not recover, because its encryption kept nothing needed to decrypt. It entered through a poisoned update to M.E.Doc, a Ukrainian tax application, then spread inside networks at machine speed using the EternalBlue and EternalRomance SMB exploits plus Mimikatz to harvest credentials and move laterally, so even fully patched machines fell once one neighbour was compromised. The blast radius was global: Maersk had to reinstall roughly 45,000 PCs and 4,000 servers and was saved only because a single domain controller in Ghana had been offline during a power cut and held a clean copy of Active Directory; Merck's losses reached about $1.4 billion. The US, UK, and allies attributed it to Russia's GRU (Sandworm). It is the lesson in patching, stopping credential reuse, segmentation, and truly offline backups.
- CRITICALCVE-2025-1974
IngressNightmare was a chain of five vulnerabilities in the Ingress-NGINX Controller for Kubernetes disclosed on 24 March 2025 by the Wiz Research team, the most severe being CVE-2025-1974 (CVSS 9.8), which enabled unauthenticated remote code execution from the pod network. Wiz estimated about 43% of cloud environments were vulnerable and identified over 6,500 publicly exposed clusters, including Fortune 500 organizations. The controller's validating admission webhook ran as an unauthenticated HTTP endpoint reachable by any workload on the pod network, accepting attacker-supplied AdmissionReview requests containing crafted Ingress objects. The supporting CVEs (CVE-2025-24514 auth-url, CVE-2025-1097 auth-tls-match-cn, CVE-2025-1098 mirror UID, CVE-2025-24513 path bypass) injected unsanitized NGINX configuration directives via annotations into a temporary config the controller validated with nginx -t. The attacker uploaded a shared-library payload by abusing NGINX client-body buffering (an oversized Content-Length keeps the request file descriptor open in ProcFS) and then used the injected ssl_engine directive to load that library during validation, achieving code execution in the controller pod whose service account could read all cluster secrets across namespaces, enabling full cluster takeover.
- HIGHCLOUD-ENVFILE-EXTORTION-2024
On August 15, 2024, Palo Alto Networks Unit 42 detailed a large-scale extortion campaign that compromised cloud environments by harvesting exposed environment variable files. Attackers scanned at least 110,000 domains and collected over 90,000 unique variables, including roughly 7,000 cloud service credentials and 1,515 social media credentials, with their infrastructure probing around 230 million targets. The vector was a web server misconfiguration: .env files inside the web root were served as plaintext over HTTP because the servers had no rule denying access to dotfiles, exposing the long-lived AWS IAM access keys hardcoded inside. The initial IAM principals lacked full admin but retained permission to create roles and users, so attackers called CreateRole and attached AdministratorAccess to escalate, then spun up Lambda functions across regions to automate further internet-wide scanning. They used the victims' own AWS accounts to exfiltrate and delete S3 objects, then uploaded ransom notes demanding payment. The failure chain combined exposed dotfiles, long-lived hardcoded credentials, and over-permissioned IAM, not any cloud-provider flaw.
- CRITICALCLOUD-BUCKET-MONOPOLY-2024
In research disclosed to AWS on February 16, 2024 and presented at Black Hat USA and DEF CON 32 in August 2024, Aqua Security's Nautilus team described a class of S3 bucket-name takeover attacks they called Bucket Monopoly, affecting CloudFormation, Glue, EMR, SageMaker, Service Catalog, and CodeStar. These services auto-created S3 buckets with predictable names built from static prefixes plus the account ID and region, such as cf-templates-{hash}-{region}, aws-glue-assets-{account-id}-{region}, and sagemaker-{region}-{account-id}, where account IDs are discoverable from ARNs, access keys, and public repos. Because S3 bucket names are globally unique, an attacker could pre-create a victim's predictably named bucket in a region the victim had not yet used (a Shadow Resource), then the victim's service would later read attacker-controlled content from it. This enabled data tampering, information disclosure, remote code execution by injecting malicious Glue or CloudFormation content, and in some cases full account takeover via planted admin roles; AWS remediated by adding randomized suffixes to bucket names and enforcing aws:ResourceAccount conditions. The class also covers reuse of abandoned or dangling bucket names that a victim configuration still references.
- HIGHCVE-2024-6387
A signal-handler race condition in OpenSSH's server (sshd) on glibc-based Linux. If a client fails to authenticate within the LoginGraceTime window, the SIGALRM handler calls async-signal-unsafe functions, which an attacker can interrupt at a precise moment to corrupt the heap and achieve unauthenticated remote code execution as root. It is a regression of the 2006 CVE-2006-5051, reintroduced in OpenSSH 8.5p1. Exploitation is non-trivial, requiring thousands of race attempts, but Qualys reported roughly 4.8 million internet-exposed instances as potentially affected.
- CRITICALCONTAINER-EXPOSED-DOCKER-API
Exposed Docker API is a recurring misconfiguration class in which the Docker remote API (default TCP 2375 plaintext, 2376 TLS) is published to untrusted networks without TLS or authentication, granting anyone who reaches it full control of the daemon. Because dockerd runs as root and the unauthenticated API permits arbitrary container creation, an attacker can launch a privileged container that bind-mounts the host root filesystem and then chroots into it to escape to the host. The Commando Cat campaign, reported in 2024 by Cado Security and analyzed by Trend Micro (advisory dated 13 June 2024), abused exactly this exposure: it deployed a benign image (cmd.cat/chattr) generated by the open-source Commando project, then used chroot and volume binding of the host's root directory into the container to break out and run host-level payloads. The delivered payloads installed cryptocurrency miners, registered persistence and a stealthy backdoor (including DropBear SSH on TCP 3022), and exfiltrated host and cloud-service-provider credentials. Shell-script and command-and-control infrastructure overlapped with the TeamTNT cryptojacking group.