WannaCry: How a Stolen Cyberweapon Locked Up the World in a Weekend

On a Friday in May 2017, hospitals in the UK started turning patients away. Screens across the National Health Service (NHS) lit up with the same message: your files are locked, pay us $300 in Bitcoin, and the clock is ticking. Surgeries were canceled, ambulances diverted, MRI scanners and lab systems frozen. Within a single weekend, the same message had appeared on more than 200,000 computers in over 150 countries.

This was WannaCry, and it's the case study that introduces the threat you are most likely to face in the real world: ransomware. It's also a story with an unusually rich set of lessons - about extortion, about the danger of unpatched systems, and about what happens when a government's secret hacking tools get stolen and handed to the world. 

Let’s break it down.

What Happened?

WannaCry was ransomware: malicious software that locks up the victim's files and demands payment to unlock them. But what made it so explosively destructive wasn't the ransom part; it was how it spread.

Most ransomware needs a little help getting in, usually by tricking someone into clicking a bad link or opening an infected attachment. WannaCry didn't need any of that. It spread on its own, machine to machine, with no human clicking anything. It did this by exploiting a flaw in an old Windows feature used for sharing files across a network. Once WannaCry infected one computer, it automatically scanned for other vulnerable machines nearby and on the internet, jumped to them, locked them up, and repeated. It spread at a reported rate of thousands of machines per hour.

Here's the part that stings: Microsoft had already released a fix for that flaw nearly two months earlier. Every computer that had installed the March 2017 update was safe, but WannaCry tore through the machines that hadn't.

And there's one more twist that makes this story remarkable. The flaw WannaCry exploited was weaponized using a hacking tool called EternalBlue, a tool that had been developed and kept secret by the U.S. National Security Agency. It was stolen by a group called the Shadow Brokers and dumped onto the public internet. A few weeks later, someone built it into WannaCry. A government's own cyberweapon was turned loose on the world.

The rampage was eventually slowed by an almost accidental discovery (we'll cover the famous "kill switch" below), but by then the damage was done.

Concepts Explained

A handful of terms unlock this whole story.

Ransomware. This is the headline concept. Ransomware is malware that takes something of yours hostage (almost always by encrypting your files) and demands a payment, usually in cryptocurrency, in exchange for giving it back. Think of a burglar who doesn't steal your belongings but instead welds an unbreakable safe around them and sells you the combination. The data never leaves; it's just locked where you can't reach it. Ransomware is now one of the most common and costly threats in all of cybersecurity, hitting hospitals, schools, city governments, and businesses of every size.

Encryption. Ransomware works because of encryption, which is the process of scrambling data using a mathematical key so that it's unreadable to anyone without that key. Encryption is normally a good thing - it's what keeps your bank details safe online. Ransomware abuses it by encrypting your files with a key that only the attacker holds, turning a protective tool into a weapon against you.

Exploit. An exploit is a piece of code that takes advantage of a specific vulnerability to make a system do something it shouldn't, like run the attacker's commands. If a vulnerability is an unlocked window, the exploit is the specific technique for climbing through it. EternalBlue was the exploit here, and it targeted a weakness in a Windows file-sharing feature.

SMB (Server Message Block). This is the Windows feature WannaCry abused. SMB is a protocol (a set of rules) that lets computers on a network share files and printers with each other. It's genuinely useful and extremely common in offices. Because SMB is commonly enabled inside corporate networks, a single infected machine often has a large number of potential targets nearby. The problem was an old, flawed version of it that, when left unpatched and exposed, let WannaCry leap from machine to machine without permission.

Worm. A worm is malware that copies and spreads itself across machines automatically, with no human action required. WannaCry was technically ransomware combined with worm-like spreading, which is exactly why it moved so far and so fast. Most ransomware infects one organization at a time; a worm infects everything it can reach.

Kill switch. A kill switch is a built-in mechanism that shuts something down. In WannaCry's case, the malware contained code that checked whether a particular nonsense web address existed; if it could reach that address, the malware would stop. This was likely meant as an anti-analysis trick, but it became the attack's undoing as you'll see in a moment.

Why It Matters

WannaCry mattered for a few reasons:

First, it dragged ransomware into the public spotlight as a threat to life and safety, not just data. When a hospital's systems freeze, the consequences aren't measured in lost files; they're measured in canceled surgeries and diverted ambulances. WannaCry made it undeniable that cyberattacks can put real people in physical danger, especially when they hit healthcare, utilities, and other essential services.

Second, it was a brutal lesson in the cost of not patching. This wasn't a mysterious, undefendable attack. The fix had been available for two months. Organizations were hit because of a gap between "a patch exists" and "the patch is actually installed everywhere it needs to be" - the same gap that doomed Equifax. WannaCry showed that gap could be exploited not just by patient, targeted attackers, but by an automated worm that punished every unpatched machine indiscriminately and all at once.

Third, it raised a hard question that's still debated: what responsibility do governments have when they discover and stockpile vulnerabilities? The NSA found this flaw and kept it secret to use as an intelligence tool, rather than telling Microsoft so it could be fixed. When that secret tool leaked, it was turned against ordinary hospitals and businesses. WannaCry became the prime example of why hoarding powerful exploits is a gamble: if they escape, they don't stay pointed at the intended targets.

What Defenders Would See

For defenders, WannaCry was terrifyingly fast. However, in hindsight it was also full of signals they could learn to recognize.

On an infected network, the most visible sign would have been the spread itself: a sudden burst of internal network traffic as the worm scanned for and reached out to other machines over the file-sharing ports. One machine talking to dozens of others in rapid succession, probing that specific service, is exactly the kind of pattern that should set off alarms. This is a recurring theme across these case studies - catching an attack often comes down to noticing a normal-looking thing happening in an abnormal pattern or volume. It pays to “know normal”.
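As an added example (not code from the original article), here is the fan-out pattern just described written as detection logic run over a constructed connection log: one source contacting many distinct hosts on the SMB ports (445 and 139) within a short window. The sample log, the 60-second window and the threshold of 10 hosts are assumptions chosen for illustration, not values from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (not real WannaCry traffic):
# "timestamp src dst dport", one connection attempt per line.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.5 10.0.1.20 445
2017-05-12T10:00:02 10.0.1.5 10.0.1.21 445
2017-05-12T10:00:02 10.0.1.5 10.0.1.22 445
2017-05-12T10:00:03 10.0.1.5 10.0.1.23 445
2017-05-12T10:00:03 10.0.1.5 10.0.1.24 139
2017-05-12T10:00:04 10.0.1.5 10.0.1.25 445
2017-05-12T10:00:05 10.0.1.5 10.0.1.26 445
2017-05-12T10:00:05 10.0.1.5 10.0.1.27 445
2017-05-12T10:00:06 10.0.1.5 10.0.1.28 445
2017-05-12T10:00:06 10.0.1.5 10.0.1.29 445
2017-05-12T10:00:10 10.0.1.7 10.0.1.50 445
2017-05-12T10:00:11 10.0.1.7 10.0.1.50 445
2017-05-12T10:00:12 10.0.1.9 10.0.1.60 443
"""

SMB_PORTS = {445, 139}  # ports the Windows file-sharing service listens on

def parse_log(text):
    """Parse 'timestamp src dst dport' lines into (datetime, src, dst, port)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events

def find_smb_fanout(events, window=timedelta(seconds=60), threshold=10):
    """Map each source to the largest number of distinct hosts it reached on
    SMB ports inside any window-long span, keeping only those >= threshold.
    Repeated connections to the same host (normal file-server use) do not
    raise the count; only breadth of distinct targets does."""
    per_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port in SMB_PORTS:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, hits in per_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {d for t, d in hits[i:] if t - start <= window}
            if len(seen) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(seen))
    return alerts
```

In the sample, only 10.0.1.5 trips the rule; 10.0.1.7 talks repeatedly to a single file server and 10.0.1.9 uses HTTPS, so neither is flagged.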

The other thing a defender would have seen, painfully, is the ransom note itself appearing on screen after screen. Ransomware is unusual among cyberattacks in that the attacker wants you to know they're there. The whole business model depends on announcing themselves. That's different from Stuxnet or SolarWinds, which fought to stay hidden. With ransomware, by the time you "detect" it the obvious way, the encryption has already happened, which is why real defense against ransomware happens before the note appears: patching the holes it spreads through, segmenting networks so it can't roam freely, and above all keeping good backups so that locked files can be restored without paying anyone.

The attack was ultimately blunted by a 22-year-old security researcher who was analyzing the malware and noticed it kept trying to contact that strange, unregistered web address. On a hunch, he registered the domain himself - for about ten dollars. Because the malware was designed to shut down if it could reach that address, registering it acted as a global off switch for that version of WannaCry (the kill switch). It was a brilliant, lucky catch. But know this: later versions stripped the kill switch out entirely, and the only durable protection was the patch that had been available all along.

Lessons Learned

WannaCry's takeaways are some of the most practical in the whole series.

1. Patch promptly, especially for anything network-facing. A two-month-old, freely available patch would have stopped this cold. The lesson isn't just "patch"; it's that the window between a fix being released and attackers weaponizing the flaw can be short, so speed matters.

2. Back up your data, and test that the backups work. I can’t stress this one enough! Ransomware's entire leverage is that you can't get your files back. If you have clean, recent, offline backups, you can restore your systems and just tell the attacker to go fly a kite. Backups are the single most effective defense against ransomware, but only if they actually work when you need them, which means testing them.

3. Don't run unsupported software for critical jobs. Many WannaCry victims were running old, no-longer-supported versions of Windows that had stopped receiving security fixes. This is, unfortunately, not uncommon. Legacy systems running essential operations are a standing liability; they need to be replaced, isolated, or very carefully protected.

4. Limit how freely things can spread inside your network. WannaCry's worm behavior was only devastating because, once inside, it could reach so many other machines. Segmenting networks and restricting unnecessary internal access (the same defense-in-depth idea we keep returning to) turns a potential wildfire into a contained spark.

Plain English Summary

WannaCry was a ransomware attack: malicious software that locks up your files and demands payment to release them. What made it so destructive is that it spread by itself, like a worm, jumping from computer to computer with no one required to click anything. It did this using a Windows flaw for which a fix already existed, so the machines that got hit were largely the ones that hadn't installed an update released two months earlier.

The tool used to exploit that flaw, EternalBlue, was originally a secret hacking weapon built by the U.S. government, which had been stolen and leaked online weeks before. In a single weekend, WannaCry locked up over 200,000 computers worldwide, hitting hospitals especially hard. The attack was slowed almost by accident when a researcher discovered and triggered a hidden "kill switch," but the real protection was the patch people hadn't applied.

The lasting lessons are simple and powerful: install your security updates quickly, keep tested backups so ransomware can't hold you hostage, retire outdated systems, and don't let one infected machine reach your entire network. Ransomware works by taking away your options; good security is about making sure you always have a way to say no.

WannaCry struck in May 2017 and was later attributed by the U.S. and U.K. governments to North Korea, widely associated with a state-linked group known as Lazarus, though some researchers continue to debate the precise attribution. Relatively few victims paid the ransom, and the attack is now studied as a landmark moment that pushed ransomware to the top of the global cybersecurity agenda — and fueled a lasting debate over whether governments should stockpile software vulnerabilities or disclose them so they can be fixed.
