WannaCry Ransomware: The 2017 Attack That Changed Cybersecurity Forever
- What Is WannaCry Ransomware?
- How the 2017 WannaCry Attack Unfolded
- EternalBlue: The Exploit That Made WannaCry So Destructive
- The Kill Switch That Stopped WannaCry
- The Real Cost of WannaCry
- What the WannaCry Ransomware Attack Teaches SMBs Today
- Strengthen Your Defenses Before the Next Outbreak
On May 12, 2017, a ransomware attack infected more than 230,000 machines across 150 countries in a single day. According to Europol, no type of organization was spared: hospitals, telecoms, railway networks, and government agencies all fell within the same hours, without anyone clicking a single malicious link.
This article traces the full story of WannaCry: from the stolen NSA exploit that made it possible to the $10 domain registration that stopped it. It also extracts the patch-management and backup lessons every business owner needs to act on today.
What Is WannaCry Ransomware?
WannaCry is a cryptoworm: self-propagating ransomware that encrypts files on infected machines and demands payment in bitcoin to restore access. According to CISA, the ransom ranged from $300 to $600 per machine, with a deadline that doubled the price if unpaid.
What separates WannaCry from typical ransomware is its propagation method:
- No phishing required. Traditional ransomware needs an employee to open a malicious attachment. WannaCry needs nothing from users at all.
- No attachment to avoid. There is no email for employees to spot, no link to refuse.
- Patch management is the only real control. WannaCry targets unpatched Windows endpoints. Security awareness training, however thorough, offers no protection here.
Compared to screen-lockers or scareware, WannaCry operates in a categorically higher risk tier. Different types of ransomware carry different threat profiles, and WannaCry’s autonomous propagation puts it at the top.
How the 2017 WannaCry Attack Unfolded
The attack moved with a speed that left responders almost no time to react. More than 230,000 machines across 150 countries were compromised within the first 24 hours, with no industry sector left untouched.
Early casualties included:
- NHS trusts across the United Kingdom, forcing hospitals to divert ambulances, cancel appointments, and return to paper records
- Spanish telecommunications giant Telefónica
- FedEx’s international logistics operations
- Deutsche Bahn, Germany’s national railway
Microsoft had issued the critical MS17-010 patch approximately two months before the attack launched. Every organization that fell victim had access to that fix. Not one had applied it.
The U.S., UK, and Australian governments formally attributed the attack to Lazarus Group, a threat actor tied to North Korean state interests. WannaCry was not opportunistic criminal malware. It was a nation-state-grade weapon that had escaped its original context and become available to any threat actor willing to use it.
EternalBlue: The Exploit That Made WannaCry So Destructive
WannaCry’s reach was not the product of social engineering. It spread because it carried a cyberweapon the NSA had developed for offensive intelligence operations.
EternalBlue exploits a critical vulnerability in the Windows Server Message Block (SMB) protocol, the mechanism Windows machines use to share files and printers across a network. The exploit enables remote code execution on unpatched machines over TCP port 445, with no user interaction required. In April 2017, a group calling itself the Shadow Brokers leaked EternalBlue publicly, placing a nation-state-grade offensive capability into the open.
WannaCry paired EternalBlue with DoublePulsar, a second leaked NSA implant. DoublePulsar installs a persistent backdoor before the ransomware payload drops, ensuring a foothold even if the initial process is interrupted.
The attack sequence operated automatically:
- EternalBlue scanned for unpatched machines and gained entry through port 445.
- DoublePulsar established a persistent backdoor before the ransomware payload dropped.
- The ransomware encrypted every accessible file on the infected machine.
Every newly infected host immediately became a new scanning origin, turning the outbreak into a self-feeding loop across connected networks.
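The scanning loop described above leaves a recognizable trace in connection logs: one host opening connections to many distinct internal addresses on TCP port 445 within seconds. The following is an added example, not code from the original article or from any vendor it mentions; it assumes a simple firewall/flow log format (constructed here) and a detection threshold of five distinct targets in sixty seconds, both of which are assumptions you would tune to your environment. Denied connections are counted too, because a segmented network that blocks the attempts still has an infected host generating them.

```python
"""Flag worm-like SMB fan-out in connection logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed sample: 10.0.1.15 sweeps eight neighbours on 445 in four seconds (some blocked),
# 10.0.1.30 talks to one file server repeatedly, one line is malformed on purpose.
SAMPLE_LOG = """\
2017-05-12T10:00:01 src=10.0.1.15 dst=10.0.1.20 dport=445 action=allow
2017-05-12T10:00:01 src=10.0.1.15 dst=10.0.1.21 dport=445 action=allow
2017-05-12T10:00:02 src=10.0.1.15 dst=10.0.1.22 dport=445 action=deny
2017-05-12T10:00:02 src=10.0.1.15 dst=10.0.1.23 dport=445 action=allow
2017-05-12T10:00:03 src=10.0.1.15 dst=10.0.1.24 dport=445 action=deny
2017-05-12T10:00:03 src=10.0.1.15 dst=10.0.1.25 dport=445 action=allow
2017-05-12T10:00:04 src=10.0.1.15 dst=10.0.1.26 dport=445 action=allow
2017-05-12T10:00:04 src=10.0.1.15 dst=10.0.1.27 dport=445 action=allow
2017-05-12T10:00:05 src=10.0.1.30 dst=10.0.1.5 dport=445 action=allow
2017-05-12T10:00:09 src=10.0.1.30 dst=10.0.1.5 dport=445 action=allow
2017-05-12T10:00:12 src=10.0.1.31 dst=10.0.1.5 dport=443 action=allow
2017-05-12T10:05:00 src=10.0.1.15 dst=10.0.1.28 dport=445 action=allow
this line is malformed and is skipped
"""


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than aborting the scan."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "action": m["action"],
        })
    return events


def find_smb_scanners(events, window=timedelta(seconds=60), min_targets=5):
    """Return {src: peak distinct port-445 targets in any window} for sources over threshold.

    A normal client reaches one or two file servers on 445; a host sweeping a
    subnet reaches many distinct addresses in a burst, allowed or denied.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["dport"] == 445:
            by_src[e["src"]].append(e)

    flagged = {}
    for src, evs in by_src.items():
        peak, start = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = len({x["dst"] for x in evs[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= min_targets:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, peak in find_smb_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {peak} distinct SMB targets in one window, isolate and check for MS17-010")
```

The same logic runs unchanged against a real export once `LINE_RE` is adjusted to your firewall's format; the thing to watch is the distinct-target count, not the raw connection count, because a busy file-server client produces many connections to one address.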
Microsoft had released MS17-010 in March 2017. Millions of endpoints running Windows XP, Windows 7, and Server 2003 were never updated, and those unpatched machines became the attack surface.
The Kill Switch That Stopped WannaCry
Security researcher Marcus Hutchins analyzed WannaCry’s code and found an unusual behavior: before executing, the malware queried a specific, long, nonsensical domain name. A successful DNS lookup told the malware it was being analyzed. No response meant the environment was real, and the attack continued.
The behavior is consistent with sandbox evasion. Security analysts routinely examine malware in isolated environments where all DNS queries return responses. The kill switch logic treated a live DNS resolution as evidence of an analysis environment and halted execution before dropping the payload.
The domain was unregistered. Hutchins registered it for approximately $10.69, and new infections stopped globally within hours.
The kill switch did not decrypt a single already-locked file. Victims infected before Hutchins registered the domain faced a binary choice: pay the ransom or lose the data permanently, unless off-network backups were available. Within days, modified WannaCry variants appeared with the kill switch removed, confirming that Hutchins had achieved containment, not resolution.
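Because the worm resolved the kill-switch domain before doing anything else, every query for that name in your resolver logs marks a host on which the worm actually executed. What happened next depends on the answer: a failed lookup meant the payload ran, a successful one (once the domain was registered) meant the worm exited but left an unpatched host behind. The script below is an added example, not code from the article or from Hutchins; the domain is an obvious placeholder to be replaced from a trusted IoC source, and the resolver log format is an assumption.

```python
"""Triage resolver logs for kill-switch lookups (added example, constructed data)."""
import re

# Placeholder, not the real indicator: substitute the kill-switch domain from a trusted IoC source.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Assumed resolver log format: "<ISO timestamp> client=<ip> query=<name> rcode=<NOERROR|NXDOMAIN>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>[\d.]+) query=(?P<qname>\S+) rcode=(?P<rcode>\w+)$"
)

# Constructed sample: two lookups while the domain was still unregistered (NXDOMAIN),
# one after it was sinkholed (NOERROR, mixed case on purpose), and unrelated traffic.
SAMPLE_DNS_LOG = """\
2017-05-12T09:31:07 client=10.0.1.15 query=killswitch-placeholder.example. rcode=NXDOMAIN
2017-05-12T09:31:09 client=10.0.1.15 query=update.example.net. rcode=NOERROR
2017-05-12T09:45:52 client=10.0.2.40 query=killswitch-placeholder.example. rcode=NXDOMAIN
2017-05-12T16:02:13 client=10.0.3.77 query=KILLSWITCH-PLACEHOLDER.EXAMPLE. rcode=NOERROR
2017-05-12T16:02:14 client=10.0.3.78 query=www.example.com. rcode=NOERROR
"""


def parse_dns_log(text):
    """Parse resolver log lines into dicts, skipping anything that does not match the format."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def triage_kill_switch_lookups(records, domain=KILL_SWITCH_DOMAIN):
    """Map each client that queried the kill-switch domain to a verdict.

    "proceeded": at least one lookup failed, so the worm did not halt on that
                 host and the encryption payload ran.
    "halted":    every lookup succeeded (sinkhole live), so the worm exited
                 before dropping the payload. The host still ran the worm and
                 is still unpatched, so it needs isolation and MS17-010.
    """
    wanted = domain.lower().rstrip(".")
    verdicts = {}
    for r in records:
        if r["qname"].lower().rstrip(".") != wanted:
            continue
        outcome = "halted" if r["rcode"] == "NOERROR" else "proceeded"
        # A failed lookup is never downgraded by a later successful one.
        if verdicts.get(r["client"]) != "proceeded":
            verdicts[r["client"]] = outcome
    return verdicts


if __name__ == "__main__":
    for client, verdict in triage_kill_switch_lookups(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(f"{client}: worm executed, {verdict}")
```

Hosts in the "halted" bucket are easy to overlook precisely because nothing was encrypted; they are the same machines the kill-switch-free variants mentioned above would encrypt on the next pass.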
The Real Cost of WannaCry
WannaCry’s damage operated at two levels: the immediate infection footprint, and the downstream losses that took months to fully quantify.
- Scale: More than 230,000 machines across 150 countries, spanning healthcare, telecommunications, logistics, and government
- NHS impact: According to the UK National Audit Office, approximately 80 NHS trusts were affected; an estimated 19,000 appointments were canceled, ambulances were diverted, and clinical staff reverted to paper records and personal mobile phones
- Ransom collected: Despite hundreds of thousands of infections, attackers received approximately $140,000 in bitcoin total, a fraction of the destruction caused
- Total economic damage: Post-incident modeling estimates put losses between $4 billion and $8 billion in productivity, recovery costs, and lost revenue
- No reliable decryptor: No verified public decryptor was ever released for WannaCry; organizations without current backups faced permanent data loss or a ransom payment decision
- NotPetya: Followed weeks later, using the same EternalBlue exploit vector and inflicting even greater damage on global enterprises
The pattern that defined WannaCry recovery is consistent: organizations with tested, off-network backups recovered quickly; those without them did not. Secure backup solutions built for SMBs make the difference between a recoverable incident and a permanent loss.
What the WannaCry Ransomware Attack Teaches SMBs Today
The conditions that enabled WannaCry still exist in small and mid-sized business environments. Unpatched endpoints, flat network architectures, and absent backup strategies are not historical artifacts from 2017.
- Patch on a defined schedule. MS17-010 was available approximately two months before WannaCry struck. Patch cycles longer than 30 days for critical updates represent an accepted liability. No amount of user training compensates for an unpatched production endpoint.
- Segment your network. WannaCry spread laterally because machines on the same network could reach each other on port 445. Proper segmentation limits the blast radius when an infection begins. A compromised workstation should not have a direct path to your file server, your accounting systems, or your domain controller.
- Maintain verified, off-network backups. The organizations that recovered fastest from WannaCry had recent, tested backups stored separately from the production environment. A backup stored on a mapped network drive is reachable by ransomware and does not qualify as a recovery option.
- Audit legacy and end-of-life systems. WannaCry hit hardest where Windows XP and Server 2003 were still running in production, both past Microsoft’s end-of-support dates. Inventory your environment and have a documented plan for any endpoint without an active security patch cadence.
- Know your attack surface before attackers do. Regular risk assessments identify unpatched endpoints, open SMB ports, and exposed protocols before attackers find them. A partner offering Chicago cybersecurity services builds that review into an ongoing process, not a one-time event.
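The controls above can be turned into a repeatable check against an endpoint inventory. The script below is an added example, not the article's or LeadingIT's tooling. The 30-day ceiling for critical patches and the end-of-life operating systems (Windows XP, Server 2003) come from the article; the CSV columns, the list of roles allowed to accept SMB from workstations, and the sample hosts are constructed assumptions.

```python
"""Audit an endpoint inventory against patch age, EOL status and SMB exposure (added example)."""
import csv
import io
from datetime import date

EOL_OS = {"Windows XP", "Windows Server 2003"}  # past Microsoft end of support, per the article
MAX_PATCH_AGE_DAYS = 30                          # the article's ceiling for critical-patch cycles
SMB_SERVER_ROLES = {"file-server"}               # assumption: the only role that should accept SMB from workstations

# Constructed inventory. open_445_to_workstations: can the workstation segment reach TCP 445 on this host?
INVENTORY_CSV = """\
hostname,os,role,last_critical_patch,open_445_to_workstations
ws-101,Windows 10,workstation,2017-04-20,no
fs-01,Windows Server 2012 R2,file-server,2017-02-10,yes
lab-xp,Windows XP,lab,2014-03-01,yes
acct-01,Windows 7,finance-app,2017-05-01,yes
"""


def audit_inventory(csv_text, today):
    """Return {hostname: [findings]} for every host that fails at least one control."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        # Control: no end-of-life systems without a documented plan.
        if row["os"] in EOL_OS:
            issues.append("end-of-life OS with no security patch cadence")
        # Control: critical patches applied within the defined window.
        age = (today - date.fromisoformat(row["last_critical_patch"])).days
        if age > MAX_PATCH_AGE_DAYS:
            issues.append(f"critical patch age {age}d exceeds {MAX_PATCH_AGE_DAYS}d")
        # Control: workstations should only reach port 445 on designated file servers.
        if row["open_445_to_workstations"] == "yes" and row["role"] not in SMB_SERVER_ROLES:
            issues.append("TCP 445 reachable from workstation segment")
        if issues:
            findings[row["hostname"]] = issues
    return findings


def audit_sample():
    """Run the audit over the constructed inventory as of the WannaCry outbreak date."""
    return audit_inventory(INVENTORY_CSV, date(2017, 5, 12))


if __name__ == "__main__":
    for host, issues in audit_sample().items():
        print(host)
        for issue in issues:
            print("  -", issue)
```

Note that the file server passes the segmentation check by role but still fails on patch age; being the intended SMB endpoint for every workstation is exactly why it cannot be the machine that is 91 days behind.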
These lessons don’t have to stay abstract. Ransomware prevention fundamentals translate them into specific controls your business can start implementing today.
Strengthen Your Defenses Before the Next Outbreak
WannaCry is the clearest available case study in what happens when patch management is treated as optional. The attack required no phishing email, no weak password, and no user mistake. It required only an unpatched machine on a reachable network.
When patch management, network segmentation, and backup are handled proactively, a ransomware outbreak becomes a recoverable incident rather than a business-defining crisis. Your team keeps working. Your data stays accessible. An attack that would have cost weeks of downtime gets handled before it reaches your desk.
LeadingIT provides managed IT and cybersecurity services to businesses across Chicagoland, including:
- Endpoint protection
- 24/7 monitoring
- Patch management
- Backup and recovery
We work with SMBs from 25 to 250 employees and build the layered defenses that make attacks like WannaCry a reference case rather than a current emergency. Schedule a free assessment to find out where your environment is exposed or call 815-788-6041 to speak with our team directly.