How did the WannaCry ransomware attack stop?

The WannaCry ransomware attack was a worldwide cyberattack in May 2017 that infected over 200,000 computers across 150 countries. This attack exploited vulnerabilities in older Windows operating systems using a hacking tool called EternalBlue that was leaked online by the hacking group Shadow Brokers. WannaCry encrypted files on infected computers and demanded ransom payments in bitcoin to decrypt them. It caused significant disruption globally, including shutting down hospitals, telecom operators, universities, and businesses. So how did this massive ransomware attack ultimately get stopped?

How did WannaCry spread initially?

WannaCry spread rapidly across networks by targeting the Server Message Block (SMB) protocol on unpatched Windows machines. SMB provides shared and remote file access on Windows networks. WannaCry specifically exploited the SMB vulnerability targeted by EternalBlue, which let it infect machines and spread laterally through networks without any user interaction. Once a single computer was infected, WannaCry would scan the network for other vulnerable machines with exposed SMB ports and infect them automatically. Because of this self-propagating, worm-like behaviour, it could infect entire networks in minutes.

Why was WannaCry so disruptive?

WannaCry was highly disruptive for several reasons:

  • It spread extremely quickly through networks using the leaked NSA EternalBlue exploit.
  • It encrypted files on infected computers and rendered them inaccessible until ransom was paid.
  • It affected outdated Windows XP and Server 2003 machines that many organizations still relied on.
  • It disrupted critical infrastructure like healthcare facilities, logistics, and other essential services.
  • Organizations were often unprepared and had no effective response plan in place.

Within just 1 day, WannaCry had infected over 230,000 computers across 150 countries. The ransomware hit thousands of businesses worldwide, from telecom providers in Spain to universities in China to hospitals in the UK. The UK’s National Health Service was one of the worst hit, with 70,000 devices including MRI scanners, blood-storage refrigerators, and operating-theatre equipment being taken offline. This caused widespread disruption to hospital operations, postponed surgeries, and diverted ambulances. Overall, billions in damages resulted from just a single day of this attack.

What steps helped stop WannaCry’s spread?

While WannaCry caused massive, worldwide disruption initially, several key factors helped slow and eventually stop its spread:

Accidental kill-switch discovery

Security researcher @MalwareTechBlog stumbled upon a kill-switch domain that halted WannaCry. He found that before encrypting files, WannaCry would query an unregistered domain; if the query resolved, the malware exited. @MalwareTechBlog registered the domain, which slowed infections in networks that queried the domain after it went live.
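As an added example (not the article's own material, and not the researcher's code), a PowerShell routine that scans an exported DNS query log for lookups of the kill-switch domain: any host that queried it ran the malware, and a host whose lookup failed was not saved by the kill-switch. The article does not name the domain, so the domain and the log lines below are constructed placeholders.

```powershell
# Added example (not from the original article): find hosts whose DNS queries
# hit the WannaCry kill-switch domain. The article does not name the domain,
# so $KillSwitchDomain is a placeholder to replace with the real value.
$KillSwitchDomain = 'killswitch-domain.example'   # placeholder

# Constructed sample lines in a simplified "timestamp client query rcode"
# layout, standing in for an exported DNS server or resolver log.
$SampleLog = @'
2017-05-12T09:01:13Z 10.0.4.21 www.example.org NOERROR
2017-05-12T09:02:40Z 10.0.4.37 killswitch-domain.example NOERROR
2017-05-12T09:02:41Z 10.0.4.37 killswitch-domain.example NOERROR
2017-05-12T09:05:02Z 10.0.7.90 killswitch-domain.example NXDOMAIN
2017-05-12T09:06:55Z 10.0.4.21 update.example.net NOERROR
'@ -split "`n"

function Find-KillSwitchLookups {
    param([string[]]$Lines, [string]$Domain)
    $Lines |
        ForEach-Object {
            $f = ($_.Trim() -split '\s+')
            if ($f.Count -ge 4 -and $f[2] -ieq $Domain) {
                [pscustomobject]@{ Time = $f[0]; Client = $f[1]; RCode = $f[3] }
            }
        } |
        Group-Object Client |
        ForEach-Object {
            [pscustomobject]@{
                Client    = $_.Name
                Lookups   = $_.Count
                FirstSeen = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
                # NOERROR: the domain resolved, so the malware exited on this host.
                # NXDOMAIN only: the domain did not resolve for this host, so the
                # kill-switch did not stop it; treat the host as likely encrypted.
                Resolved  = ($_.Group | Where-Object RCode -eq 'NOERROR').Count -gt 0
            }
        }
}

Find-KillSwitchLookups -Lines $SampleLog -Domain $KillSwitchDomain | Format-Table -AutoSize
```

On the sample data this reports 10.0.4.37 (two resolved lookups) and 10.0.7.90 (one failed lookup, so the kill-switch did not protect it); every listed client is a host that ran WannaCry and should be isolated and checked.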

Patching vulnerabilities

Microsoft quickly released emergency patches for unsupported operating systems like Windows XP and Server 2003 to fix the SMB vulnerabilities being exploited. While patching was critical, it took time to roll these patches out across massive corporate networks and control systems. Still, patching prevented further infections on the systems that received it.

Sinkholing attack traffic

Researchers from security firms and other organizations worked to sinkhole WannaCry traffic by taking control of key domains hardcoded into the malware. Like the kill-switch, this redirected infections away from vulnerable computers. Sinkholing efforts by organizations such as Kryptos Logic, Neustar, and Check Point helped reduce the number of successful attacks.

Antivirus updates

Antivirus and cybersecurity vendors like Avast, Kaspersky Lab, and Symantec pushed definition updates to detect and stop WannaCry infections. This provided protection at endpoints and internal networks to contain the attack.

Disabling SMBv1

Microsoft recommended disabling the outdated SMBv1 file-sharing protocol across Windows networks, as WannaCry targeted vulnerabilities in SMBv1 specifically. Disabling SMBv1 blocked WannaCry's lateral movement through networks.
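An added example (not from the article or from Microsoft) of how an administrator can audit and disable SMBv1 in PowerShell, and keep the SMB port off untrusted networks as defence in depth. It assumes Windows 8.1 / Server 2012 R2 or later (the standard SmbShare, DISM and NetSecurity modules) and an elevated session; the firewall rule name is my own.

```powershell
# Added example (not from the original article or from Microsoft): report whether
# SMBv1 is still enabled on this Windows host and, when run with -Disable, turn it
# off. Assumes Windows 8.1 / Server 2012 R2 or later and an elevated PowerShell
# session. On Server SKUs the component can also be checked with
# Get-WindowsFeature FS-SMB1.
param([switch]$Disable)

$RuleName = 'Block inbound SMB (TCP 445)'   # rule name chosen for this example

function Get-Smb1Status {
    $server  = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerAcceptsSmb1 = $server.EnableSMB1Protocol      # LanmanServer still negotiates SMBv1
        Smb1Component     = if ($feature) { $feature.State } else { 'NotPresent' }
        Port445BlockRule  = [bool](Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)
    }
}

function Disable-Smb1 {
    # Stop the server from answering SMBv1 negotiation, the dialect EternalBlue targets.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the SMBv1 component (server and client sides); removal completes after a reboot.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    # Defence in depth: block inbound SMB on the Public profile so an exposed port
    # cannot be reached from untrusted networks even if SMBv1 is ever re-enabled.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -Profile Public | Out-Null
    }
}

if ($Disable) {
    Disable-Smb1
    Write-Host 'SMBv1 disabled; reboot to finish removing the component.'
}
Get-Smb1Status | Format-List
```

Run without parameters to audit only; a host reporting ServerAcceptsSmb1 = True or Smb1Component = Enabled is still exposed to the SMBv1 attack path the article describes.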

Backup and recovery

For infected systems, backup and recovery from secure backups remained the most reliable means to restore encrypted files without paying ransom. Organizations with prepared backups were able to recover critical data and resume operations.

Who was behind the WannaCry attack?

The exact perpetrators behind WannaCry remain unknown, although evidence points to the Lazarus Group, a cybercrime outfit linked to North Korea. Specific clues leading to this include:

  • Code similarities between WannaCry variants and previous malware used by Lazarus.
  • Shared code libraries found in Lazarus malware like Joanap.
  • Connections with previous cyberheists like the 2016 Bangladesh bank heist.
  • Possible linguistic markers in WannaCry’s code and ransom notes.

However, despite this evidence, North Korea has denied any involvement. The Lazarus Group remains the prime suspect because of these links, but the attack has not been definitively traced back to the group or to North Korea.

How much did WannaCry make from ransom payments?

Despite infecting hundreds of thousands of computers globally, WannaCry did not make much money from ransom payments. Due to the widespread media coverage and quick response, victims were discouraged from paying the ransom. Only around $140,000 in Bitcoin ransom payments were tracked, a relatively small amount for such a broad campaign.

Ransom payment tracking sites allowed researchers to monitor Bitcoin wallets used by WannaCry and showed low payment volumes. Low payouts were likely due to:

  • Warnings not to pay ransoms.
  • The inability of many victims to pay due to Bitcoin illiteracy.
  • Mistakes in WannaCry’s payment system coding.
  • Rapid response and patching shutting down infections before encryption.

Had WannaCry spread uncontrolled for longer with ransom payments enabled properly, the payout totals could have been far higher. But its amateur mistakes and quick disruption kept numbers low.

How was WannaCry different from other ransomware?

While ransomware attacks had been around for years, WannaCry stood out because of:

  • Unprecedented scale – It spread to over 200,000 systems faster than any previous ransomware.
  • Worm-like propagation – It infected entire networks by moving laterally using the SMB exploit.
  • Targeting of outdated systems – It successfully exploited unpatched legacy XP and Server 2003 systems.
  • Use of leaked NSA tools – It repurposed powerful exploits developed by intelligence agencies.
  • High-profile disruption – It disabled hospitals, telecoms, transport, and corporations.

Previous ransomware incidents were more localized, slower moving, and relied more on social engineering. WannaCry established ransomware as a threat to critical infrastructure through its ability to spread rapidly using powerful exploits. However, later ransomware like NotPetya and Bad Rabbit would refine this approach further.

What was the impact of the WannaCry attack?

The WannaCry ransomware attack had a global impact by disrupting vital infrastructure and businesses worldwide, including:

  • 200,000+ infected systems across 150 countries.
  • Temporary closure of hundreds of hospitals in the UK.
  • Over $4 billion in total damages.
  • Interruptions to telecoms, shipping, and factories.
  • Loss of data, files, and productivity.
  • Expensive recovery efforts for many organizations.

Although infections were contained relatively quickly, the sheer scale and speed of the attack were alarming for businesses and governments worldwide. It highlighted the destructive potential of cyber weapons, like those developed by intelligence agencies, falling into the wrong hands. The widespread disruption forced greater attention on improving cyber resilience and response plans.

How was another global outbreak prevented?

Since WannaCry, progress has been made to avoid another global ransomware outbreak:

  • Software vendors issue patches faster for critical vulnerabilities.
  • Businesses are quicker to patch and upgrade outdated systems.
  • Improved endpoint detection and response solutions have been deployed.
  • Increased segmentation of critical networks.
  • More staff training on ransomware prevention and response.
  • Banning payments to ransomware operators in some countries.

However, risks still remain high due to factors like continued use of vulnerable legacy systems, lack of patching by many organizations, and growing ransomware-as-a-service enabling less sophisticated actors.

Table 1: Timeline of the WannaCry Attack

Date              Event
----------------  ----------------------------------------------------------------------
March 2017        The Shadow Brokers hacker group steals and releases EternalBlue, an SMB exploit tool developed by the NSA.
April 2017        WannaCry ransomware is created using EternalBlue to propagate through networks by exploiting unpatched SMB vulnerabilities.
May 12, 2017      Initial infections are detected hitting computers through vulnerable public-facing SMB ports.
May 12-15, 2017   Rapid spread across 150 countries with over 200,000 infections, hitting hospitals, businesses, and government systems.
May 13, 2017      Researcher @MalwareTechBlog accidentally discovers a kill-switch that slows infections.
May 13-16, 2017   Patches released, SMBv1 disabled, sinkholing deployed, and antivirus signatures updated to stop WannaCry.
May 16, 2017      Infections contained after spreading to over 200,000 systems in 150 countries.

Conclusion

The WannaCry attack provided sobering lessons on the dangers of weaponized exploits and poor cyber resilience. Its unprecedented speed and scale triggered chaos worldwide, disabling vital systems like healthcare networks. Although quickly contained, the disruption caused by WannaCry was immense and demonstrated how vulnerable much of the world’s critical infrastructure still is to cyber threats. Stronger collaboration between governments, software vendors, security researchers, and infrastructure operators is needed to prevent such outbreaks in the future. WannaCry revealed just how easily common cyber weapons can cripple hospitals, businesses, and transport systems worldwide.