WannaCry (also called WannaCrypt or WCry) is a ransomware cryptoworm that began spreading on 12 May 2017 and infected an estimated 200,000+ computers across roughly 150 countries within days. It encrypted files on vulnerable Windows machines and displayed a ransom note demanding payment in Bitcoin (initially around $300, rising to $600) in exchange for a decryption key.
The malware propagated using EternalBlue, an exploit targeting a vulnerability in Microsoft's Server Message Block (SMBv1) protocol. EternalBlue had been developed by the U.S. National Security Agency and was leaked publicly in April 2017 by the Shadow Brokers group. Microsoft had issued a patch (MS17-010) in March 2017, but many organisations had not applied it, and unsupported systems such as Windows XP remained exposed.
The outbreak was largely halted when security researcher Marcus Hutchins registered a domain hard-coded in the malware that functioned as a "kill switch," stopping further encryption on most variants. Damage was nonetheless severe: the UK's National Health Service had appointments cancelled and ambulances diverted across dozens of trusts; other affected organisations included Telefónica, Renault, Deutsche Bahn, FedEx, and Russia's Interior Ministry.
In December 2017, the United States, United Kingdom, Australia, Canada, New Zealand, and Japan publicly attributed WannaCry to North Korea, specifically the Lazarus Group linked to the Reconnaissance General Bureau. In September 2018, the U.S. Department of Justice indicted North Korean national Park Jin Hyok in connection with the attack and other Lazarus operations.
WannaCry is frequently cited in policy debates about:
- Vulnerability equities: whether intelligence agencies should disclose or stockpile zero-days.
- Critical infrastructure resilience and patch management in healthcare and public services.
- State attribution and the application of international law to malicious cyber operations.
- The UN Group of Governmental Experts (GGE) and Open-Ended Working Group (OEWG) discussions on responsible state behaviour in cyberspace.
Example
In May 2017, WannaCry forced the UK's National Health Service to cancel an estimated 19,000 appointments after encrypting computers across dozens of hospital trusts.
Frequently asked questions
In December 2017 the US, UK, and allies publicly attributed the attack to North Korea's Lazarus Group. The US DOJ indicted North Korean national Park Jin Hyok in 2018.
Keep learning