WannaCry, the ransomware attack that changed the history of cybersecurity

WannaCry showed how unpatched flaws and leaked cyber tools can cripple global systems, reshaping cybersecurity defenses worldwide.

In memory of the day the digital world was shaken, but learned to fight back.

The WannaCry ransomware attack represents one of the most significant events in recent cybersecurity history, not only for its global scale but also for the technical and geopolitical implications it raised. Analyzing its history means understanding how known vulnerabilities, advanced tools, and delays in mitigation can converge into an event capable of disrupting critical infrastructure worldwide.

WannaCry emerged on May 12, 2017 by exploiting a vulnerability in the SMBv1 protocol of Microsoft Windows (CVE-2017-0144, the flaw targeted by the EternalBlue exploit). The vulnerability allowed unauthenticated remote code execution against any host exposing SMBv1 on TCP port 445, and Microsoft had already fixed it with security bulletin MS17-010 on March 14, 2017, two months before the outbreak. The most critical detail is that EternalBlue was not written by ordinary cybercriminals: it came from offensive tooling attributed to the National Security Agency (NSA) and was published by the Shadow Brokers group in April 2017, a month after the patch was available.

This combination made WannaCry particularly effective. It was not a traditional ransomware spread via phishing, but a worm capable of autonomously propagating within networks.

On that day in May, WannaCry began spreading rapidly, infecting over 200,000 systems in more than 150 countries within a few days. Among the countries most affected were Spain, the United Kingdom, the United States, China, Portugal, Vietnam, Russia, and Ukraine, with particular impact on the IT systems of British NHS hospitals and on the Spanish telecommunications operator Telefónica.

Italy was also affected by the attack, and the case was handled by the CNAIPIC, the cybercrime operations center of the Polizia Postale. The speed of propagation was largely due to the widespread presence of unpatched systems. Contrary to a common belief, most infections occurred on unpatched Windows 7 hosts rather than on Windows XP, where the exploit often crashed the machine instead of infecting it; Microsoft nonetheless issued out-of-band MS17-010 fixes for the unsupported Windows XP and Windows Server 2003 on May 12 as the outbreak unfolded.

Infection mechanism and behavior

Once inside a system, WannaCry encrypted each file with a random AES-128 key, wrapped that key with a per-victim RSA-2048 key pair whose private half was itself encrypted with the attackers' embedded public key, renamed the results with the .WNCRY extension, and displayed a ransom demand in Bitcoin. The requested payment was relatively low, $300, but it doubled to $600 after three days, with a threat to delete the files after seven, to pressure victims into paying quickly.

From a technical perspective, the real innovation was its automated lateral movement. Using EternalBlue, the malware scanned the local subnet and randomly generated Internet addresses for hosts exposing TCP port 445, exploited the vulnerable ones, and installed a copy of itself without any human interaction. This behavior made it more similar to a classic worm than to traditional ransomware.

A crucial moment in WannaCry’s history was the accidental discovery of a “kill switch.” Security researcher Marcus Hutchins (aka MalwareTech), while analyzing the sample, noticed that before doing anything else it attempted an HTTP connection to an unregistered domain (hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com) and simply exited if that connection succeeded.

By registering that domain and pointing it at a sinkhole, a routine step researchers take to track botnets, he caused every new infection with direct Internet access to terminate before encrypting or spreading, which slowed and partially stopped the worm’s global spread. The check was likely intended as an anti-analysis technique (sandboxes commonly answer every DNS query and accept every connection, so a sample that sees an unregistered domain “exist” can assume it is being analyzed), but it ended up playing a key role in mitigating the attack. It was not a complete fix: hosts that could only reach the Internet through a proxy still failed the check and kept spreading, and variants with different kill-switch domains appeared within days and had to be registered in turn.
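The two behaviours described above, the kill-switch lookup and the fan-out of SMB connections, are exactly what a defender can look for in network telemetry. The following is an added example, not code from the article or from the researchers it mentions: a small Python triage script that runs over constructed DNS and connection log lines (the log format, host names and addresses are invented for the example) and flags hosts that resolved the kill-switch domain or opened TCP/445 connections to many distinct destinations within a short window.

```python
"""Added example (not part of the original article): flag WannaCry-style
behaviour in constructed network logs.

Two indicators taken from the article's description of the malware:
  1. a lookup of the kill-switch domain: the sample performs it before
     encrypting or spreading, so the query alone shows the dropper ran on
     that host, even when the sinkhole then stopped it;
  2. worm-like fan-out: one source opening TCP/445 connections to many
     distinct destinations in a short time window.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Kill-switch domain as quoted in the article (defanged there, plain here so
# the comparison works against a real DNS log field).
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample log (not real telemetry; hosts and addresses invented).
# 10.0.1.5 behaves like an infected host: kill-switch lookup, then a burst of
# TCP/445 connections to neighbours and to an Internet address.
# 10.0.1.20 just talks to a file server normally.
SAMPLE_LOG = """\
2017-05-12T10:02:10Z src=10.0.1.5 query=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T10:02:11Z src=10.0.1.5 dst=10.0.1.6 dport=445 proto=tcp
2017-05-12T10:02:11Z src=10.0.1.5 dst=10.0.1.7 dport=445 proto=tcp
2017-05-12T10:02:12Z src=10.0.1.5 dst=10.0.1.8 dport=445 proto=tcp
2017-05-12T10:02:12Z src=10.0.1.5 dst=10.0.1.9 dport=445 proto=tcp
2017-05-12T10:02:13Z src=10.0.1.5 dst=10.0.1.10 dport=445 proto=tcp
2017-05-12T10:02:14Z src=10.0.1.5 dst=10.0.1.11 dport=445 proto=tcp
2017-05-12T10:02:14Z src=10.0.1.5 dst=198.51.100.23 dport=445 proto=tcp
2017-05-12T10:02:20Z src=10.0.1.20 dst=10.0.1.2 dport=445 proto=tcp
2017-05-12T10:05:00Z src=10.0.1.20 dst=10.0.1.2 dport=445 proto=tcp
2017-05-12T10:05:01Z src=10.0.1.20 query=intranet.example.internal
"""


def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' line into a dict with a datetime."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text: str) -> list[dict]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def kill_switch_queries(events: list[dict]) -> set[str]:
    """Source hosts that resolved the kill-switch domain."""
    return {e["src"] for e in events
            if e.get("query", "").lower() == KILL_SWITCH_DOMAIN}


def smb_fanout(events: list[dict], threshold: int = 5,
               window: timedelta = timedelta(seconds=60)) -> dict[str, int]:
    """Source hosts that reached TCP/445 on >= threshold distinct destinations
    inside any sliding window of the given length. Returns the peak count."""
    by_src: dict[str, list] = defaultdict(list)
    for e in events:
        if e.get("dport") == "445" and e.get("proto") == "tcp":
            by_src[e["src"]].append((e["ts"], e["dst"]))
    flagged = {}
    for src, conns in by_src.items():
        conns.sort()
        best, start = 0, 0
        for end in range(len(conns)):
            while conns[end][0] - conns[start][0] > window:
                start += 1  # slide the window forward in time
            distinct = len({dst for _, dst in conns[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[src] = best
    return flagged


def triage(text: str, threshold: int = 5) -> dict[str, list[str]]:
    """Combine both indicators into a per-host list of reasons."""
    events = parse_log(text)
    report: dict[str, list[str]] = defaultdict(list)
    for host in sorted(kill_switch_queries(events)):
        report[host].append("kill-switch lookup")
    for host, n in sorted(smb_fanout(events, threshold).items()):
        report[host].append(f"smb fan-out to {n} hosts")
    return dict(report)


if __name__ == "__main__":
    for host, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(host, "->", ", ".join(reasons))
```

The fan-out threshold and window are deliberately parameters: on a network where workstations legitimately contact several file servers, raise the threshold; the kill-switch query, by contrast, needs no tuning, because no legitimate process resolves that name.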

Attribution and lessons learned

Subsequent investigations attributed the attack to groups linked to North Korea, particularly the Lazarus Group. In December 2017 the United States publicly blamed Pyongyang, the United Kingdom and several other allied governments concurred, and a 2018 US indictment named a North Korean national, Park Jin Hyok, in connection with WannaCry. The attribution highlighted how cyber warfare tools can be repurposed in criminal or hybrid operations.

The WannaCry case also sparked intense debate about how governments manage software vulnerabilities. The fact that an intelligence-grade exploit escaped control and was used globally exposed the risks associated with stockpiling cyber weapons.

WannaCry marked a turning point in how cyber risk is perceived. It demonstrated that failing to apply security patches can lead to systemic consequences. Microsoft had released the necessary security update months before the attack, yet many organizations had not implemented it.

Another key lesson concerns network segmentation. The worm’s ability to move laterally exposed weaknesses in internal infrastructures that lacked proper isolation controls, in particular flat networks in which any workstation could reach SMB on any other host.

Finally, WannaCry emphasized the importance of international cooperation in cyber incident response. The timely sharing of technical information helped limit the damage and enabled faster development of countermeasures.

Years later, WannaCry remains a landmark case showing how known vulnerabilities, advanced tools, and organizational shortcomings can combine into a devastating cyberattack. It was neither the most sophisticated nor the most profitable ransomware, but it was undoubtedly one of the most impactful.

Its legacy is still visible today in modern security practices, which place greater emphasis on patch management, network resilience, and preparedness for large-scale attacks.

About the author: Salvatore Lombardo (@Slvlombardo)

Electronics engineer and Clusit member, espousing for some time now the principle of conscious education, he has been writing for several online magazines on information security. He is also the author of the book “La Gestione della Cyber Security nella Pubblica Amministrazione”. “Education improves awareness” is his slogan.


Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)
