WannaCry Ransomware: Understanding the Attack and Prevention Strategies
Understand how WannaCry spread and what steps prevent similar ransomware outbreaks today.
Abnormal AI
The WannaCry ransomware struck on May 12, 2017, exploiting the EternalBlue vulnerability to infect over 200,000 systems across more than 150 countries within just 24 hours. Global losses were estimated to reach $4 billion, including the devastating toll on the UK’s NHS, which saw over 19,000 appointments canceled and £92 million in recovery and lost output costs.
The malware spread via SMBv1, targeting unpatched Windows systems, even though Microsoft had already released a fix for the exploited vulnerability. Many organizations failed to apply the patch, allowing the ransomware to spread rapidly and globally without requiring user interaction. Even today, thousands of systems still run SMBv1, leaving them exposed to similar attacks. This article examines the WannaCry ransomware attack, detailing its unfolding sequence, global impact, and key strategies for preventing similar threats.
What Is WannaCry Ransomware?
WannaCry is a fast-spreading crypto-ransomware worm that encrypts data and automatically seeks new victims, demanding payment in Bitcoin for file recovery. Unlike locker ransomware, which restricts access to devices, WannaCry uses RSA-2048 and AES-128 encryption to lock files, which cannot be recovered without the attacker’s private key.
The malware emerged on May 12, 2017, and spread rapidly across unpatched Windows systems, installing a backdoor and scanning ports 135–139 and 445 to propagate without any user action.
This attack marked a turning point in cybersecurity, proving that a single exploit chain could cripple systems globally. It reshaped how organizations manage patching, segmentation, and incident response.
Inside the WannaCry Attack Mechanics
WannaCry exploits outdated Windows file-sharing protocols to gain remote access and execute code across networks. It begins by targeting TCP port 445 using EternalBlue to exploit SMBv1, gaining SYSTEM-level access.
Once inside, the malware:
Encrypts files with AES-128
Encrypts the AES key with RSA-1024
Displays a ransom note demanding $300–$600 in Bitcoin, translated into multiple languages
Each infected system then scans nearby IP ranges to repeat the attack, enabling rapid lateral movement with no user interaction, making patching the only effective barrier.
A hardcoded kill switch briefly stopped the outbreak. Later variants removed or randomized this mechanism, allowing continued spread. Notably, some versions failed to decrypt files after payment, reinforcing the risks of ransom negotiation.
Unpatched SMBv1 services remain a critical vulnerability, offering attackers a direct path from external exposure to full internal compromise.
2017 Outbreak Timeline and How It Unfolded
The global spread of WannaCry demonstrates how unpatched vulnerabilities cascade into worldwide disruption within hours, fundamentally changing how organizations approach cybersecurity.
Pre-Attack: The Perfect Storm
Microsoft released KB4012598 (MS17-010) on March 14, 2017, which closed the SMBv1 vulnerability that would later enable the propagation of the ransomware. The patch addressed CVE-2017-0144, but widespread deployment lagged across enterprise networks. One month later, the Shadow Brokers leaked EternalBlue on April 14, placing the exploit in every attacker's toolkit.
Day One: May 12, 2017 - Global Chaos
The outbreak began on Friday, May 12, 2017. WannaCry encrypted approximately 230,000 endpoints across 150 countries within 24 hours.
Initial infections spread across European networks during peak business hours. The UK's NHS became the most visible victim, with hospitals forced to cancel surgeries and revert to pen-and-paper systems. As business hours progressed, Telefónica in Spain instructed staff to disconnect their PCs, while Deutsche Bahn's railway systems displayed ransom screens. Manufacturing networks collapsed as Renault shut down its French production facilities, and FedEx experienced global shipping delays.
The Kill Switch Discovery
Cybersecurity researcher Marcus Hutchins discovered and registered the kill switch domain on May 15. The ransomware only encrypted files if it couldn't reach "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com." Hutchins accidentally triggered WannaCry's built-in kill switch by registering this domain for $10.69, providing immediate global relief.
Critical Failures
The timeline reveals how unpatched SMBv1 hosts enabled every major disruption. The NHS canceled 19,000 appointments, resulting in a cost of £92 million. Organizations had nearly two months from Microsoft's patch release to protect themselves, yet WannaCry impacted over 200,000 computers globally.
Without timely updates and network segmentation, even accidental design flaws like the kill switch provide minimal protection once the worm penetrates your network perimeter. Later variants removed this mechanism, eliminating the fortunate accident from future attacks.
Prevention and Defense Playbooks
Protecting against WannaCry requires a layered approach to cybersecurity. This section outlines the key steps organizations should take to prevent infection and defend against future ransomware threats.
1. Start with Visibility: Patch Management
Inventory every system that still supports SMBv1, then apply the MS17-010 patches or retire the hosts altogether. Microsoft released the security patch almost two months before WannaCry struck, yet unpatched shares on port 445 remain exposed today to ransomware exploiting the same EternalBlue flaw documented eight years ago.
2. Assume Breach and Isolate: Zero Trust Segmentation
Zero Trust Segmentation creates blast walls that stop worm traffic from hopping between subnets. 81% of security leaders now consider this control mandatory for cyber resilience. Place operational technology, medical devices, and Windows XP remnants in separate zones and deny outbound SMB at the firewall to prevent lateral movement.
3. Immutable Backups: Off-Network Protection
Backups must be immutable and off-network. Keep at least one copy and prove it works with quarterly restore drills. Immutable storage thwarts attackers who encrypt snapshots before triggering ransom timers.
4. Detection Must Outpace Propagation
Modern EDR and XDR tools watch for kernel injections and for sudden spikes in outbound SMB traffic like those that preceded the 2017 worm. Layer machine-learning models that baseline normal file-share activity to contain anomalies in seconds, not hours, before encryption begins.
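As an added example (not code from the article or from Abnormal), the Python script below implements the two detection signals this article describes: a host opening connections to an unusual number of distinct peers on TCP 445 within a short window (the lateral scanning described in the attack mechanics section), and a DNS lookup of the kill-switch domain quoted earlier. The log line format, the window and threshold values, and the sample log lines are all assumed and constructed for the example.

```python
from collections import defaultdict

KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"  # domain quoted in the article
SMB_PORT = 445
WINDOW_SECONDS = 60      # assumed tuning value, not from the article
FANOUT_THRESHOLD = 20    # distinct SMB targets per window; assumed tuning value

# Constructed sample log, not captured traffic. Assumed simplified line formats:
#   "<epoch> CONN <src_ip> <dst_ip> <dst_port>"   one outbound TCP connection attempt
#   "<epoch> DNS <src_ip> <query_name>"           one DNS query
SAMPLE_LOG = (
    # benign host talking to a single file server every 15 seconds
    ["%d CONN 10.0.1.5 10.0.3.10 445" % (1000 + 15 * i) for i in range(4)]
    # worm-like host sweeping 25 neighbours on port 445 within 25 seconds
    + ["%d CONN 10.0.1.17 10.0.2.%d 445" % (2000 + i, i + 1) for i in range(25)]
    # the same host resolving the kill-switch domain just before the sweep
    + ["1999 DNS 10.0.1.17 " + KILL_SWITCH_DOMAIN]
)

def parse_line(line):
    f = line.split()
    if f[1] == "CONN":
        return {"ts": int(f[0]), "kind": "CONN", "src": f[2], "dst": f[3], "port": int(f[4])}
    return {"ts": int(f[0]), "kind": "DNS", "src": f[2], "qname": f[3].lower().rstrip(".")}

def detect(lines, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {src_ip: [alert, ...]} for hosts that look like a propagating worm."""
    alerts = defaultdict(list)
    smb_events = defaultdict(list)  # src -> [(ts, dst)] for port-445 connections
    for ev in map(parse_line, lines):
        if ev["kind"] == "DNS" and ev["qname"] == KILL_SWITCH_DOMAIN:
            alerts[ev["src"]].append("kill-switch domain lookup")
        elif ev["kind"] == "CONN" and ev["port"] == SMB_PORT:
            smb_events[ev["src"]].append((ev["ts"], ev["dst"]))
    for src, events in smb_events.items():
        events.sort()
        for i, (ts, _) in enumerate(events):
            # distinct SMB targets reached in the window that starts at this event
            targets = {dst for t, dst in events[i:] if t - ts <= window}
            if len(targets) >= threshold:  # many distinct peers in one window = scanning
                alerts[src].append("SMB fan-out: %d targets in %ds" % (len(targets), window))
                break
    return dict(alerts)

if __name__ == "__main__":
    for host, hits in detect(SAMPLE_LOG).items():
        print(host, hits)
```

Feeding real connection and DNS logs through the same two functions only requires adapting parse_line to the local log format; the thresholds should be tuned against a baseline of normal file-share activity first.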
5. Zero Trust Access Finishes the Job
Replace aging VPNs with context-aware policies. Combine least-privilege shares, MFA for every admin session, and continuous risk scores, echoing the U.S. Intelligence Community's 2025 maturity targets.
Board-Ready Metrics
Patch coverage of SMBv1 assets: Percentage with MS17-010 applied
Mean time to isolate (MTTI) infected hosts: Target <5 minutes
Verified backup restore time: Quarterly validation of full recovery capability
Even with these steps, the fundamentals remain unchanged: ruthless patching, network segmentation, immutable backups, and AI-enhanced detection. Measure, refine, and repeat, because ransomware operators iterate just as quickly as you do.
Future-Proofing Against Ransomware Starts Now
WannaCry’s billion-dollar impact proved that a single unpatched protocol can disrupt 230,000 machines across 150 countries in just one day. Many of the vulnerabilities it exposed still persist today. Effective defense requires consistent patching, strong network segmentation, and rehearsed incident response plans—backed by continuous user education.
However, even with solid defenses, traditional tools often overlook the subtle behavioral shifts that indicate ransomware activity. That’s where Abnormal becomes essential. Its AI-driven platform learns your organization’s typical behavior, detects anomalies in real time, and autonomously isolates threats, stopping ransomware before it spreads.
Strengthen your ransomware defenses today. Book a demo to see how Abnormal protects every layer of your email and network environment.