On May 12, 2017, a security researcher named Marcus Hutchins identified an unusual domain embedded in the WannaCry ransomware code, registered it for a nominal fee, and inadvertently activated a kill switch that slowed the outbreak before it could spread further.
According to Security Affairs, by the time Hutchins registered the kill switch domain embedded in WannaCry's code, the ransomware had already infected more than 200,000 systems across 150 countries. Europol called the scale unprecedented; hospitals in England had turned ambulances away, MRI scanners and blood-storage refrigerators sat locked and useless, and patients who had arrived for scheduled procedures were told to go home.
WannaCry did not change cybersecurity because it was particularly sophisticated. It changed cybersecurity because it showed the world, in the space of a single weekend, what happens when decades of deferred maintenance meet a weapon built by a nation-state.
Understanding WannaCry requires going back further than May 2017. The NSA had discovered a critical vulnerability in Microsoft Windows' Server Message Block version 1 protocol, designated CVE-2017-0144, and rather than disclosing it to Microsoft, had developed it into an offensive cyberweapon called EternalBlue. The agency used it for intelligence gathering for years, keeping the vulnerability open and exploitable while millions of Windows systems worldwide remained unknowingly exposed.
In April 2017, a hacker group called the Shadow Brokers leaked EternalBlue publicly, apparently having stolen it from NSA infrastructure. Microsoft had been privately notified and issued a patch, MS17-010, on March 14, 2017, nearly two months before the WannaCry attack. However, patching at scale in large organizations, particularly those running legacy systems or managing 24/7 operations, is rarely immediate. According to Microsoft, when WannaCry launched on May 12, the patch had been available for 59 days, and the overwhelming majority of vulnerable systems had not applied it.
Microsoft's own president, Brad Smith, used the analogy that remains the most quoted description of what happened: the situation was the equivalent of the US military having some of its Tomahawk missiles stolen. Edward Snowden, more pointedly, argued that if the NSA had disclosed the vulnerability when it found it rather than when it lost control of it, the attack might never have happened.
Ransomware before 2017 was largely a manual business. Attackers sent phishing emails, waited for someone to click, then deployed encryption if access was obtained. Each infection was the downstream consequence of a human action.
WannaCry needed no human action at all. Using EternalBlue to exploit the SMBv1 vulnerability over TCP port 445, it scanned networks autonomously for other vulnerable machines, replicated itself without any user clicking anything, and moved from device to device across internal networks at a speed no human-dependent attack could match. A single unpatched device connected to a network was sufficient for the worm to reach every other unpatched device on that same network.
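The autonomous scanning described above leaves a recognizable trace in flow or firewall logs: one internal host opening connections to TCP/445 on many distinct peers in a short time. The following is an added example, not code from the article; it flags any source host that contacts ten or more distinct destinations on port 445 within a one-minute sliding window, run over a constructed log sample in an assumed five-field format (timestamp, source, destination, port, action).

```python
"""Detect WannaCry-style lateral scanning over TCP/445.
Added example with a constructed log format; not the article's own code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>".
# 10.20.1.15 sweeps ten neighbours in five seconds; 10.20.2.40 is normal SMB use.
SAMPLE_LOG = """\
2017-05-12T13:02:01 10.20.1.15 10.20.1.16 445 DENY
2017-05-12T13:02:01 10.20.1.15 10.20.1.17 445 DENY
2017-05-12T13:02:02 10.20.1.15 10.20.1.18 445 ALLOW
2017-05-12T13:02:02 10.20.1.15 10.20.1.19 445 DENY
2017-05-12T13:02:03 10.20.1.15 10.20.1.20 445 DENY
2017-05-12T13:02:03 10.20.1.15 10.20.1.21 445 DENY
2017-05-12T13:02:04 10.20.1.15 10.20.1.22 445 DENY
2017-05-12T13:02:04 10.20.1.15 10.20.1.23 445 DENY
2017-05-12T13:02:05 10.20.1.15 10.20.1.24 445 DENY
2017-05-12T13:02:05 10.20.1.15 10.20.1.25 445 DENY
2017-05-12T13:05:00 10.20.2.40 10.20.1.5 445 ALLOW
2017-05-12T13:05:30 10.20.2.40 10.20.1.5 445 ALLOW
2017-05-12T13:06:00 10.20.2.41 10.20.1.5 443 ALLOW
"""

def parse_line(line):
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action

def find_smb_scanners(log_text, window=timedelta(seconds=60), min_peers=10):
    """Return {src_ip: peak distinct 445 peers} for hosts that reached
    at least min_peers distinct destinations on port 445 inside any window.
    Denied attempts count too: a blocked sweep is still a sweep."""
    per_src = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _ = parse_line(line)
        if port == 445:
            per_src[src].append((ts, dst))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            peers = {dst for _, dst in events[start:end + 1]}
            if len(peers) >= min_peers:
                flagged[src] = max(flagged.get(src, 0), len(peers))
    return flagged

if __name__ == "__main__":
    print(find_smb_scanners(SAMPLE_LOG))  # {'10.20.1.15': 10}
```

The threshold and window are assumptions to tune against a site's normal SMB traffic; file servers legitimately talk to many clients, so the source side of the connection is what matters here.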
The ransom demand itself was almost absurdly modest: $300 in Bitcoin per machine, doubling after three days, with a threat to permanently delete encrypted files after a week. In reality, the payment infrastructure was so poorly designed that even victims who paid often did not receive their decryption keys. The attack generated comparatively little revenue, so the scale of destruction relative to the financial return was the first strong indicator to investigators that financial gain may not have been the primary motive.
The National Health Service was not specifically targeted. WannaCry's propagation was indiscriminate; it spread to whatever unpatched systems it could reach. The NHS was simply large, interconnected, and heavily reliant on Windows operating systems, including Windows XP installations that Microsoft had stopped supporting years earlier. The combination created exactly the exposure WannaCry was designed to exploit.
Over 600 NHS organizations were affected, including 34 hospital trusts directly infected and 46 others disrupted through preventative shutdowns or shared systems. Thousands of devices went offline, including computers, MRI scanners, and blood-storage refrigerators. The UK Department of Health was alerted at 1 pm on May 12, and by 4 pm, the scale was already national.
A peer-reviewed retrospective analysis published in Digital Medicine by researchers from Imperial College London found that directly infected hospital trusts experienced approximately 6% fewer total admissions per day during the WannaCry week compared to baseline, with 4% fewer emergency admissions and 9% fewer elective admissions. The total economic value of lost hospital activity reached £5.9 million, including £4 million in missed inpatient admissions, £1.3 million in canceled outpatient consultations, and £600,000 in lost accident and emergency activity. The same analysis found no statistically significant increase in mortality, a finding that the authors noted should not be interpreted as meaning there was no patient harm, only that the data available could not measure it at that scale.
The US government formally attributed WannaCry to North Korea's Lazarus Group in December 2017, a conclusion shared by the UK's National Cyber Security Centre. Symantec and Kaspersky had previously identified code overlaps with prior Lazarus malware, including tools used in the 2014 Sony Pictures hack and a 2016 Bangladesh central bank heist. The Lazarus Group, believed to be directed by North Korea's Reconnaissance General Bureau, had been conducting financially motivated attacks for years, focused on generating hard currency for a sanctions-constrained regime.
The attribution raised uncomfortable questions that the cybersecurity community had not fully confronted before WannaCry: a cyberweapon developed by the NSA had been stolen, leaked, and weaponized by a state actor within months. The patch that would have prevented most of the damage had been available for nearly two months before the attack, and the systems most catastrophically affected, hospitals, government agencies, and manufacturers, were running software so outdated that its vendor had already stopped supporting it. WannaCry did not exploit a zero-day vulnerability; it exploited institutional inertia.
According to IBM, Hutchins' discovery of the kill switch, a hardcoded domain that the malware checked before executing, almost certainly intended as an anti-sandbox analysis technique, temporarily slowed the outbreak. Three variants with distinct kill switches appeared over the following days, all eventually neutralized as security researchers across the globe registered the relevant domains, and a fourth variant then appeared with no kill switch at all.
At that point, most vulnerable systems had been patched or isolated, limiting the fourth variant's reach, but the original attack's lesson had been delivered: a worm with no kill switch, using the same EternalBlue exploit, on the same unpatched infrastructure, would have been permanently unstoppable by this method.
EternalBlue is still being used in attacks in 2025, eight years after WannaCry showed what happens when unpatched legacy Windows systems meet an autonomous worm. Threat intelligence reports from 2024 and early 2025 confirm that EternalBlue continues to appear in targeted operations against legacy Windows environments in healthcare and manufacturing. The organizations using those environments have not necessarily changed since 2017; the pressures that prevented patching then (operational continuity requirements, budget constraints, and the difficulty of updating systems that clinical workflows depend on) persist today.
According to Paubox's 2026 Healthcare Email Security Report, 41% of breached healthcare organizations in 2025 were classified as high risk based on their email configuration, up from 31% in 2024. The organizations still getting breached are consistently the ones whose foundational security controls, the same controls that WannaCry exposed as absent in 2017, remain incomplete. According to Paubox's 2025 Healthcare Email Security Report, ransomware attacks on healthcare have surged 264% since 2018, a figure that covers the eight years of escalation that WannaCry helped initiate.
The specific mechanics of modern ransomware have changed considerably since 2017. Today's dominant groups, Qilin and Interlock among them, use phishing email as their primary initial access vector rather than autonomous network propagation. Human judgment, specifically whether a clinical staff member clicks a malicious link or opens a malicious attachment, sits at the beginning of most healthcare ransomware chains. According to Paubox's Top 3 Healthcare Email Attacks in 2025 report, phishing-driven mailbox takeovers exposed 630,000 individuals in 2025, making them the most damaging email attack type by impact. Pre-delivery email filtering that removes malicious messages before they reach inboxes addresses that dependency on human judgment in the same way that patching addressed the EternalBlue vulnerability: by removing the exploitable condition before the attacker can use it.
Paubox Inbound Email Security uses AI to analyze sender behavior, message intent, and contextual signals to detect phishing and impersonation attempts that bypass signature-based filters, stopping delivery before clinical and administrative staff encounter the message. According to Paubox's 2026 Healthcare Email Security Report, attacks evading native email defenses rose 47% in 2025, the same category of gap that WannaCry exposed in legacy Windows patching: known defenses that were not sufficient against the current attack.
Most ransomware before 2017 required a user to take an action: click a link, open an attachment, and execute the initial infection. WannaCry used EternalBlue to propagate autonomously across networks via a Windows vulnerability, moving from machine to machine without any human interaction required. A single unpatched device connected to a network was sufficient for the worm to reach every other vulnerable device on that network.
Yes, Microsoft released patch MS17-010 on March 14, 2017, nearly two months before the May 12 attack. The EternalBlue vulnerability it addressed had been disclosed to Microsoft privately by the NSA after the Shadow Brokers leaked the exploit. The widespread damage WannaCry caused was not the result of an unavoidable zero-day; it was the result of organizations that had not applied an available fix.
Many NHS trusts were running Windows XP, a version Microsoft had stopped supporting in 2014, meaning those machines received no patches at all because Microsoft no longer issued updates for them. Others were running supported versions that had not been patched in time. The combination of unsupported legacy systems, deferred maintenance, and highly interconnected hospital networks created the conditions that WannaCry needed to spread rapidly through 600 organizations.
The US and UK governments formally attributed WannaCry to North Korea's Lazarus Group in December 2017. The attack generated surprisingly little ransom revenue given its scale, which led many analysts to conclude that financial gain was not the primary motive; the disruption itself may have been the objective, or the attack may have escaped the control of its operators. The underlying exploit, EternalBlue, came from the NSA, was stolen by the Shadow Brokers, and leaked publicly six weeks before the attack.
The original WannaCry worm is neutralized by the registered kill switch domain; however, EternalBlue, the exploit it used, continues to appear in active attacks against organizations running unpatched legacy Windows systems. Organizations that have not applied MS17-010, or that run Windows versions no longer receiving security updates, remain technically vulnerable to EternalBlue-based attacks, as newer WannaCry variants without the kill switch exist and can affect those systems.