WannaCry: The Ransomware Attack That Shut Down Hospitals
It was 3 PM on a Friday.
A doctor at an NHS hospital in the UK tries to check his email. Instead, one of the PCs in the room reboots into a scary red screen demanding $300 in Bitcoin [23].
The date is May 12, 2017, and pretty soon, almost every computer across the hospital system is going down. Staff begin scrambling to find pens and pencils, ambulances are getting diverted, and appointments are canceled without warning [23].
The hospital - full of sick patients and emergency situations - is now running on paper.
But this isn’t just one hospital. By the end of the weekend, a third of England’s NHS hospital organizations are affected - at least 81 out of 236 - plus 595 GP practices, with around 19,000 appointments cancelled [2].
But it gets worse. It isn’t just the NHS. It isn’t even just the United Kingdom.
Telefonica in Spain. FedEx in the United States. Renault in France, shutting assembly lines. Railway departure boards in Germany flicker with the telltale red screen. Russian banks and railways. By the time Europol counted that weekend, the ransomware had hit more than 200,000 victims in at least 150 countries [3]. Europol calls the attack “unprecedented” [3].
The culprit is malware, and it has a name, at least, now it does: WannaCry.
So, let’s talk about who’s to blame, what could have been done to prevent it, and most interestingly, how this virus actually worked.
Stay with me. Because WannaCry isn’t just a story about a piece of malicious code. It’s a story about leaked government cyberweapons, a patch that everyone ignored, an industry built on legacy systems that can’t be turned off, and a young man who accidentally became the most important sysadmin in the world for about 48 hours.
But to understand this hack, you first need to understand what ransomware actually is.
Ransomware is a piece of malicious software that, once it is running on your machine with access to the file system, encrypts the things you care about: your documents, your photos, your databases, maybe all of it. Encryption on its own sounds harmless enough. The problem is that it encrypts everything with a key that only the attacker holds.
Then it pops up a ransom note demanding payment, usually in cryptocurrency, in exchange for getting your files back. To be on the receiving side of a ransomware attack is terrifying enough; but the stakes get even higher when those files are essential to treating and saving the lives of hospital patients.
In the case of WannaCry, it demanded you pay $300 in Bitcoin within three days. If you don’t, the ransom doubles. Wait seven days, and you lose your files forever [1].
Ransomware exploded in the 2010s, possibly due in part to the invention of Bitcoin [4]. Cash is hard to extort. Wire transfers leave a paper trail. But a pseudonymous, borderless, irreversible cryptocurrency is a payment rail that lends itself perfectly to “your business is down until you send us money.”
In 2017, most ransomware spread the boring way: through phishing [5]. Some employee clicks a sketchy link or opens an email attachment, the program runs, and it’s game over for that one machine.
WannaCry was different.
WannaCry didn’t need anyone to click anything. It scanned for reachable machines on TCP port 445 and exploited a vulnerability in SMBv1, the first version of Server Message Block: the protocol Windows machines use to share files and printers across a local network [6].
SMB is exactly the kind of boring corporate plumbing users never think about. The kind of thing that exists in the background of every office building, hospital, and government agency, doing the unglamorous work of letting Greg from accounting print his quarterly report on the third-floor copier. Which is also why it’s the perfect place to exploit.
Once one machine inside a hospital was infected, every other vulnerable Windows machine on the same network was living on borrowed time. The worm self-propagated. Hospitals didn’t get hit one workstation at a time. They got hit by a chain reaction. One vulnerable machine gets infected, the malware sees the network, the malware sees three hundred other devices, and minutes later the building is down.
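A defender’s first question after reading the above is the one the NAO later asked about the NHS: which of my hosts still speak SMBv1 on port 445, and is anyone actually checking? The following is an added example, not code from this article or from any tool it mentions. It sends a minimal SMBv1 negotiate request that offers only the old “NT LM 0.12” dialect, so the only way a host can answer in SMBv1 framing is if SMBv1 is still enabled. The two sample replies at the bottom are constructed by hand for offline testing, not captures. Run it only against hosts you are authorized to scan.

```python
import socket
import struct
import sys

# Added example for this article, not code from the original post or from any
# tool it mentions. Sample replies below are constructed, not captured.
SMB1_MAGIC = b"\xffSMB"          # SMBv1 header starts 0xFF 'S' 'M' 'B'; SMB2 starts 0xFE
SMB_COM_NEGOTIATE = 0x72
NO_DIALECT = 0xFFFF              # the server's way of saying "none of those"


def build_smb1_negotiate(dialects=(b"NT LM 0.12",), mid=1):
    """NetBIOS-framed SMB_COM_NEGOTIATE offering only SMBv1 dialects.

    Because no "SMB 2.???" dialect is offered, a server can only answer this
    with an SMBv1 header, so any such answer proves SMBv1 is still enabled.
    """
    header = struct.pack(
        "<4sBIBHH8sHHHHH",
        SMB1_MAGIC,         # protocol id
        SMB_COM_NEGOTIATE,  # command
        0,                  # NT status
        0x18,               # flags: canonical pathnames, case-insensitive
        0xC801,             # flags2: unicode, NT status, ext. security, long names
        0,                  # PIDHigh
        b"\x00" * 8,        # security signature (unused here)
        0,                  # reserved
        0,                  # TID
        0xFEFF,             # PIDLow
        0,                  # UID
        mid,                # MID
    )
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)   # each dialect: 0x02 + name + NUL
    smb = header + struct.pack("<BH", 0, len(body)) + body     # WordCount=0, ByteCount
    return b"\x00" + len(smb).to_bytes(3, "big") + smb         # NetBIOS session message


def parse_smb1_negotiate_response(data):
    """Classify a raw reply as (speaks_smb1, dialect_index).

    (True, 0)        -> host negotiated our first (SMBv1) dialect
    (False, 0xFFFF)  -> host answered in SMBv1 framing but refused the dialect
    (False, None)    -> not an SMBv1 negotiate reply (SMB2 header, garbage, too short)
    """
    smb = data[4:]                                # drop the 4-byte NetBIOS header
    if len(smb) < 35 or smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return (False, None)
    word_count = smb[32]
    if word_count == 0:
        return (False, None)
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    return (dialect_index != NO_DIALECT, dialect_index)


def probe_smb1(host, port=445, timeout=3.0):
    """Send the negotiate to host:port and return one of three verdicts.

    "smb1-enabled" is the WannaCry-relevant finding; "no-smb1-reply" (reset or
    timeout) is what a host with SMBv1 removed typically produces.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            reply = sock.recv(1024)
    except OSError:
        return "no-smb1-reply"
    speaks, index = parse_smb1_negotiate_response(reply)
    if speaks:
        return "smb1-enabled"
    return "smb1-refused" if index == NO_DIALECT else "no-smb1-reply"


# Constructed sample replies (not captures) so the parser can be exercised offline.
_HDR = b"\xffSMBr" + b"\x00" * 4 + b"\x98" + b"\x01\xc8" + b"\x00" * 20   # 32-byte SMBv1 header
SAMPLE_SMB1_REPLY = b"\x00\x00\x00\x45" + _HDR + b"\x11" + b"\x00\x00" + b"\x00" * 32 + b"\x00\x00"
SAMPLE_REFUSED_REPLY = b"\x00\x00\x00\x25" + _HDR + b"\x01" + b"\xff\xff" + b"\x00\x00"

if __name__ == "__main__":
    for target in sys.argv[1:]:                 # only scan hosts you are authorized to test
        print(target, probe_smb1(target))
```

This finds the exposure, not the patch level: a host that answers SMBv1 may still have MS17-010 installed, but SMBv1 has no business being reachable either way, and on supported Windows it can be switched off with Set-SmbServerConfiguration -EnableSMB1Protocol $false. A host with SMBv1 removed usually resets the connection instead of answering, which the probe reports as no-smb1-reply.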
You might be thinking, “Wow, these hackers are geniuses.” They must have come up with some new technique that changed ransomware forever.
But the thing is, they didn’t even build it.
According to Microsoft, the exploit WannaCry used had been stolen from the NSA [7].
An elite offensive cyber unit widely linked to the NSA - known as the Equation Group - had reportedly built or held an exploit for a serious vulnerability in Windows SMB. Internally, it had a code name.
EternalBlue.
It was useful exactly because it was secret. EternalBlue let an attacker execute code remotely on unpatched Windows machines with SMBv1 exposed, with no user interaction, just by sending crafted packets to port 445 [8]. An intelligence agency doesn’t see that as a vulnerability to report; it sees a skeleton key to keep.
In August 2016, a group calling itself the Shadow Brokers showed up on the internet, claiming to have stolen a trove of NSA hacking tools. To this day, nobody knows their real identities [9]. Maybe a rogue insider walked the tools out, or perhaps a foreign intelligence service broke into a server the NSA’s operators used. Edward Snowden - the former NSA contractor famous for leaking information to the public about US government surveillance - hinted at Russian responsibility [10]. But the U.S. government has never confirmed any of it, and we don’t know for sure.
So, fast-forward to April 14, 2017, the Shadow Brokers dump a fresh load of exploits onto the internet, with names like ETERNALROMANCE, ETERNALCHAMPION, FUZZBUNCH, DOUBLEPULSAR - and the one and only EternalBlue [9].
Less than a month later, someone had welded EternalBlue onto a piece of ransomware, creating WannaCry.
So here’s the obvious question. If the exploit was leaked publicly in April, surely Microsoft scrambled to patch it. Surely the world had a month to update their systems before the worm hit.
Yes and no.
Microsoft had actually shipped a fix a month before the leak. On March 14, 2017, they released security bulletin MS17-010, which closed the SMB vulnerability that EternalBlue depended on [8]. By the time the public dump landed in April, the door was already supposed to be closed.
So why, on May 12, did WannaCry still tear through hundreds of thousands of computers?
Because frankly, enterprise patching is a nightmare.
A hospital doesn’t just run “Windows.” Broadly speaking, hospitals run connected medical devices, hospital networks, vendor-managed systems, and clinical workflows where cybersecurity risk can become patient-safety risk [24]. The point isn’t that this exact hospital had this exact machine in this exact state. It’s that things like MRI machines and infusion pumps are not laptops you can casually reboot in the middle of a workday.
“Move fast and break things” may be the Silicon Valley mantra for web development, but it’s a bad idea for mission-critical firmware.
So for big enterprises like hospitals, it’s not as easy as just clicking “update.” If you aren’t careful, things break. Updates tend to be manual.
In the NHS specifically: a huge number of machines were running supported-but-unpatched Windows 7. Some were even running Windows XP - which Microsoft had stopped supporting in 2014. NHS Digital had actually issued patching alerts in March and April of 2017, but, as the National Audit Office later noted, before the attack happened the Department had no formal mechanism for checking whether anyone had actually applied them [2].
Spoiler: a lot of them hadn’t.
So WannaCry hit, and Microsoft did something very out of the ordinary. That same weekend, mid-attack, they emergency-released patches for versions they no longer supported, including Windows XP, Windows 8, and Windows Server 2003, to help stop the bleeding [6].
But the worm was spreading too fast. Every infected machine was scanning their networks for more vulnerable machines, and every successful infection became a new launchpad.
Enter the guy in his bedroom who was about to save countless files, dollars, and maybe even lives through his fix.
Saturday morning, May 13. In Ilfracombe, a seaside town on the north coast of Devon, a 22-year-old security researcher named Marcus Hutchins - better known online as MalwareTech - wakes up, sees the news, and before long has a sample of WannaCry sitting in his inbox [11].
This is, by his own description, basically what he does on weekends. He tracks botnets and reverse-engineers malware from his bedroom, meaning he actually wants to download malware samples on his quarantined system, because he reverse-engineers them for fun [23].
So, he runs the sample he’s given in a sandbox and watches what it does.
And he notices something odd.
Before WannaCry encrypts a single file, it tries to phone home - to a long, gibberish-looking domain name: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com [6]. Hutchins checks the domain… and strangely enough, it’s not even registered, let alone pointing to a specific IP address.
So he registers it.
It cost him ten dollars and sixty-nine cents [11].
With that ten bucks, he had unknowingly just turned the entire worm off.
Globally.
Now, the infections didn’t undo. Anything already encrypted stayed encrypted. But every new copy of WannaCry, on every new machine, started by checking that domain, and now that the domain resolved and answered, the malware shut itself down before encrypting anything. One important caveat: the check was a direct HTTP request that ignored the system’s proxy settings, so machines that could only reach the internet through a proxy never saw the domain answer and were encrypted anyway.
It took hours, and other researchers double-checking his work, before it was clear what had happened [11]. Hutchins later said he didn’t even realize what he had done at first; one of his colleagues had to dig through the code and confirm that yes, the random domain he bought was literally the kill switch [12]. He spent the rest of the weekend with friends and colleagues taking shifts running the sinkhole - at one point, he says, a foreign government seized one of his servers thinking he was the WannaCry command-and-control [12].
And the relevant code path was almost comically simple. At a high level, it behaves like this. The payload calls are stubs, but the check is the one CISA documents [6]: try to open the big nasty domain over a direct WinINet connection; if the open succeeds, bail out; otherwise, start encrypting and spreading.
HINTERNET net = InternetOpenA(NULL, INTERNET_OPEN_TYPE_DIRECT, NULL, NULL, 0);  /* direct: ignores any proxy settings */
HINTERNET url = InternetOpenUrlA(net, "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com", NULL, 0, INTERNET_FLAG_RELOAD, 0);
if (url != NULL) {            /* any successful open, not a particular reply body, aborts */
    InternetCloseHandle(url);
    InternetCloseHandle(net);
    exit_process();           /* stub: the real sample simply returns without running the payload */
}
encrypt_files();              /* stub */
spread_to_other_machines();   /* stub */
So, why would the criminals build a kill switch into their own ransomware? Are they just dumb?
Well, kinda. I mean it did make it trivial to stop the attack.
But it’s because the domain wasn’t intended to be used as a kill switch. It was an anti-sandbox check that backfired [6]. See, a lot of malware analysis tools simulate “the internet” by responding successfully to a lookup on any domain. By having the worm bail out if some random nonsense URL is resolved, the authors hoped to detect when they were running inside a researcher’s sandbox, and abort. This would, in theory, make the malware harder to detect and reverse engineer.
The criminals, to put it gently, did not anticipate that some kid in Devon would just buy the domain.
This was not a coordinated government defense response. There was no cyber command war room saving the day. It was a particularly clever researcher with ten dollars. And his ten dollars may have prevented far more damage.
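Two signals from the story above are cheap to look for in logs, whether or not a kill switch ever exists: a host asking DNS for the kill-switch name (the name gets resolved before the HTTP request, even on networks where a proxy would have blocked the request itself), and a host suddenly opening TCP/445 to dozens of neighbours in under a minute, which is what the worm’s scanning looks like from a firewall. The following is an added example, not the article’s code or any vendor’s detection rule. The log line formats and the sample entries are constructed for this example, and the threshold of 20 distinct targets per minute is an assumed starting point to tune per environment; the second domain in the list is the one a later WannaCry variant used.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not code from the article. Log formats and samples are constructed.
# Names WannaCry tried to reach before running its payload: the original sample's
# kill switch and the one a later variant used. A query for either from an
# internal host is a high-confidence sign the worm executed there.
KILL_SWITCH_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_killswitch_lookups(dns_lines):
    """Map client IP -> [(timestamp, domain)] for lookups of a kill-switch name.

    Constructed line format: "<iso-time> <client-ip> query <rrtype> <name>".
    The name is normalised (case, trailing dot, leading "www.") before matching,
    because the sample asked for the www. host under the domain.
    """
    hits = defaultdict(list)
    for line in dns_lines:
        parts = line.split()
        if len(parts) != 5 or parts[2] != "query":
            continue
        name = parts[4].rstrip(".").lower()
        if name.startswith("www."):
            name = name[4:]
        if name in KILL_SWITCH_DOMAINS:
            hits[parts[1]].append((parts[0], name))
    return dict(hits)


def find_smb_fanout(conn_lines, threshold=20, window=timedelta(seconds=60)):
    """Map source IP -> peak number of distinct TCP/445 targets within `window`.

    Only sources whose peak reaches `threshold` are returned. Constructed line
    format: "<iso-time> <src-ip> <dst-ip> <dst-port> SYN". A workstation talks
    to a handful of file servers; dozens of fresh 445 targets a minute is a
    scanning worm, whatever its name.
    """
    by_src = defaultdict(list)
    for line in conn_lines:
        parts = line.split()
        if len(parts) != 5 or parts[3] != "445":
            continue
        by_src[parts[1]].append((_ts(parts[0]), parts[2]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide the window start forward
                start += 1
            peak = max(peak, len({dst for _, dst in events[start:end + 1]}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


# Constructed sample logs (not a capture): 10.0.3.17 looks up the kill switch, then
# sweeps 25 neighbours on 445 within about a dozen seconds; 10.0.3.5 only ever
# talks to one file server.
SAMPLE_DNS = [
    "2017-05-12T13:37:05Z 10.0.3.17 query A www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.",
    "2017-05-12T13:37:06Z 10.0.3.5 query A fileserver.hospital.example",
    "2017-05-12T13:38:41Z 10.0.3.22 query A ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
]
SAMPLE_CONN = [
    f"2017-05-12T13:37:{6 + i // 2:02d}Z 10.0.3.17 10.0.3.{100 + i} 445 SYN" for i in range(25)
] + [
    "2017-05-12T13:37:10Z 10.0.3.5 10.0.3.200 445 SYN",
    "2017-05-12T13:40:10Z 10.0.3.5 10.0.3.200 445 SYN",
]

if __name__ == "__main__":
    print("kill-switch lookups:", find_killswitch_lookups(SAMPLE_DNS))
    print("445 fan-out:", find_smb_fanout(SAMPLE_CONN))
```

A kill-switch lookup means the host ran the worm, so it needs isolating and patching even if the sinkhole stopped the encryption; the fan-out check has no dependency on any domain at all, which is the point, since the next worm will not be so accommodating.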
So we know who saved the day, and how. But now how do we make sure this doesn’t happen again?
That’s the question Brad Smith - Microsoft’s president - tried to answer in a now-famous blog post two days after the attack [7].
His argument was blunt. If governments are going to stockpile vulnerabilities in commercial software for offensive operations, then sooner or later those stockpiles are going to leak. And when they leak, civilians are the ones who pay.
He compared it to the U.S. military having a handful of its Tomahawk missiles stolen [7].
Smith called for a “Digital Geneva Convention” - an agreement that governments would report vulnerabilities to vendors instead of hoarding them [7].
But has anything actually changed since 2017?
Well, not really.
Governments still stockpile vulnerabilities. Stockpiles still leak. About six weeks later, NotPetya, the destructive 2017 attack initially aimed at Ukraine and later attributed by the White House to the Russian military, spread worldwide using EternalBlue alongside stolen credentials and caused billions of dollars in damage across Europe, Asia, and the Americas [13]. Same basic lesson. Same kind of Windows enterprise blast radius. Different malware.
Then in August 2018, more than a year after WannaCry, a variant of the same ransomware crawled into the chip-fabrication facilities of TSMC, the world’s largest semiconductor foundry, and forced multiple production lines offline [14]. A piece of 2017 malware was still tearing through Windows machines inside the most advanced chip plants on Earth.
But what about the criminals who actually built WannaCry? Whatever happened to them?
In December 2017, the United States, the United Kingdom, Australia, Canada, New Zealand, Japan, and Denmark publicly attributed WannaCry to North Korea’s Lazarus Group [15]. In a criminal complaint unsealed in September 2018, U.S. authorities named one alleged operator - Park Jin Hyok - as part of a Reconnaissance General Bureau conspiracy that private researchers track as Lazarus Group and APT38 [16]. A February 2021 indictment added two more alleged North Korean hackers - Jon Chang Hyok and Kim Il - as participants in the same RGB-linked conspiracy [17].
So, how much money did they actually make from WannaCry? Turns out, only about $143,000 in Bitcoin [18].
Which isn’t a whole lot, for a piece of malware that infected hundreds of thousands of machines [15], crippled hospitals, and disrupted train departure boards.
Their payday was a pittance for two reasons. One: the kill switch nuked the campaign before most victims even had time to pay. Two: the payment side was badly built. The sample shipped with just three hard-coded Bitcoin addresses and nothing in a payment to tie it to a particular victim, so the operators had no reliable way to tell who had paid, and officials warned that paying the ransom did not guarantee files would be released [6].
Effectively, WannaCry, the most famous ransomware attack in history, was a financial flop. The criminals barely cleared six figures.
It looks, on the surface, like a story with a happy ending. A researcher unwittingly saves the world, the attackers barely profit, and world governments eventually attribute the attack and name alleged operators.
But unfortunately, things do get darker from here.
Because ransomware as an industry, after WannaCry, did not disappear. It exploded in growth.
By 2023, ransomware payments crossed one billion dollars in cryptocurrency for the first time, according to Chainalysis [19]. The model became industrial.
Depressingly, “Ransomware-as-a-service” is a thing now. Complete with affiliate programs, initial access brokers, and off-the-shelf tools that make it easier for less technical criminals to launch attacks [19].
LockBit alone provided ransomware-as-a-service to a global network of affiliates, and the U.K.’s National Crime Agency says more than 7,000 attacks were built using its services between June 2022 and February 2024 [20].
Hospitals are still getting hit. Pipelines are still getting hit. City governments are still getting hit. And the most uncomfortable thing about all of these stories is that they all rhyme with the same institutional weakness WannaCry exposed in 2017.
Old systems that nobody can afford to turn off.
In May 2019, the city of Baltimore was infected with ransomware called RobbinHood [21]. The New York Times initially reported that EternalBlue had been used in the spread, which would have been a poetic horror - a literal NSA exploit, two years after WannaCry, still circulating, taking down a major American city. Subsequent forensic analysis disputed that claim: malware analyst Joe Stewart told KrebsOnSecurity the RobbinHood binary had no EternalBlue exploit code and no means of spreading across networks on its own [21]. But the underlying point remains: even years later, EternalBlue was still the kind of old, patched vulnerability defenders had to worry about.
Six years after WannaCry, in October 2023, the British Library - the national library of the United Kingdom - was hit by a ransomware group called Rhysida. The Library later described it as a deeply damaging criminal attack that caused a loss of control of some personal data [22].
The disruption knocked major services offline for months. The Library’s own incident review pointed at the usual story: historic reliance on complex legacy infrastructure, uneven security controls, and a slow path back to full recovery [22].
So no. The vulnerability of major institutions to determined criminal crews has not been meaningfully fixed since 2017. Cyber extortion has only gotten more lucrative, more professional, and more frequent.
WannaCry was, in some sense, a perfect storm. A leaked government cyberweapon. A patched but underdeployed Windows vulnerability. Decades of legacy enterprise infrastructure no one wants to touch.
We all hear so often about how tech is changing so fast, everything is going to be automated, software is a solved problem. And yet, a massive chunk of the world’s tech infrastructure is actually unbelievably old and decrepit. Don’t underestimate how slow large enterprises and government organizations can be to change.
The most unsettling thing of the aftermath to me is that our best practices didn’t save us.
An accident did.
Marcus Hutchins didn’t have a contract with the U.K. government. He had a sandbox, a hunch, and a few dollars to spend on a domain. Our last line of defense between a global cyberattack escalating into Monday morning, when people would turn their work computers back on, and that attack stalling out over the weekend, was one researcher noticing one weird domain in one network request.
If anything, the outlook has gotten more complicated since. There are more connected medical devices, more internet-dependent industrial systems, more legacy software, and more attackers working with better tools in a more mature criminal economy [24].
Many major institutions still have some version of the WannaCry problem sitting somewhere inside them. A patched vulnerability whose fix never got deployed. A vendor-managed system that’s hard to update. A critical piece of software written by a disgruntled COBOL engineer who quit back in 2019.
We can hope that next time, a researcher catches it as fast as Hutchins did.
Or, here’s an idea: we can care about security a bit more. We can stop running production code on operating systems that lost vendor support during the Obama administration. Let’s assume the next leaked NSA exploit is already in the hands of a criminal affiliate program writing better malware than the last one.
But at the same time, it’s true that our cybersecurity practices and tools are improving. Automated scanning has also made exposure less an “if” than a “when”: if a service is reachable and unpatched, someone will find it. There’s plenty of hope; we just need to take software quality and security a little more seriously in the developer community.
Bibliography
- [1] Damien Gayle et al., “NHS seeks to recover from global cyber-attack as security concerns resurface.” The Guardian, May 13, 2017. https://www.theguardian.com/society/2017/may/12/hospitals-across-england-hit-by-large-scale-cyber-attack
- [2] National Audit Office, “Investigation: WannaCry cyber attack and the NHS.” October 2017. https://www.nao.org.uk/reports/investigation-wannacry-cyber-attack-and-the-nhs/
- [3] BBC News, “Cyber-attack: Europol says it was unprecedented in scale.” May 13, 2017. https://www.bbc.com/news/world-europe-39907965
- [4] Greg Myre, “How Bitcoin Has Fueled Ransomware Attacks.” NPR, June 10, 2021. https://www.npr.org/2021/06/10/1004874311/how-bitcoin-has-fueled-ransomware-attacks
- [5] Malwarebytes, “What is Ransomware?” Malwarebytes Cybersecurity Resource Center. Accessed April 28, 2026. https://www.malwarebytes.com/ransomware
- [6] Cybersecurity and Infrastructure Security Agency, “Indicators Associated With WannaCry Ransomware.” Alert TA17-132A, last revised June 7, 2018. https://www.cisa.gov/news-events/alerts/2017/05/12/indicators-associated-wannacry-ransomware
- [7] Brad Smith, “The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack.” Microsoft On the Issues, May 14, 2017. https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/
- [8] Microsoft, “Microsoft Security Bulletin MS17-010 - Critical.” March 14, 2017. https://learn.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010
- [9] Andy Greenberg, “Major Leak Suggests NSA Was Deep in Middle East Banking System.” WIRED, April 14, 2017. https://www.wired.com/2017/04/major-leak-suggests-nsa-deep-middle-east-banking-system/
- [10] Camila Domonoske, “‘Shadow Brokers’ Claim To Have Hacked The NSA’s Hackers.” NPR, August 17, 2016. https://www.npr.org/sections/thetwo-way/2016/08/17/490329015/shadow-brokers-claim-to-have-hacked-the-nsas-hackers
- [11] Nadia Khomami and Olivia Solon, “‘Accidental hero’ halts ransomware attack and warns: this is not over.” The Guardian, May 13, 2017. https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack
- [12] Dan Raywood, “In Conversation with Marcus Hutchins - WannaCry, Coding, AI and the Future.” SC Media UK, April 19, 2024. https://insight.scmagazineuk.com/in-conversation-with-marcus-hutchins-wannacry-coding-ai-and-the-future
- [13] The White House, “Statement from the Press Secretary.” February 15, 2018. https://trumpwhitehouse.archives.gov/briefings-statements/statement-press-secretary-25/
- [14] Agence France-Presse, “Chip giant TSMC says WannaCry behind production halt.” SecurityWeek, August 6, 2018. https://www.securityweek.com/chip-giant-tsmc-says-wannacry-behind-production-halt/
- [15] National Cyber Security Centre, “UK supports US charges against North Korean cyber actors.” February 17, 2021. https://www.ncsc.gov.uk/news/uk-supports-us-charges-against-north-korean-cyber-actors
- [16] Federal Bureau of Investigation, “Park Jin Hyok.” FBI Most Wanted. https://www.fbi.gov/wanted/cyber/park-jin-hyok
- [17] Federal Bureau of Investigation, “Jon Chang Hyok” and “Kim Il.” FBI Most Wanted. https://www.fbi.gov/wanted/cyber/jon-chang-hyok and https://www.fbi.gov/wanted/cyber/kim-il
- [18] Ryan Browne, “Hackers have cashed out on $143,000 of bitcoin from the massive WannaCry ransomware attack.” CNBC, August 3, 2017. https://www.cnbc.com/2017/08/03/hackers-have-cashed-out-on-143000-of-bitcoin-from-the-massive-wannacry-ransomware-attack.html
- [19] Chainalysis Team, “Ransomware Payments Exceed $1 Billion in 2023, Hitting Record High After 2022 Decline.” Chainalysis, February 7, 2024. https://www.chainalysis.com/blog/ransomware-2024/
- [20] National Crime Agency, “LockBit leader unmasked and sanctioned.” May 7, 2024. https://www.nationalcrimeagency.gov.uk/news/lockbit-leader-unmasked-and-sanctioned
- [21] Brian Krebs, “Report: No ‘Eternal Blue’ Exploit Found in Baltimore City Ransomware.” Krebs on Security, June 3, 2019. https://krebsonsecurity.com/2019/06/report-no-eternal-blue-exploit-found-in-baltimore-city-ransomware/
- [22] Sir Roly Keating, “Learning lessons from the cyber-attack.” British Library, March 8, 2024. https://blogs.bl.uk/living-knowledge/2024/03/learning-lessons-from-the-cyber-attack.html
- [23] Andy Greenberg, “The Confessions of Marcus Hutchins, the Hacker Who Saved the Internet.” WIRED, May 12, 2020. https://www.wired.com/story/confessions-marcus-hutchins-hacker-who-saved-the-internet/
- [24] U.S. Food and Drug Administration, “Cybersecurity.” FDA Digital Health Center of Excellence. Accessed April 28, 2026. https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity