Aug 01 2023
WannaCry Ransomware Attack

WannaCry Ransomware Attack: What, Who, Why, When, & How to Stay Protected?


The May 12, 2017, WannaCry ransomware attack was one of the most devastating and globally widespread computer infections. The next WannaCry is prepared and about to occur in 2023, claims Kaspersky. The potential reason is that the biggest and most devastating cyber epidemics happen every six to seven years.

Here are some helpful tips to stay protected against WannaCry ransomware.

In today’s rapidly evolving digital landscape, cybersecurity has become a critical concern for individuals, businesses, and governments alike. As we increasingly rely on technology to manage our personal lives and professional activities, the potential risks posed by cyber threats have grown exponentially. This underscores the importance of robust cybersecurity measures for safeguarding valuable information and ensuring the smooth functioning of modern society. Amidst all this, WannaCry Ransomware is also a major threat.

WannaCry Ransomware is a type of malicious software (malware) that encrypts files on an infected computer or network and holds them hostage, until a ransom payment is made, usually in the form of cryptocurrency like Bitcoin. Once installed, ransomware can quickly spread throughout the victim’s system, rendering important data inaccessible to its users. The attackers then demand payment from the victim for the decryption keys necessary to unlock their files.

According to a Thales Group 2023 report, 48% of IT professionals reported an increase in ransomware attacks. The numbers are surprising, as 22% of organizations have experienced a ransomware attack in the last 12 months. In addition, 51% of enterprises do not have safety measures for a ransomware plan.

There are several different types of ransomware, each with its own unique characteristics and methods of attack.

Types of Ransomware

What is WannaCry Ransomware?

WannaCry is classified as “ransomware” that is creating havoc that infects computers running on Microsoft Windows operating systems.

The WannaCry ransomware attack made headlines in May 2017 when it caused widespread damage to computer systems across the globe. The attack affected over 300,000 computers and targeted businesses, hospitals, and government agencies in more than 150 countries.

WannaCry Ransomware Attack

WannaCry ransomware is a type of crypto-ransomware. Specifically, it uses the RSA-2048 encryption algorithm to encrypt data stored within the victim’s computer/network which can only be decrypted using a unique private key held by attackers.

Crypto-ransomware attacks like WannaCry have become increasingly common over recent years due to their high profitability as they target critical infrastructure/organizations with sensitive/confidential information often willing to pay up quickly rather than risk losing access permanently causing severe operational disruptions or reputational damage.

Once installed, ransomware can quickly spread throughout the victim’s system, rendering important data inaccessible to its users. The attackers then demand payment from the victim for decryption keys necessary to unlock their files.

Ransomware attacks can be initiated through various methods such as phishing emails containing malicious attachments/links or by exploiting vulnerabilities in outdated software applications/operating systems installed within target organizations’ IT infrastructure.

How does the WannaCry attack work?

Typically, WannaCry encrypts files on Microsoft Windows systems’ hard drives in order to prevent users from accessing them. To unlock the files, this malware in 2017 demanded a ransom payment in Bitcoin within three days. Let’s look at the operation of the WannaCry ransomware and how to spot the symptoms. How Does The WannaCry Attack Work?

Origin and Impact of WannaCry Ransomware Attack

It is unclear who the first victim of the WannaCry attack was, as the malware spread rapidly across computer systems worldwide. However, one of the earliest known and high-profile victims of the WannaCry ransomware was the National Health Service (NHS) in England in May 2017. The attack affected hospitals and other healthcare facilities across England, with many systems being forced to shut down temporarily due to data encryption caused by this malware.

The NHS was particularly vulnerable because it relied heavily on outdated software versions which were no longer supported by Microsoft and thus missed critical security updates/patches required for safeguarding against such attacks. This allowed WannaCry to quickly spread throughout their networks infecting thousands of computers within minutes.

WannaCry brought chaos as appointments had to be cancelled, surgeries rescheduled while patient records became inaccessible leaving health workers unable to access vital information needed for providing adequate care. Hospitals even turned away patients as they could not use electronic medical record-keeping systems slowing down operations considerably.

300,000+ computers Affected by WannaCry Ransomware Attack

It is estimated that over 70,000 devices connected within the NHS network were infected during the initial wave of attacks causing financial losses worth millions along with reputational damage among patients/staff/government bodies alike highlighting the importance of investing in cybersecurity measures including regular patching/updating/testing etc., while also having disaster recovery plans ready.

The Widespread Devastation of WannaCry Ransomware

What made WannaCry particularly devastating was its ability to exploit a vulnerability called EternalBlue found in Microsoft Windows operating systems. EternalBlue had been discovered by the US National Security Agency but leaked online by hackers before being patched by Microsoft. This allowed attackers to spread rapidly through networks and infect other vulnerable computers.

Despite attempts to stop the spread of WannaCry and decrypt affected files without paying the ransom, many organizations ultimately paid millions of dollars for their data’s safe return.

According to reports, victims paid over $143,000 in Bitcoin to regain access to their data during the height of the outbreak. However, this number could be higher since many victims may have opted not to report payment due to cybersecurity concerns or other factors.

WannaCry ransomware is malware that exploits vulnerabilities in outdated versions of Microsoft Windows operating systems to infect computers and encrypt files, holding them hostage until a ransom payment is made. Once installed on a victim’s computer, it can quickly spread throughout their network using the EternalBlue exploit which allows for rapid propagation across vulnerable devices.

This malware caused widespread damage by exploiting weaknesses present within IT infrastructure such as unpatched software applications/operating system vulnerabilities or lack of proper security measures including firewalls/antivirus/multi-factor authentication among others.

Overall, the combination of sophisticated encryption techniques with fast-spreading capabilities via EternalBlue vulnerability helped make WannaCry one of the most destructive cyber attacks in recent times leaving many companies struggling to recover from its impacts both financially & operationally while also raising concerns around cybersecurity readiness preparedness at the organizational level.

Intention and the execution of the WannaCry Ransomware

WannaCry ransomware intended to extort money from its victims through the encryption of their data, making them inaccessible unless they paid the ransom demanded. It used strong encryption algorithms such as AES and RSA to lock down critical files on an infected system which made recovery difficult without paying the huge sum demanded.

Once installed on a device or network, it would then scan for other devices with unpatched versions of Windows OS connected via SMB protocol, exploit vulnerabilities within those systems using EternalBlue exploit, and propagate itself onto those devices leading to widespread infection across organizations globally. In summary, WannaCry was designed as a tool for financial gain at scale through extortion of individuals or organizations who fell prey to its tactics.

Microsoft’s measures to get ‘Wannacry’ free

Microsoft released an emergency update in May 2017 that addressed the vulnerability exploited by EternalBlue, which was used by WannaCry attackers. EternalBlue is a critical software vulnerability that was discovered in Microsoft Windows operating systems in 2017. It allowed hackers to exploit network protocols and remotely execute malware on vulnerable computers, making it a favored tool for cybercriminals conducting ransomware attacks.

The WannaCry ransomware attack that affected over 300,000 computers globally is an example of the devastating impact caused by EternalBlue vulnerability exploitation. The company also issued patches for unsupported versions of Windows such as XP and Server 2003 after widespread criticism from various stakeholders citing it as one reason why so many organizations fell prey to this cyberattack.

The WannaCry ransomware attack included a “kill switch” which exploited an unregistered domain found within the code of the malware which acted as an off-switch preventing further encryption/propagation after it was activated by researchers leading to widespread damage control across affected organizations worldwide before any major harm could be caused.

Who invented WannaCry Ransomware?

The identity of the individuals or groups responsible for the WannaCry ransomware attack is still unknown. However, it is believed that the attackers were a hacking group affiliated with North Korea known as the Lazarus Group. The attribution was based on similarities between WannaCry and previous cyber attacks attributed to the Lazarus Group, although this has not been confirmed definitively.

How did WannaCry Ransomware affect different industries

What Industries Were Most Severely Impacted By WannaCry?

  • Healthcare

    In May 2017, the UK’s National Health Service (NHS) was one of the first organizations to be hit by WannaCry, which caused widespread disruptions to patient care services and led to cancelled appointments and delayed surgeries. Since then, healthcare organizations globally have been targeted with over 40 such attacks in just the past six months alone impacting operations severely.

  • Manufacturing

    Nissan Motor Company was among several Japanese firms affected by the WannaCry attack leading them to halt production for almost a day at their manufacturing plants worldwide.

  • Financial Services

    Russian banks were also among those affected by the outbreak that disrupted financial institutions’ IT infrastructure across several countries including Russia & Ukraine.

  • Government Agencies

    The UK government’s Department of Work and Pensions (DWP) also fell prey to this attack resulting in the temporary closure of its offices across multiple locations causing delays in benefits payments for millions of people relying on these funds.

These incidents highlight how dangerous ransomware like WannaCry can be, affecting businesses and individuals alike regardless of industry or region they operate from if not addressed proactively through robust security measures before any damage could occur.

How to tell whether you are at risk from WannaCry Ransomware or not?

Signs you are at risk of a WannaCry Ransomware Attack

  1. Inability to access files on your computer

    If you’re unable to open or access certain files on your computer, it could be a sign of a ransomware attack.

  2. A message demanding payment

    If you see a message pop up on your screen demanding payment in exchange for the return of your data, your system has likely been affected by ransomware.

  3. Unusual network activity

    Ransomware like WannaCry often spreads rapidly across networks, so if you notice unusual network activity (e.g., slow internet speeds), it could be an indication of infection.

  4. Disabled security software

    Ransomware typically attempts to disable antivirus and other security software installed on the victim’s system to avoid detection.

  5. Pop-up windows or ads appearing out of nowhere

    Some types of malware use pop-ups and ads as a way to spread further throughout the user’s system.

If you suspect that your device has been infected with WannaCry or any other type of malware, it is important to seek assistance from IT professionals immediately and disconnect from all networks until remediation steps have been completed.

What to do if you have been infected by a WannaCry Ransomware Attack?

If you believe that your device has been infected with WannaCry or any other type of malware, it is important to take immediate action. Here are some steps you can take:

  1. Disconnect from all networks

    This will help prevent the further spread of the malware and protect other devices on the network.

  2. Contact IT professionals

    Seek assistance from experienced cybersecurity experts who can assist in identifying and removing the malware from your system.

  3. Do not pay the ransom

    Paying attackers encourages them to continue their illegal activities and does not guarantee that they will provide decryption keys for affected files.

  4. Restore data from backups

    If possible, restore data from recent backups that have not been impacted by the attack instead of paying a ransom.

How to protect your system from WannaCry Ransomware?

As always said prevention is better than cure; here are some steps that one can take to protect against WannaCry ransomware:

What Are Ransomware Mitigation Strategies?

  1. Keep software up-to-date

    Regularly install updates and patches for operating systems, applications, antivirus software, and firewalls which contain fixes for known vulnerabilities exploited by cybercriminals like WannaCry.

  2. Backup regularly

    Maintain regular backups of critical data stored on your computer using secure cloud storage platforms or external hard drives disconnected when not required.

  3. Use Anti-Malware Software

    Consider installing reputable antivirus and anti-malware software along with intrusion detection tools capable enough in detecting such attacks before they cause widespread damage to systems & networks.

  4. Be cautious while opening emails & attachments

    Ransomware often spreads through phishing emails containing malicious links or attachments designed to trick users into clicking on them unknowingly leading to infection.

  5. Educate employees about good security hygiene

    Promote safe browsing habits within your organization by training employees in best practices for password management, avoiding suspicious downloads/emails/websites as well as promoting strong password policies across the user base.

  6. Disable SMBv1 protocol

    This is an outdated version of the Server Message Block (SMB) Protocol used for sharing files between computers which was exploited during the WannaCry attack; disabling this protocol can help prevent future infections from similar threats.

  7. Deploy firewalls / Intrusion Detection Systems (IDS)

    Firewalls/IDSs act as the first line of defence preventing unauthorized access attempts thereby reducing the chances of malware entry through open ports/services.

By taking these precautions, individuals and organizations can significantly reduce their risk of falling victim to a WannaCry ransomware attack or other types of malware threats.

Does WannaCry Still Exist?

WannaCry ransomware continues to exist even today, albeit in different forms, with new variations being discovered regularly. While continued efforts continue globally to combat its spread through regular patching/updating along with awareness campaigns aimed at promoting good security hygiene among users across all sectors, including private businesses & government agencies alike.

While the initial wave of WannaCry attacks has subsided, there is still a risk of infection for organizations and individuals who have not taken appropriate security measures. As long as vulnerable systems remain unpatched or unprotected against new variants of the malware, there will be a potential threat of another outbreak.


The WannaCry ransomware attack was a stark reminder of the importance of cybersecurity and how critical it is to keep systems updated and secure. The widespread damage caused by this malware highlights the need for organizations to adopt robust security measures such as regular patching/updating/testing while also having disaster recovery plans ready in case of future attacks.

Cybercriminals continue to evolve their tactics & techniques, but so do defenders, who are constantly working towards improving defences against such threats. It’s only through awareness, education, collaboration, & investment in the right technology/solutions/infrastructure that we can hope to stay ahead in this never-ending battle against cybercrime. This blog is a great source towards achieving these objectives by providing valuable insights into how one could stay protected against such threats, thereby contributing positively towards overall digital safety & resilience.

About the Author

Pratik Jogi

Pratik Jogi is a cybersecurity visionary with an Electronics & Communications Engineering degree. He holds esteemed certifications like Microsoft MCSE and MVP. With over two decades dedicated to defending the digital frontier, his expertise in Server, Network, and Cyber Security reflects a genuine commitment to secure digital landscapes against emerging threats.