A global ransomware cryptoworm that infected 230,000 computers in 150 countries using the NSA-developed EternalBlue exploit, devastating the UK NHS.
On May 12, 2017, the WannaCry ransomware cryptoworm launched a global attack that infected over 230,000 computers across 150 countries within the first day. The malware encrypted user files and demanded Bitcoin ransom payments of $300 to $600 per machine. WannaCry's most devastating impact was on the UK's National Health Service (NHS), where it disrupted operations at 80 hospital trusts, forced cancellation of 19,000 medical appointments, and diverted ambulances from affected emergency departments.
The attack was attributed to North Korea's Lazarus Group by the US, UK, and multiple other nations. It was halted when security researcher Marcus Hutchins (MalwareTech) discovered and registered a kill-switch domain embedded in the malware's code.
WannaCry exploited EternalBlue (CVE-2017-0144), a critical vulnerability in Microsoft's implementation of the SMBv1 protocol that enabled remote code execution on Windows systems. EternalBlue was developed by the NSA and leaked by the Shadow Brokers hacking group in April 2017, one month after Microsoft had released a patch (MS17-010). The worm component used EternalBlue to spread automatically across networks without user interaction, scanning for vulnerable systems on both local networks and the public internet.
The ransomware payload encrypted files using AES-128-CBC with a unique key per file, each key wrapped with RSA-2048 encryption. It targeted 176 file types including documents, images, and databases, appending the .WNCRY extension to every encrypted file. The kill switch was a hardcoded domain name that the malware queried before encrypting: if the domain resolved (that is, had been registered), the malware exited without encrypting files. This was likely an anti-sandbox technique that was repurposed as an emergency stop.
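The mass renaming to .WNCRY described above is the behaviour a defender can alert on. The following is an added example, not code from the original article: it runs a per-host sliding-window detector over a constructed file-system audit log (the line format, host names and paths are assumptions) and flags any host that renames at least five files to the .WNCRY extension within 60 seconds, while ignoring isolated renames such as a single quarantined sample.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (not real telemetry). Format assumed here:
#   "<ISO timestamp> <host> <op> <old path>[ -> <new path>]"
SAMPLE_EVENTS = [
    "2017-05-12T10:00:01 ws-17 WRITE C:/Users/a/notes.txt",
    "2017-05-12T10:00:02 ws-17 RENAME C:/Users/a/report.docx -> C:/Users/a/report.docx.WNCRY",
    "2017-05-12T10:00:03 ws-17 RENAME C:/Users/a/photo.jpg -> C:/Users/a/photo.jpg.WNCRY",
    "2017-05-12T10:00:05 ws-04 RENAME C:/Temp/draft.txt -> C:/Temp/draft.bak",
    "2017-05-12T10:00:07 ws-17 RENAME C:/Users/a/db.sqlite -> C:/Users/a/db.sqlite.WNCRY",
    "2017-05-12T10:00:09 ws-17 RENAME C:/Users/a/budget.xlsx -> C:/Users/a/budget.xlsx.WNCRY",
    "2017-05-12T10:00:12 ws-04 RENAME C:/Quarantine/x.doc -> C:/Quarantine/x.doc.WNCRY",
    "2017-05-12T10:00:14 ws-17 RENAME C:/Users/a/slides.pptx -> C:/Users/a/slides.pptx.WNCRY",
    "2017-05-12T10:11:30 ws-04 RENAME C:/Quarantine/y.doc -> C:/Quarantine/y.doc.WNCRY",
]


def parse_event(line):
    """Split one audit line into (timestamp, host, op, old_path, new_path or None)."""
    ts, host, op, rest = line.split(" ", 3)
    old, _, new = rest.partition(" -> ")
    return datetime.fromisoformat(ts), host, op, old, new or None


def detect_mass_rename(lines, ext=".WNCRY", threshold=5, window=timedelta(seconds=60)):
    """Return {host: time of first alert} for hosts that rename >= threshold
    files to `ext` within any `window`-long interval (sliding window per host)."""
    recent = defaultdict(deque)  # host -> timestamps of recent matching renames
    alerts = {}
    for line in lines:
        ts, host, op, _old, new = parse_event(line)
        if op != "RENAME" or new is None or not new.upper().endswith(ext.upper()):
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:  # drop renames older than the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = ts
    return alerts


if __name__ == "__main__":
    for host, when in detect_mass_rename(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: mass .WNCRY rename burst detected at {when.isoformat()}")
```

The extension, threshold and window are parameters, so the same detector covers other ransomware families that append a fixed extension; tune the threshold against normal rename rates on the hosts being monitored.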
WannaCry demonstrated the catastrophic consequences of delayed patching and the dangers of nation-state cyber tool proliferation. Damages were estimated at $4 to $8 billion globally. The attack forced organizations worldwide to reassess their patching programs, accelerated the retirement of Windows XP and other unsupported systems, and prompted significant investment in ransomware defenses. It remains the most widespread ransomware attack in history and a defining case study in cyber risk management.
Written by CDA Editorial