// overview
What happened
On April 14, 2017, a hacker collective called the Shadow Brokers leaked a cache of NSA cyber weapons including EternalBlue, a reliable remote-code-execution exploit against Microsoft's SMBv1 protocol. Microsoft had silently patched the vulnerability the previous month after a private tip from the NSA (MS17-010), but hundreds of millions of unpatched systems remained exposed.
On May 12, 2017, the WannaCry worm combined EternalBlue with a file-encrypting ransomware payload demanding $300 in Bitcoin. Unlike traditional ransomware, it propagated automatically over SMB, infecting every vulnerable machine on every reachable network without human action.
Within hours the UK National Health Service was crippled: a third of NHS trusts in England were affected, ambulances were diverted, 19,000 appointments cancelled. Telefónica in Spain, Deutsche Bahn in Germany, FedEx in the US, the Russian Interior Ministry, and Renault and Nissan factories all halted operations.
British security researcher Marcus Hutchins (@MalwareTechBlog) reverse-engineered a sample and noticed it queried an unregistered domain before activating. He registered the domain for £10.69 as a research sinkhole — and accidentally triggered the worm's built-in kill switch, halting global propagation. The US, UK, and Australia later attributed WannaCry to North Korea's Lazarus Group.
// timeline
How it unfolded
Mar 14, 2017
Microsoft releases MS17-010 patching EternalBlue (CVE-2017-0144).
Apr 14, 2017
Shadow Brokers leak EternalBlue and other NSA exploits publicly.
May 12, 2017 — 07:44 UTC
First WannaCry infections begin propagating in Asia.
May 12, 2017 — afternoon
UK NHS hospitals divert ambulances; surgeries cancelled.
May 12, 2017 — evening
Marcus Hutchins registers kill-switch domain, halting worm spread.
Dec 19, 2017
US, UK, Australia formally attribute attack to North Korea.
// damage
Impact and scale
WannaCry showed what happens when a nation-state cyber weapon escapes into criminal hands and gets bolted onto worm propagation. UK hospitals diverted patients. Renault and Nissan halted production. Deutsche Bahn departure boards went dark. A 22-year-old British researcher accidentally killed the worm by registering a kill-switch domain it queried.
// affected
Who was hit
- UK National Health Service — ~1/3 of English trusts disrupted, 19,000 appointments cancelled
- Telefónica (Spain), Deutsche Bahn (Germany), LATAM Airlines
- Renault and Nissan vehicle production plants
- Russian Interior Ministry, Chinese universities, Andhra Pradesh police (India)
// lessons
Key takeaways
- Patch SLAs are not optional for vulnerabilities in network-facing services like SMB.
- Disable legacy protocols — SMBv1 had no business being enabled in 2017.
- A kill switch in worm-class malware is the security community's last-line backstop; do not assume the next one will have one.
- Cyber weapons developed by states will leak. The supply chain of offensive capability flows downhill into criminal hands.
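As an added example (not part of the original page), the "disable legacy protocols" takeaway as a PowerShell audit-then-remediate script for a single Windows host. It assumes an elevated session on Windows 8.1/Server 2012 R2 or later; the AuditSmb1Access setting and the Microsoft-Windows-SMBServer/Audit log exist only on Windows 10/Server 2016 and later, and on older systems SMBv1 is disabled via the LanmanServer SMB1 registry value instead.

```powershell
# Added example: audit SMBv1 on a Windows host, surface legacy clients that still
# depend on it, and (with -Disable) turn the protocol off. Run elevated.
param(
    [switch]$Disable   # re-run with -Disable once the audit shows no legitimate SMBv1 clients
)

# 1. Server side: does this host still negotiate the SMBv1 dialect?
$srv = Get-SmbServerConfiguration
"SMB1 server protocol enabled : $($srv.EnableSMB1Protocol)"

# 2. Is the SMB1 component itself installed? (Optional feature on 8.1 / 2012 R2 and later.)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) { "SMB1Protocol feature state     : $($feature.State)" }

# 3. Any live sessions from this host using an SMB1 dialect? (Dialect 1.x = SMBv1.)
Get-SmbConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.Dialect -like '1.*' } |
    Select-Object ServerName, ShareName, Dialect

# 4. Audit before you cut anyone off: on Windows 10 / Server 2016+ the server can log
#    every SMBv1 access (event ID 3000) so legacy printers, scanners and old appliances
#    show up in the log instead of breaking silently after remediation.
if ($srv.PSObject.Properties['AuditSmb1Access']) {
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -MaxEvents 20 -ErrorAction SilentlyContinue |
        Where-Object Id -eq 3000 |
        Select-Object TimeCreated, Message
}

# 5. Remediate: stop negotiating SMBv1 and remove the component.
if ($Disable) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
    # Windows 7 / Server 2008 R2 fallback: same effect via the LanmanServer SMB1 value.
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0
    "SMBv1 disabled; reboot to complete removal of the SMB1Protocol component."
}
```

Run it without -Disable first across the estate and review the audit events and dialect list; only then re-run with -Disable on hosts that show no remaining SMBv1 dependents.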