May 12, 2017 | T1
WannaCry — The Ransomware That Weaponised a Leaked NSA Tool
On 12 May 2017 the WannaCry ransomware encrypted an estimated 300,000 Windows machines in 150 countries. Its propagation engine was **EternalBlue**, an NSA exploit targeting the SMBv1 flaw MS17-010 / CVE-2017-0144, which had been dumped by the **Shadow Brokers** on 14 April 2017. Microsoft had released a patch on 14 March 2017, but vast numbers of unpatched hosts remained worldwide. Britain's National Health Service was hit hard: hospitals diverted ambulances and cancelled scheduled surgery. About seven hours into the outbreak, 22-year-old British researcher **Marcus Hutchins (MalwareTech)** found and registered a kill-switch domain (`iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com`) embedded in the code, halting the spread. The US and UK governments later formally attributed the attack to North Korea's **Lazarus Group**.

Metadata
- Date: May 12, 2017
- Decade: 2010s
- Tier: T1
- Timelines: A History of Cybersecurity
- Sources: 05
- Connections: 00
On Friday 12 May 2017, hospitals in London, the Spanish carrier Telefónica, the timetable boards of Deutsche Bahn stations, the Russian Interior Ministry, university campuses in China, a Nissan plant in the UK — an estimated 300,000 Windows machines in about 150 countries — all locked up within hours and displayed the same red message: "Ooops, your files have been encrypted!"
The ransom demand was about US$300 in Bitcoin, with no guarantee of recovery. This was WannaCry (a.k.a. WCry, WanaCryptor 2.0), the most widely propagated ransomware in history — and an event that surfaced several structural problems of modern cybersecurity at once.
Three Ingredients
WannaCry was built from three layers stacked together: (a) a leaked NSA tool, (b) a Microsoft legacy bug, and (c) an enormous installed base of unpatched hosts.
EternalBlue (the NSA tool). A remote code execution exploit against Windows SMBv1, reportedly developed and used over years by the NSA's Tailored Access Operations (TAO) unit. It was published, alongside other NSA tooling, by the unidentified group calling itself the Shadow Brokers on 14 April 2017 (the group had been releasing NSA materials in stages since August 2016).
The Microsoft vulnerability MS17-010 / CVE-2017-0144. The SMBv1 flaw EternalBlue exploits. Microsoft — having reportedly been tipped off by the NSA — shipped the patch on 14 March 2017, two months before WannaCry. Yet enormous numbers of organisations were still running unsupported Windows 7 SP1 or Windows XP, or were simply slow at patching.
The ransomware payload. Files were encrypted with AES-128, the AES keys in turn protected by RSA-2048, and US$300–600 in Bitcoin was demanded, payable to one of three wallets. Crucially, the malware also scanned the local LAN segment and random external IPs for other vulnerable SMB hosts and re-deployed itself via EternalBlue — a worm-like self-propagation that turned a single infection into 300,000 in hours.
The Day Itself
The first infections were observed around 07:44 UTC on 12 May. By UK lunchtime, about 40 of England's roughly 80 NHS Trusts were affected, more than 19,000 appointments and operations were cancelled, and ambulances were diverted to other hospitals (according to the UK National Audit Office). The NAO later estimated direct NHS-only costs at about £92 million.
At 15:03 UTC, Marcus Hutchins, a 22-year-old researcher in south-west England known online as MalwareTech, was analysing a WannaCry sample and noticed that the malware first attempted an HTTP request to a long, unregistered domain: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. If the domain resolved, the malware exited without encrypting — apparently an anti-sandbox check. Hutchins registered the domain for about US$10. New infections stopped encrypting almost immediately. The improvisation of one researcher had reduced the scale of the incident in real time — a now-iconic moment in cybersecurity history.
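The two behaviours described above, the kill-switch domain lookup and the worm-like SMB fan-out from one host to many LAN and random external addresses, are both visible in ordinary DNS and connection logs. The following detection script is an added example, not code from the original page or from any of the parties it describes; the log format, the sample lines, the fan-out threshold and the use of TCP port 445 for SMB are assumptions chosen for illustration.

```python
# Added example (not from the original page): flags the two WannaCry behaviours the
# text describes, the kill-switch DNS lookup and worm-like SMB scanning fan-out.
# Constructed log format: "DNS <time> <src> <qname>" / "CONN <time> <src> <dst> <port>".
import ipaddress
from collections import defaultdict

KILL_SWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"  # domain from the page
SMB_PORT = 445          # standard TCP port for SMB (not stated on the page)
FANOUT_THRESHOLD = 5    # distinct SMB targets per source before flagging (assumed)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: 10.0.5.23 runs the sample (kill-switch lookup, then probes LAN
# and random external IPs on 445); 10.0.5.40 is an ordinary file-server client.
SAMPLE_LOG = """\
DNS  07:44:01 10.0.5.23 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
CONN 07:44:02 10.0.5.23 10.0.5.24 445
CONN 07:44:02 10.0.5.23 10.0.5.25 445
CONN 07:44:03 10.0.5.23 10.0.5.26 445
CONN 07:44:03 10.0.5.23 198.51.100.7 445
CONN 07:44:04 10.0.5.23 203.0.113.91 445
CONN 07:44:04 10.0.5.23 192.0.2.15 445
DNS  07:45:10 10.0.5.40 fileserver.corp.example
CONN 07:45:11 10.0.5.40 10.0.5.10 445
CONN 07:45:30 10.0.5.40 10.0.5.10 445
"""

def is_internal(ip):
    """True for RFC 1918 addresses; external SMB targets are the stronger worm signal."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def analyse(log_text):
    """Return {source_ip: [findings]} for hosts showing WannaCry-like behaviour."""
    smb_targets = defaultdict(set)   # src -> set of distinct TCP/445 destinations
    findings = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        kind, src = fields[0], fields[2]
        if kind == "DNS" and fields[3].lower() == KILL_SWITCH:
            findings[src].append("kill-switch domain lookup")   # sample ran on this host
        elif kind == "CONN" and int(fields[4]) == SMB_PORT:
            smb_targets[src].add(fields[3])
    for src, targets in smb_targets.items():
        if len(targets) >= FANOUT_THRESHOLD:
            ext = sum(1 for t in targets if not is_internal(t))
            findings[src].append(f"SMB fan-out to {len(targets)} hosts ({ext} external)")
    return dict(findings)
```

A kill-switch lookup is worth alerting on even where the domain resolves, since it means the sample executed on that host and only the encryption stage was skipped.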
Attribution — North Korea's Lazarus Group
On 19 December 2017, the US White House formally attributed WannaCry to the Lazarus Group, sponsored by the government of North Korea (the UK NCSC, Australia, Canada, Japan, and others followed). One basis was code reuse: a beta of WannaCry from February 2017 shared code fragments with earlier Lazarus malware (the 2014 Sony Pictures Entertainment hack and the 2016 Bangladesh Bank heist).
That said, the ransom-collection plumbing of WannaCry was crude: attackers ultimately received only about US$140,000 in Bitcoin — an absurdly low return for taking 300,000 machines hostage. Compared with North Korea's normal crypto-theft yield (US$625 million from the 2022 Axie Infinity Ronin Bridge heist alone), this is anomalous. A persistent hypothesis in the research community is that WannaCry was an in-progress experiment whose worm payload was released by accident.
What Happened to Marcus Hutchins
In the immediate aftermath, Hutchins was celebrated worldwide. But in August 2017, after attending DEF CON in Las Vegas, the FBI arrested him on his way home and charged him with unrelated earlier offences — alleged involvement, as a teenager, in distributing the Kronos banking trojan. He pleaded guilty under a deal and in 2019 was sentenced to time served with no fine. He continues to work as a security researcher in the United States.
NHS Fallout and Policy Effects
The UK NAO concluded that affected NHS organisations were either (1) still running unsupported Windows XP, or (2) running supported Windows but had not applied the MS17-010 patch. The attack, it said, succeeded "because of poor basic cyber hygiene" — and both the NHS and the Department of Health were criticised.
Globally, WannaCry pushed three policy debates into motion at once: (a) whether the NSA should hoard vulnerabilities at all (a reckoning with the Vulnerabilities Equities Process); (b) whether ransomware against critical infrastructure should be treated as a state-level concern — a question picked up again after the 2021 Colonial Pipeline incident, when OFAC sanctions were used in earnest; and (c) the operational risk of running unsupported operating systems in hospitals and on factory floors.
What It Left Behind
WannaCry was the first global demonstration of a now-canonical threat model: when a state offensive tool leaks, unrelated criminals (or other states) will weaponise it almost immediately. Six weeks later, on 27 June 2017, the EternalBlue-based NotPetya was launched out of Ukraine by Russia, causing more than US$10 billion in damage to Maersk, Merck, FedEx and others. WannaCry was, in retrospect, the trailer.
12 May 2017 is the moment when "applying patches" — the most basic discipline in computing — became the front line of inter-state cyber conflict.