Revisiting the WannaCry Ransomware Attack: How to Stay Protected
In May 2017, a large-scale cyberattack known as WannaCry spread across the globe, encrypting data on over 230,000 computers in 150+ countries and demanding ransom payments in Bitcoin.
This attack exposed major vulnerabilities in corporate and government cybersecurity infrastructures, leading to financial losses, operational disruptions, and an urgent need for stronger cyber resilience.
How the Attack Started
WannaCry's spread relied on EternalBlue, an exploit for a critical vulnerability in Microsoft's implementation of the Server Message Block version 1 (SMBv1) protocol in Windows. The exploit, reported to have been developed by the NSA (National Security Agency) for intelligence operations, was published by a group calling itself the Shadow Brokers in April 2017. Within weeks, criminals had bundled it into WannaCry as the worm's propagation mechanism.
- The first infections were reported early on 12 May 2017; which network was hit first is still uncertain, with early reports coming from Asia and Europe.
- Each infected machine scanned its local network and random internet addresses for hosts exposing SMB on TCP port 445, so a single unpatched, internet-reachable host was enough to carry the worm inside an organisation.
- From there, it rapidly spread through the internal networks of companies and institutions that had unpatched systems.
- Unlike most ransomware, WannaCry behaved as a worm: it self-replicated and infected other vulnerable computers without any user interaction.
Within hours, WannaCry had spread worldwide, targeting major corporations, hospitals, banks, and government institutions. By the end of the first day, tens of thousands of computers had been infected, bringing essential services to a halt.
How Companies Reacted
When organisations realised their systems were encrypted and unusable, panic ensued. Many had no immediate way to recover because the files had been encrypted with keys only the attackers held, and the ransom note demanded payment in Bitcoin. Major organisations around the world were affected:
- Hospitals in the UK run by the NHS (National Health Service) were forced to cancel surgeries, ambulances were diverted, and medical staff were locked out of patient records.
- Manufacturing plants like Renault and Nissan had to halt production to contain the infection.
- Organisations such as Sberbank (Russia), Hitachi (Japan) and the State Bank of India reported service disruptions.
- Germany’s Deutsche Bahn railway system displayed ransomware messages instead of train schedules.
- Spanish telecom provider Telefónica was forced to shut down parts of its network to contain the spread.
Most organisations reacted in one of three ways:
- Paid the Ransom – Some companies paid the Bitcoin ransom hoping to recover their files. WannaCry's ransom note pointed at a handful of hard-coded Bitcoin addresses with no reliable way to link a payment to a particular victim, so paying did not guarantee a decryption key, and many never got their files back.
- Attempted Recovery – Companies with working backups were able to restore their files, but it took time and disrupted business operations.
- Emergency Patching & Containment – Those who hadn't been infected rushed to apply Microsoft's MS17-010 update, disable SMBv1 and block TCP port 445 at the network edge to prevent further infections.
Despite these reactions, WannaCry’s damage was already done, and the attack showed just how vulnerable global networks were to cyber threats.
How EternalBlue Enabled WannaCry
EternalBlue was an exploit for a flaw in the Windows implementation of the Server Message Block protocol, specifically version 1 (SMBv1). It allowed an attacker to execute code on a vulnerable system over the network without any authentication. Here's how it worked:
- SMB (Server Message Block) is the protocol Windows uses to share files and printers over a network; it listens on TCP port 445.
- The vulnerability (CVE-2017-0144) was in the way the kernel-mode SMBv1 server handled specially crafted requests.
- An attacker could send a malicious sequence of SMBv1 packets to corrupt kernel memory and take control of the system with the highest privileges.
Microsoft patched the vulnerability on 14 March 2017 (security bulletin MS17-010), but many organisations had not applied the update two months later, leaving them exposed to attack.
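To make the protocol side of this concrete, here is an added Python example (not code from the original page or from Penta) that builds a raw SMBv1 Negotiate Protocol request, which is the first message of any SMBv1 session and the dialect negotiation EternalBlue's traffic starts with, sends it to a host on TCP port 445, and reports whether the server still accepts an SMBv1 dialect. The packet layout follows the published SMB1 message format; the host name, result labels and the constructed sample response used for the offline demo are assumptions of this example. A server that still negotiates SMBv1 is exposed to this class of attack unless MS17-010 is installed; the probe tells you about SMBv1, not about the patch itself. Only probe hosts you are authorised to test.

```python
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
# 32-byte SMB1 header: Protocol, Command, Status, Flags, Flags2, PIDHigh,
# SecurityFeatures, Reserved, TID, PIDLow, UID, MID (all little-endian).
SMB1_HEADER = "<4sBIBHH8sHHHHH"


def build_negotiate_request(dialects=(b"NT LM 0.12",)) -> bytes:
    """SMB_COM_NEGOTIATE request offering only SMBv1 dialects, framed for TCP/445."""
    header = struct.pack(SMB1_HEADER, SMB1_MAGIC, SMB_COM_NEGOTIATE, 0,
                         0x18, 0xC853, 0, b"\x00" * 8, 0, 0, 0, 0, 0)
    # Each dialect is a 0x02 "buffer format" byte followed by a NUL-terminated string.
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    params = struct.pack("<BH", 0, len(data))        # WordCount=0, ByteCount
    smb = header + params + data
    # NetBIOS session service framing: type byte 0x00 + 3-byte big-endian length.
    return struct.pack(">I", len(smb)) + smb


def parse_negotiate_response(data: bytes) -> str:
    """Classify the server's reply to the SMBv1 negotiate (labels are this example's own)."""
    if not data:
        return "closed"                # server dropped the connection: no SMBv1 reply
    body = data[4:]                    # strip NetBIOS framing
    if body[:4] == SMB2_MAGIC:
        return "smb2-reply"            # answered in SMB2 framing; no SMBv1 dialect chosen
    if body[:4] != SMB1_MAGIC or len(body) < 35 or body[4] != SMB_COM_NEGOTIATE:
        return "not-smb1"
    status = struct.unpack_from("<I", body, 5)[0]
    word_count = body[32]              # 17 for an NT LM 0.12 negotiate response
    if status != 0 or word_count == 0:
        return "smb1-rejected"
    dialect_index = struct.unpack_from("<H", body, 33)[0]
    # DialectIndex 0xFFFF means "none of the offered dialects accepted".
    return "smb1-rejected" if dialect_index == 0xFFFF else "smb1-enabled"


def probe_smb1(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Send the negotiate to a live host and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        try:
            data = s.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return parse_negotiate_response(data)


def constructed_response(dialect_index: int, status: int = 0) -> bytes:
    """Constructed sample negotiate response (not captured traffic) for offline use."""
    header = struct.pack(SMB1_HEADER, SMB1_MAGIC, SMB_COM_NEGOTIATE, status,
                         0x98, 0xC853, 0, b"\x00" * 8, 0, 0, 0, 0, 0)
    word_count = 17
    params = struct.pack("<BH", word_count, dialect_index) + b"\x00" * (2 * word_count - 2)
    smb = header + params + struct.pack("<H", 0)  # ByteCount = 0
    return struct.pack(">I", len(smb)) + smb


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], probe_smb1(sys.argv[1]))
    else:
        print("server accepting SMBv1:", parse_negotiate_response(constructed_response(0)))
        print("server refusing SMBv1:", parse_negotiate_response(constructed_response(0xFFFF)))
```

Run it as `python smb1_probe.py <host>` against a host you own; with no argument it exercises the parser on the constructed responses. A result of `smb1-enabled` on a file server is the finding to chase: either apply MS17-010 and disable SMBv1, or document why the host cannot be changed and isolate it.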
How WannaCry Was Stopped
A 22-year-old security researcher, Marcus Hutchins, was analysing WannaCry's code when he noticed that before doing anything else it tried to connect to a specific, unregistered domain and only continued if the connection failed.
- Hutchins registered the domain as part of his research and pointed it at a sinkhole, unknowingly activating a kill switch: new infections that could reach the domain now exited before encrypting anything.
- This halted the spread of that variant within hours, but it did not decrypt files already affected, and machines that could only reach the internet through a proxy still failed the check and were encrypted, because the malware's connection attempt ignored proxy settings.
- Variants of WannaCry later emerged, some without a kill switch, but none spread at the rate of the original outbreak.
Microsoft's Emergency Response
Microsoft had already released MS17-010 in March 2017, two months before the attack, but only for supported versions of Windows. Because so many infected systems were running older releases, Microsoft took the extraordinary step of publishing emergency updates for platforms that were no longer officially supported, including Windows XP and Windows Server 2003.
Government & Law Enforcement Reactions
- The US and UK governments, joined by several allies, publicly attributed the attack to North Korea's Lazarus Group, a state-sponsored hacking organisation.
- Cybersecurity firms worked together to analyse the malware and prevent future outbreaks.
- The attack led to increased global pressure on governments to improve cyber threat intelligence sharing and regulatory enforcement.
Understanding Ransomware
Ransomware is a type of malware that encrypts files and demands a ransom for their release. The attackers typically threaten to permanently delete or expose sensitive data if the ransom is not paid. Ransomware attacks have evolved significantly in recent years, with modern variants incorporating data theft and double extortion tactics.
How Ransomware Works
- Infection – Delivered via phishing emails, malicious websites, or system vulnerabilities.
- Encryption – Files are encrypted with a strong cipher and the key needed to reverse it is held by the attackers; WannaCry, for example, encrypted each file with its own AES key and wrapped those keys with an RSA public key, so without the matching private key the files stay inaccessible.
- Ransom Demand – Attackers demand payment in exchange for decryption keys (sometimes even if a ransom is paid, files are not recovered).
- Spread – Some ransomware, like WannaCry, can self-propagate within networks, making them highly destructive.
- Extortion – Some variants also steal data and threaten to leak it if the ransom is not paid.
Protecting your Business from Ransomware
At Penta, we understand that proactive cybersecurity measures are the key to preventing ransomware attacks. Our comprehensive suite of services is designed to detect, block, and recover from threats like WannaCry.
Patch Management & Vulnerability Assessments
Keeping software up to date is the first line of defence against ransomware. Penta's patch management and vulnerability assessment services:
- Ensure all security updates are applied automatically.
- Proactively identify and address vulnerabilities before they can be exploited.
- Provide real-time alerts on unpatched systems.
Microsoft 365 Security & Segmentation
Many ransomware attacks spread through unsecured networks, and WannaCry spread through an unpatched Microsoft vulnerability. Our Microsoft 365 security and segmentation solutions minimise attack surfaces by:
- Automatically enabling Windows Defender Antivirus, DLP, BitLocker and Advanced Threat Protection (ATP).
- Using firewalls and Zero Trust policies to prevent unauthorised access.
- Isolating infected systems to prevent lateral movement within networks.
Advanced Threat Detection & Cyber Security Monitoring (SIEM)
Modern ransomware can bypass traditional antivirus tools, requiring next-generation solutions. Penta Sentinel is a comprehensive and customised SIEM solution that can detect advanced threats using:
- Comprehensive data collection, including network traffic monitoring and system event log forwarding.
- Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) for real-time monitoring.
- AI-powered behaviour analysis to detect threats, including insider activity, that have already got past the firewall.
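To show what detection logic looks like once this telemetry is in one place, here is an added Python example (not Penta Sentinel's code or configuration) that runs four rules over constructed JSON-lines events. The rules correspond to behaviours described on this page: a worm's fan-out of SMB connections to many peers on TCP port 445 in a short window (How the Attack Started); a DNS lookup of the kill-switch domain, which an infected host performs before running, so a query for the sinkholed domain in DNS logs identifies that host (How WannaCry Was Stopped); the shadow-copy deletion command WannaCry ran to stop victims restoring locally (`vssadmin delete shadows /all /quiet`); and a burst of files written with the `.WNCRY` extension WannaCry appended. The event format, the thresholds and the placeholder kill-switch domain `killswitch.example` are assumptions of this example; the real domain is listed in published WannaCry indicators.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds and formats below are assumptions for this example; tune them per environment.
SMB_PORT = 445
SMB_FANOUT_THRESHOLD = 20             # distinct peers on tcp/445 from one host ...
SMB_WINDOW = timedelta(seconds=60)    # ... within this sliding window
RANSOM_EXTENSIONS = (".wncry", ".wncryt")   # extensions WannaCry appended to files
RENAME_THRESHOLD = 10
BACKUP_TAMPER_MARKERS = (             # substrings of WannaCry's recovery-wipe command line
    "vssadmin delete shadows",
    "wmic shadowcopy delete",
    "recoveryenabled no",
    "wbadmin delete catalog",
)


def detect(lines, killswitch_domains):
    """Run the four rules over JSON-lines events; return a list of alert dicts."""
    events = [json.loads(line) for line in lines if line.strip()]
    events.sort(key=lambda e: e["ts"])           # ISO timestamps sort lexically
    alerts, fired = [], set()

    def alert(rule, host, detail):
        if (rule, host) not in fired:            # one alert per rule per host
            fired.add((rule, host))
            alerts.append({"rule": rule, "host": host, "detail": detail})

    smb_peers = defaultdict(deque)               # host -> deque of (ts, dst) on tcp/445
    ransom_writes = defaultdict(int)             # host -> count of ransomware-extension files

    for e in events:
        ts, host = datetime.fromisoformat(e["ts"]), e["host"]
        if e["type"] == "conn" and e.get("dport") == SMB_PORT:
            q = smb_peers[host]
            q.append((ts, e["dst"]))
            while q and ts - q[0][0] > SMB_WINDOW:   # evict events outside the window
                q.popleft()
            peers = {dst for _, dst in q}
            if len(peers) >= SMB_FANOUT_THRESHOLD:
                alert("smb-scan", host,
                      f"{len(peers)} distinct peers on tcp/445 within {SMB_WINDOW.seconds}s")
        elif e["type"] == "proc":
            cmd = e.get("cmdline", "").lower()
            if any(marker in cmd for marker in BACKUP_TAMPER_MARKERS):
                alert("backup-tampering", host, cmd)
        elif e["type"] == "file":
            if e.get("path", "").lower().endswith(RANSOM_EXTENSIONS):
                ransom_writes[host] += 1
                if ransom_writes[host] >= RENAME_THRESHOLD:
                    alert("ransom-extension-burst", host,
                          f"{ransom_writes[host]} files with a ransomware extension")
        elif e["type"] == "dns":
            if e.get("query", "").lower().rstrip(".") in killswitch_domains:
                alert("killswitch-lookup", host, e["query"])
    return alerts


def constructed_events():
    """Constructed sample telemetry (not real logs): one healthy host, one infected host."""
    base = datetime(2017, 5, 12, 8, 0, 0)
    lines = []

    def add(sec, **fields):
        lines.append(json.dumps({"ts": (base + timedelta(seconds=sec)).isoformat(), **fields}))

    # WS-03: ordinary activity, a few file-server connections and a document save.
    for i in range(3):
        add(i, host="WS-03", type="conn", dst=f"10.0.0.{10 + i}", dport=445)
    add(5, host="WS-03", type="file", path=r"C:\Users\alice\report.docx")
    # WS-17: kill-switch lookup, worm-style sweep of a subnet, shadow-copy wipe, encryption burst.
    add(10, host="WS-17", type="dns", query="killswitch.example.")
    for i in range(25):
        add(11 + i, host="WS-17", type="conn", dst=f"10.0.1.{i + 1}", dport=445)
    add(40, host="WS-17", type="proc",
        cmdline="vssadmin delete shadows /all /quiet & wmic shadowcopy delete")
    for i in range(12):
        add(41 + i, host="WS-17", type="file", path=rf"C:\Users\bob\budget{i}.xlsx.WNCRY")
    return lines


if __name__ == "__main__":
    for a in detect(constructed_events(), {"killswitch.example"}):
        print(f"[{a['rule']}] {a['host']}: {a['detail']}")
```

Each rule fires once per host, and only the first three rules fire on the healthy host's data. In practice the SMB fan-out and kill-switch rules are the early ones: they trigger before any file is encrypted, which is when isolating the host (the containment step described above) still prevents damage.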
Backup as a Service & Disaster Recovery
Having immutable backups is critical in ransomware defence. Our Backup as a Service:
- Offers fast and reliable backup and replication of your entire IT environment to the cloud of your choice, or to Penta’s secure data centers.
- Regularly tests backups to ensure quick restoration in case of an attack.
- Provides instant recovery solutions to minimise downtime.
Cyber Security Awareness Training
Human error remains one of the biggest security risks, but with proper training, your team can understand and effectively mitigate attacks. Penta’s cyber security awareness training:
- Provides tailor-made cybersecurity awareness training for staff delivered by professionals.
- Simulates real-world phishing attacks to test and improve employee awareness.
- Gives you analytics on how your teams performed and recommendations from our cyber security experts.
Remote Monitoring & Web Filtering
Endpoints such as desktop computers and laptops are typically the most exposed part of a corporate network and the most common entry point for attacks. Similarly, if you are not in control of what your employees access online, you are open to avoidable risks.
- Penta's RMM service detects new devices, applies pre-configured security policies, installs patches and integrates backup procedures.
- Web filtering gives you internet access control, real-time threat protection, prevention of unauthorised data sharing and blocking of known botnet command-and-control traffic.
Secure Your Business Today with Penta
The WannaCry ransomware attack of 2017 was a wake-up call for organisations, highlighting the vulnerabilities in outdated software and the critical need for proactive cybersecurity measures. Thankfully, valuable lessons were learned that have significantly improved the way we approach cybersecurity today. But with ever-evolving threats, organisations cannot afford to let their guard down.
Penta's highly tailored security solutions are designed by cybersecurity experts using state-of-the-art technologies. Hosted at Penta's data centres in Dubai and Geneva, our security solutions combine best-in-class software with IT expertise. It is a testament to their quality that we are trusted to run and maintain IT infrastructures for some of the world's leading financial organisations. Security isn't an afterthought; with Penta it comes as standard. Contact us today.