WannaCry, also known as WannaCrypt, is a form of ransomware that made global headlines in May 2017 due to its widespread and destructive impact. Ransomware is a type of malicious software that encrypts a victim’s files, rendering them inaccessible until a ransom is paid to the attacker.

The WannaCry ransomware attack was unprecedented in its scale, affecting hundreds of thousands of computers across more than 150 countries. It exploited a vulnerability in Microsoft’s Windows operating system, specifically in the Server Message Block (SMB) protocol. This article will delve into the details of WannaCry, its origins, how it works, its impact, and how to protect against such attacks.

Origins of WannaCry

The WannaCry ransomware is believed to have been created by the Lazarus Group, a cybercrime group linked to North Korea. The group has been associated with several high-profile cyber attacks, including the 2014 Sony Pictures hack and the 2016 Bangladesh Bank heist.

The ransomware leveraged an exploit known as EternalBlue, which was allegedly developed by the United States National Security Agency (NSA). The exploit was leaked by a group called The Shadow Brokers in April 2017, a month before the WannaCry attack.

The Shadow Brokers

The Shadow Brokers is a hacking group that first appeared in the summer of 2016. They are known for leaking exploits, hacking tools, and other classified information allegedly stolen from the NSA. The group’s identity and motives remain unknown, but their actions have had significant global repercussions.

The EternalBlue exploit leaked by The Shadow Brokers was a key component of the WannaCry ransomware. It allowed the ransomware to spread rapidly across networks, infecting multiple computers without user interaction.

How WannaCry Works

WannaCry is a wormable ransomware, meaning it can spread itself across networks. Once it infects a computer, it encrypts the user’s files and displays a ransom message, demanding payment in Bitcoin for the decryption key.

The ransomware uses the RSA and AES encryption algorithms to lock files. RSA, a public-key cryptosystem, is used to encrypt the key for AES encryption. The AES key is then used to encrypt the user’s files. Without the RSA private key held by the attacker, the AES key cannot be decrypted, and thus the files remain locked.

EternalBlue Exploit

The EternalBlue exploit targets the SMB protocol in Microsoft’s Windows operating system. SMB is used for sharing access to files, printers, and other resources on a network. The exploit allows the attacker to execute arbitrary code on the target system, providing a gateway for the ransomware to infiltrate the system.

Once inside, WannaCry uses another tool, known as DoublePulsar, to install and execute a copy of itself. DoublePulsar is a backdoor implant tool that was also leaked by The Shadow Brokers. It allows the attacker to maintain persistent access to the system and execute malicious payloads.
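Self-propagation over SMB leaves a recognizable trace in network flow logs: a single host opening connections to many different peers on TCP port 445 within a short time. The following detection sketch is an added example, not part of the original article; the log format, addresses, time window, and threshold are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445  # TCP port used by SMB

def build_sample():
    """Constructed flow log, one record per line: 'timestamp src dst dst_port'."""
    t0 = datetime(2017, 5, 12, 9, 0, 0)
    def rec(offset, src, dst, port):
        return f"{(t0 + offset).isoformat()} {src} {dst} {port}"
    lines = []
    for i in range(8):  # worm-like host: 8 different SMB peers in 8 seconds
        lines.append(rec(timedelta(seconds=i), "10.0.0.5", f"10.0.0.{20 + i}", 445))
    for i in range(8):  # normal client: same file server over and over
        lines.append(rec(timedelta(seconds=5 * i), "10.0.0.9", "10.0.0.2", 445))
    for i in range(6):  # slow host: 6 SMB peers, but two minutes apart
        lines.append(rec(timedelta(minutes=2 * i), "10.0.0.8", f"10.0.0.{40 + i}", 445))
    for i in range(8):  # busy host on a non-SMB port
        lines.append(rec(timedelta(seconds=i), "10.0.0.7", f"10.0.0.{60 + i}", 443))
    lines.append("garbage line")  # malformed record, must be skipped
    return "\n".join(lines)

def parse_flows(text):
    """Yield (time, src, dst, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def smb_fanout_alerts(flows, window=timedelta(seconds=60), threshold=5):
    """Map each source that reached `threshold` distinct SMB peers inside
    one sliding `window` to the highest distinct-peer count observed."""
    recent = defaultdict(deque)  # src -> (time, dst) pairs still in window
    alerts = {}
    for ts, src, dst, port in sorted(flows):
        if port != SMB_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # expire records older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts

if __name__ == "__main__":
    print(smb_fanout_alerts(parse_flows(build_sample())))
```

Only the host that touches many SMB peers in quick succession is flagged; the window and threshold need tuning against a network's normal file-sharing traffic.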

Impact of WannaCry

The WannaCry ransomware attack had a significant global impact, affecting organizations across various sectors, including healthcare, finance, and logistics. The attack caused widespread disruption, with hospitals in the UK’s National Health Service (NHS) being among the hardest hit.

According to estimates, the attack affected over 200,000 computers across 150 countries. The financial damage caused by the attack is difficult to quantify, but some estimates suggest it could be in the billions of dollars. The attack also highlighted the vulnerabilities in our increasingly interconnected world and the potential for cyber attacks to cause real-world harm.

Case Study: NHS

The NHS was severely affected by the WannaCry attack, with approximately one-third of health trusts in England being disrupted. Hospitals had to cancel appointments and surgeries, and some even had to divert emergency patients. The attack exposed significant vulnerabilities in the NHS’s IT infrastructure, including outdated systems and a lack of cybersecurity preparedness.

The financial cost to the NHS was estimated to be around £92 million. This includes the immediate costs of responding to the attack and the longer-term costs of IT upgrades, data recovery, and improved cybersecurity measures.

Preventing WannaCry and Similar Attacks

Preventing ransomware attacks like WannaCry requires a multi-faceted approach. This includes keeping software and systems up to date, using reliable security software, regularly backing up data, and promoting cybersecurity awareness among users.

Microsoft released a patch for the EternalBlue vulnerability in March 2017, a month before the WannaCry attack. However, many organizations had not applied the patch, leaving their systems vulnerable. This highlights the importance of timely patch management in cybersecurity.

Cybersecurity Awareness

Human error is often a significant factor in successful cyber attacks. Phishing emails, for example, rely on users clicking on malicious links or attachments. Therefore, promoting cybersecurity awareness among users is a crucial part of preventing attacks.

Training should include recognizing and avoiding phishing emails, using strong and unique passwords, and understanding the importance of software updates and backups. Users should also be aware of the signs of a ransomware attack, such as suddenly inaccessible files or unusual system behavior.


The WannaCry ransomware attack was a wake-up call for many organizations about the potential scale and impact of cyber attacks. It highlighted the importance of robust cybersecurity measures, including patch management, data backups, and user awareness.

While the attack caused significant disruption and financial damage, it also led to increased focus on cybersecurity and the need for improved defenses. As we become more reliant on digital systems, the lessons learned from WannaCry will continue to be relevant in protecting against future cyber threats.
