Five years ago, the WannaCry ransomware cryptoworm targeted computers running Microsoft Windows, encrypting data at organizations around the world.
WannaCry
WannaCry is a ransomware cryptoworm that emerged in May 2017 and caused one of the most disruptive global cyber incidents recorded on Microsoft Windows systems.
Profile source: Mallory opens in a new tabWannaCry
Family profile
WannaCry is a ransomware cryptoworm that emerged in May 2017 and caused one of the most disruptive global cyber incidents recorded on Microsoft Windows systems. It combines file-encrypting ransomware behavior with worm-like self-propagation, allowing it to spread rapidly across vulnerable networks without requiring user interaction on each host. The malware is widely associated with exploitation of the SMB vulnerability addressed by Microsoft in MS17-010, using the EternalBlue exploit to compromise unpatched and unsupported Windows systems at scale.
Once executed, WannaCry encrypts victim data and presents a ransom demand in Bitcoin. In addition to local file encryption, it can scan for newly attached drives and encrypt files on those devices as they appear. It also exhibits defense-evasion and persistence behavior, including hiding some files and creating a Windows service masquerading as a legitimate Microsoft security component. Its worming capability enabled propagation across organizations and countries, contributing to widespread operational disruption in sectors including healthcare, government, and business. The 2017 outbreak notably affected the UK National Health Service and many other large organizations worldwide.
WannaCry has been attributed by multiple governments and security researchers to North Korea, with reporting and technical analysis commonly linking it to the Lazarus Group. Earlier variants were reportedly used in more targeted enterprise attacks before the large-scale outbreak, and the later mass propagation was enabled by the public leak of offensive cyber tooling that included EternalBlue. The campaign is frequently cited as a landmark example of how leaked nation-state exploitation capabilities can be repurposed for financially motivated ransomware operations.
WannaCry is best characterized as both ransomware and a worm, but its most specific classification here is ransomware because its core payload encrypts victim files and extorts payment. Its historical significance stems from the combination of automated network propagation, large-scale impact, and reliance on patchable Windows vulnerabilities, making it a canonical case study in ransomware outbreaks, wormable exploitation, and the security consequences of delayed patching.
Capabilities
- Defense Evasion
- Exfiltration
- Persistence
- Reconnaissance
- Scanning
Ransomware.live
Operational record
Reported operators
Threat actors
5 named in public reportingThe WannaCry ransomware attacks have received extensive coverage since a widespread attack on May 12 caused the systems of many large organizations around the world, including the NHS in the UK, to come to a juddering halt.
WannaCry paralysed computers running mostly older versions of Microsoft Windows by encrypting users' computer files and displaying a message demanding anywhere from $US300 to $US600 to release them; failure to pay would leave the data mangled and likely beyond repair.
The exploit chains in play included EternalBlue, DoublePulsar, and WannaCry, all tools that have been publicly known and patchable for years.
The WannaCry attack was a massive ransomware cyberattack... This ransomware leverages an NSA exploit known as EternalBlue... Wincry was the base of the encryption, but two additional exploits, EternalBlue and DoublePulsar, were used by the malware to make it a cryptoworm.
Exploited software
Vulnerabilities linked to WannaCry
4 CVEsMITRE ATT&CK
WannaCry in ATT&CK
66 distinct techniquesTechniques
66 techniquesReporting
Research mentioning WannaCry
AI-Powered 'Intelligent Worm' Could Regenerate Exploits and Adapt to Defenses in Real Time
This is why fast patching remains one of the most effective controls against outbreaks such as Code Red, Slammer, Conficker, and WannaCry.
NSA revives 'Tailored Access Operations' name for elite hacking unit | The Record from Recorded Future News
The U.S. believed that Russia and North Korea capitalized on pilfered tools to unleash devastating global cyberattacks — most famously in 2017 when the WannaCry ransomware used an exploit called EternalBlue.
SonicWall: NHS hospitals hit by 10x cyber attack surge -
Past attacks have taken their toll. WannaCry cost £92 million.
A privacy-first take on local malware analysis - Help Net Security
Families with larger sample counts, including Adware.Neoreklami, GCleaner, WannaCry, Socks5Systemz, and CobaltStrike, reach high recall.
The Intelligent Shield. OpenCTI. Beyond Ingestion Subtitle: Deploying… | by Andrey Pautov | May, 2026 | InfoSec Write-ups
The profile shows: Attributed to: North Korea Motivations: Financial gain, Espionage Targets: Finance, Cryptocurrency, Defense Malware used: WannaCry, Hermes, BLINDINGCAN (all auto-linked by MITRE connector)
Cyber insurance forces companies to rethink risk management | TechTarget
If you go back about a decade , there were some fairly high-profile incidents -- cases like NotPetya and WannaCry -- where various companies from different parts of the world were impacted by these propagating events.
Claude Mythos Turning N-Days Into N-Hours With Rapid Working Exploit Creation
For example, the WannaCry ransomware attack occurred nearly two months after the MS17-010 patch, while other exploits typically took weeks.
Smashing Security podcast #471: This AI worm just rewrote its own rules • Graham Cluley
More recently, the WannaCry worm, of course, that was really high profile back in 2017, I think it was, spread to hundreds of thousands of computers in just a matter of days and exploited a zero-day vulnerability in Microsoft Windows.