WannaCry Ransomware Attack: What Happened, How It Spread, and Lessons for 2026
WannaCry is ransomware that propagates by exploiting a vulnerability in the Windows Server Message Block (SMB) protocol. The malware encrypts victims’ data and demands cryptocurrency to decrypt it. WannaCry encrypted hundreds of thousands of devices in over 150 countries in a matter of hours.
Ozan Ucar, Founder and CEO of Keepnet
The WannaCry ransomware attack of May 2017 exploited a vulnerability in Microsoft Windows systems, leveraging the EternalBlue exploit developed by the NSA and leaked by the Shadow Brokers group. The attack infected over 230,000 systems across 150 countries in a matter of hours, demonstrating how a single unpatched vulnerability in a widely deployed protocol could cascade into a global crisis. Nearly a decade later in 2026, WannaCry remains relevant: security researchers continue to detect WannaCry infections on unpatched legacy systems, and the underlying vulnerability (MS17-010) still represents an active attack surface in organizations running unsupported Windows versions or with delayed patch management.
The WannaCry attack resulted in estimated global financial damages ranging from $4 billion to $8 billion, making it one of the most costly cyberattacks in history at the time. By comparison, the NotPetya attack that followed in June 2017 caused approximately $10 billion in damages, and the cumulative cost of ransomware attacks globally exceeded $30 billion annually by 2025. WannaCry established the template for large-scale, worm-propagating ransomware that has been refined in nearly every major ransomware family since.
In the UK, the National Health Service (NHS) experienced significant operational disruptions during the WannaCry attack. An estimated one-third of NHS trusts in England were affected, with approximately 80 NHS trusts disrupted. The attack forced cancellation of thousands of appointments, diversion of ambulances, and reversion to paper systems. The WannaCry attack directly contributed to subsequent NHS cybersecurity investment and regulatory changes, including mandatory Cyber Essentials certification for NHS organizations and a requirement for supplier cybersecurity assessments that informed the policy response to the 2022 Advanced ransomware attack.
The NHS faced reputational harm following the WannaCry attack, as the incident exposed widespread use of Windows XP systems for which Microsoft had ended mainstream support in 2014. The UK National Audit Office report on the attack found that the NHS could have prevented the disruption by implementing basic security measures. In 2026, legacy operating system management remains a persistent challenge in healthcare globally, and WannaCry-style propagating ransomware continues to exploit unpatched SMBv1 vulnerabilities in networks that have not enforced the mitigations recommended in the 2017 Microsoft advisory.
These impacts underscore the critical importance of robust cybersecurity practices. In 2026, WannaCry is not merely a historical case study. Honeypot networks continue to detect WannaCry propagation attempts, indicating that infected machines remain active on the internet. Organizations that have inherited legacy infrastructure, operate in manufacturing or healthcare, or have not enforced SMBv1 disablement and MS17-010 patching remain potentially vulnerable to WannaCry-style attacks or to newer ransomware families that use EternalBlue as part of their propagation toolkit.
1. What is WannaCry Ransomware?
WannaCry is ransomware that propagates by exploiting a vulnerability in the Windows Server Message Block (SMB) protocol, which allows Windows machines on a network to communicate with one another. Specially crafted packets could trick Microsoft’s implementation into executing an attacker’s code.
2. How did WannaCry spread?
WannaCry managed to infect 230,000 users globally with ransomware by exploiting Windows security flaws via the Internet. The ability of the virus to transmit itself to other systems via infected linked devices increased the risk to the point of disaster. Even if the first wave of attacks is defeated, if the self-renewing later versions of the attack are not taken seriously and the necessary actions are not performed, the information saved in the first wave may be permanently lost.
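One way to detect the self-propagation described above, added here as an example and not taken from the original article: flag any source that contacts many distinct hosts on TCP 445 (SMB) within a short window. The log format, addresses, window and threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445  # TCP port used by SMB

# Constructed sample flow records: "timestamp src dst dst_port"
SAMPLE_FLOWS = """\
2026-01-10T09:00:00 10.0.0.5 10.0.0.20 445
2026-01-10T09:00:09 10.0.0.5 10.0.0.21 443
2026-01-10T09:01:00 10.0.0.77 10.0.0.1 445
2026-01-10T09:01:02 10.0.0.77 10.0.0.2 445
2026-01-10T09:01:04 10.0.0.77 10.0.0.3 445
2026-01-10T09:01:06 10.0.0.77 10.0.0.4 445
2026-01-10T09:01:08 10.0.0.77 10.0.0.6 445
2026-01-10T09:02:00 10.0.0.9 10.0.0.30 445
2026-01-10T09:05:00 10.0.0.9 10.0.0.31 445
2026-01-10T09:08:00 10.0.0.9 10.0.0.32 445
truncated-record
"""

def parse_flows(text):
    """Yield (time, src, dst, port) tuples, skipping malformed records."""
    for line in text.splitlines():
        try:
            ts, src, dst, port = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(port)
        except ValueError:
            continue  # wrong field count, bad timestamp or bad port

def smb_fanout_alerts(text, window_s=60, threshold=5):
    """Map each source to its peak count of distinct SMB peers in any
    sliding window, keeping only sources at or above the threshold."""
    window = timedelta(seconds=window_s)
    per_src = defaultdict(list)
    for ts, src, dst, port in parse_flows(text):
        if port == SMB_PORT:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        start = best = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1  # drop events older than the window
            best = max(best, len({d for _, d in events[start:end + 1]}))
        if best >= threshold:
            alerts[src] = best
    return alerts

if __name__ == "__main__":
    print(smb_fanout_alerts(SAMPLE_FLOWS))
```

The window and threshold need tuning per network, since file servers, backup hosts and vulnerability scanners legitimately reach many SMB peers and belong on an allowlist.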
3. Risk of Infection Via Email
After first infecting systems by exploiting a Windows security flaw via the Internet, WannaCry has begun to spread via email. It has also penetrated internal business networks through connections to emails and hazardous information. According to cyber threat intelligence firms, the actual major threat will start with business network infection.
4. WannaCry Components
WannaCry is made up of several components: the DoublePulsar dropper, a self-contained program that selects the other elements; a program that could encrypt and decrypt data; records that include encryption keys; and an open source software application allowing secret conversation.
5. The Effect of the WannaCry Attack
WannaCry ransomware broke out in 2017, infecting over 230,000 systems worldwide and costing billions of dollars. Although new strains of this ransomware were discovered in 2018, the attack had a significant impact on two industries: healthcare and large manufacturers.
6. Who created WannaCry?
The US believes that Park Jin Hyok, a 34-year-old North Korean, is one of the many individuals behind a long string of malware attacks and interventions.
7. Who Stopped the WannaCry Ransomware?
Marcus Hutchins, better known by his nickname MalwareTech, has been charged with two felonies related to the creation and distribution of malware. Hutchins was hailed as a hero in May 2017 for his involvement in halting the global spread of the WannaCry ransomware.
Why WannaCry Remains Relevant in 2026
WannaCry occurred in 2017 but its core lessons apply directly to 2026. The EternalBlue exploit used by WannaCry was based on a vulnerability for which Microsoft had already released a patch two months before the attack. The organizations that were devastated were those that had not applied a routine security update. In 2026, attackers continue to exploit known, patched vulnerabilities against organizations that have fallen behind on updates. The technology has changed but the human and organizational failure remains the same. Unpatched systems, inadequate backup strategies, and employees who cannot recognize suspicious emails are still the three most exploited weaknesses in any organization.
The kill switch discovered by Marcus Hutchins was a design flaw that limited WannaCry's spread, but modern ransomware does not contain such failsafes. Today's ransomware families are more targeted, better tested, and designed specifically to avoid the mistakes that gave defenders an edge against WannaCry. Organizations that treat WannaCry as history rather than a warning are repeating the conditions that made the attack possible.
Editor's Note: This article was updated on June 1, 2026.