Generated by GPT-5-mini

| WannaCry | |
|---|---|
| Name | WannaCry |
| Also known as | WCry, WannaCryptor, WannaCrypt |
| Date | May 12, 2017 |
| Type | Ransomware worm |
| Targets | Microsoft Windows systems |
| Affected | Organisations worldwide |
| Perpetrators | Attributed to a North Korean cyber unit by several states and companies |
WannaCry was a widespread ransomware worm that infected hundreds of thousands of computers across more than 150 countries on 12 May 2017, encrypting files and demanding payment in Bitcoin for decryption. The incident affected critical infrastructure and high-profile institutions including the National Health Service (England), private sector firms, and public agencies, prompting coordinated technical responses from cybersecurity firms such as Kaspersky Lab, Symantec, and Microsoft as well as investigations by state actors including the United States Department of Justice, the National Cyber Security Centre (UK), and the European Union Agency for Cybersecurity. The attack used an exploit leaked from the Equation Group and raised international debate, involving organisations such as the United Nations, the North Atlantic Treaty Organization, and the G7, about offensive cyber capabilities and attribution.
WannaCry emerged after the hacking group Shadow Brokers leaked cyber tools attributed to the National Security Agency (United States) in April 2017. The exploit known as "EternalBlue" was developed from code linked to the Equation Group and reportedly exploited vulnerabilities in the Server Message Block (SMB) protocol of Microsoft Windows. Early discovery and analysis were conducted by researchers at MalwareTech (Marcus Hutchins), Kaspersky Lab, and Symantec, who identified the worm behaviour and the ransom note. Public reporting and incident response involved coordination between the National Cyber Security Centre (UK), the United States Computer Emergency Readiness Team, and private sector firms such as FireEye and Palo Alto Networks, while affected organisations including the National Health Service (England), Telefonica, and Deutsche Bahn reported operational disruption. The leak and subsequent outbreak renewed scrutiny of the Vulnerabilities Equities Process used by the United States Department of Defense and spurred policy discussions in bodies such as the United Nations General Assembly and the European Commission.
WannaCry combined the EternalBlue exploit against Server Message Block (SMB) v1 in Microsoft Windows with a ransomware payload that analysts associated with DoublePulsar and other components from the Equation Group leak; the payload used RSA and AES cryptography to encrypt files, appended a file extension to the encrypted files, and dropped a ransom note demanding payment in Bitcoin. The worm included a kill-switch domain hard-coded by its authors; security researcher Marcus Hutchins (MalwareTech) registered the domain and discovered that once the domain responded, infected hosts stopped propagating, which effectively slowed the outbreak, a finding confirmed by analysis from Kaspersky Lab, Symantec, and Cisco Talos. Analysis of binaries and command-and-control artefacts by Europol-affiliated teams, the NCA (UK), and private firms revealed password hashing, Tor-based payment instructions, and multiple language variants targeting organisations across Europe, Asia, and the Americas.
The initial outbreak on 12 May 2017 rapidly affected institutions such as the National Health Service (England), the FedEx subsidiary TNT Express, Telefonica, Deutsche Bahn, and manufacturing plants, leading to cancelled procedures, freight disruptions, and operational shutdowns; the cybersecurity companies Kaspersky Lab, Symantec, McAfee, and Trend Micro produced technical reports, while incident response coordination involved Europol and the European Union Agency for Cybersecurity. Media coverage by outlets including the BBC, The New York Times, and The Guardian amplified the impact on public services and private firms, while insurers such as AIG and Lloyd's of London evaluated claims and exposures. Economists and analysts at institutions such as the World Bank, the Organisation for Economic Co-operation and Development, and the International Monetary Fund estimated economic and productivity losses, and governments from the United States to China issued advisories and emergency patches.
Attribution evolved from technical indicators, including links to tools from the Equation Group leak and code overlaps, to formal statements by states and private firms; in December 2017 and 2018 the United States Department of Justice charged and named individuals associated with the Lazarus Group and linked their activities to the Democratic People's Republic of Korea, a conclusion supported by attribution assessments from Microsoft and cybersecurity companies such as Kaspersky Lab and Symantec. The United Nations Group of Governmental Experts and reports by bodies such as the International Criminal Police Organization (Interpol) and Europol discussed norms for state behaviour in cyberspace in light of the incident, while the North Atlantic Treaty Organization and national cyber commands examined implications for deterrence and response. Some independent researchers and firms urged caution, citing possible false flags and code reuse among actors including APT38 and other financially motivated groups.
Emergency mitigation steps included the rapid release of patches by Microsoft for supported and some unsupported Windows versions, incident response from firms such as FireEye, CrowdStrike, and Mandiant, and coordinated action by law-enforcement agencies including Europol and the FBI to trace payments and infrastructure. Organisations implemented mitigations recommended by the National Institute of Standards and Technology and the Cybersecurity and Infrastructure Security Agency, such as disabling SMBv1, applying security updates, and restoring backups, while international information-sharing forums like FIRST and CERT-EU disseminated indicators of compromise. Legal actions, civil claims, and investigations by national regulators including the Information Commissioner's Office (UK) and regulatory bodies in Spain and Germany scrutinised data protection obligations under laws like the General Data Protection Regulation.
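The kill-switch behaviour and SMB worm propagation described above, together with the indicator-sharing mentioned in the mitigation paragraph, translate into two host-level detection signals that a defender can run over DNS and connection logs: a DNS query for the kill-switch domain shows the worm executed on a host even if the domain answered and propagation stopped, and a burst of outbound TCP/445 connections to many distinct peers is the SMB fan-out. The following is an added example, not code from the page or from any vendor or agency it names; the log format, the sample lines, the thresholds and the kill-switch domain name are constructed placeholders (the page does not reproduce the real domain).

```python
"""Detection of WannaCry-style signals over constructed log lines.

Added example. Assumed toy log format (one event per line):
    <ISO-8601 time> <dns|conn> <src-ip> <dst-ip> <qname|dst-port>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder: the real kill-switch domain is not reproduced on the page.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"
SMB_PORT = 445                  # SMB over TCP, the service EternalBlue targeted
SCAN_THRESHOLD = 20             # distinct peers on 445 inside one window (assumed)
WINDOW = timedelta(seconds=60)  # sliding window for the fan-out check (assumed)


def build_sample_log():
    """Constructed sample lines covering an infected host, a normal host,
    an unrelated lookup and one malformed line."""
    lines = [
        # Infected host: kill-switch check first, SMB fan-out follows below.
        "2017-05-12T10:00:01 dns 10.0.0.5 10.0.0.1 killswitch-domain.example",
        # Normal host: a few SMB sessions to two file servers, no fan-out.
        "2017-05-12T10:00:03 conn 10.0.0.7 10.0.0.20 445",
        "2017-05-12T10:00:04 conn 10.0.0.7 10.0.0.21 445",
        "2017-05-12T10:00:05 conn 10.0.0.7 10.0.0.20 445",
        # Unrelated DNS lookup.
        "2017-05-12T10:00:06 dns 10.0.0.9 10.0.0.1 updates.example",
        "this line is malformed",
    ]
    # 25 distinct peers on 445 within 25 seconds from the infected host.
    for i in range(25):
        lines.append(f"2017-05-12T10:00:{10 + i:02d} conn 10.0.0.5 10.0.1.{i + 1} 445")
    return lines


def parse_line(line):
    """Parse one toy log line into a dict, or return None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, kind, src, dst, extra = parts
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    if kind == "dns":
        return {"ts": when, "kind": kind, "src": src, "dst": dst,
                "qname": extra.lower().rstrip(".")}
    if kind == "conn" and extra.isdigit():
        return {"ts": when, "kind": kind, "src": src, "dst": dst,
                "dport": int(extra)}
    return None


def find_kill_switch_queries(events):
    """Hosts that resolved the kill-switch domain: the worm ran on them."""
    hosts = {e["src"] for e in events
             if e["kind"] == "dns" and e["qname"] == KILL_SWITCH_DOMAIN}
    return sorted(hosts)


def find_smb_scanners(events):
    """Hosts whose outbound TCP/445 connections reach SCAN_THRESHOLD distinct
    peers inside any WINDOW; returns {src: peak distinct peers}."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "conn" and e["dport"] == SMB_PORT:
            by_src[e["src"]].append((e["ts"], e["dst"]))
    flagged = {}
    for src, conns in by_src.items():
        conns.sort()
        peak = 0
        for i, (start, _) in enumerate(conns):
            peers = {dst for ts, dst in conns[i:] if ts - start <= WINDOW}
            peak = max(peak, len(peers))
        if peak >= SCAN_THRESHOLD:
            flagged[src] = peak
    return flagged


def analyze(lines):
    """Run both detections over raw log lines."""
    parsed = [parse_line(ln) for ln in lines]
    events = [e for e in parsed if e is not None]
    return {
        "kill_switch_hosts": find_kill_switch_queries(events),
        "smb_scanners": find_smb_scanners(events),
        "parse_errors": len(parsed) - len(events),
    }


if __name__ == "__main__":
    result = analyze(build_sample_log())
    for host in result["kill_switch_hosts"]:
        print(f"[kill-switch] {host} queried {KILL_SWITCH_DOMAIN}: worm executed here")
    for host, peers in result["smb_scanners"].items():
        print(f"[smb-fan-out] {host} reached {peers} distinct peers on {SMB_PORT}/tcp")
    print(f"{result['parse_errors']} malformed line(s) skipped")
```

Both signals are kept separate on purpose: the DNS signal identifies hosts that need cleanup and forensics even though they never spread, while the fan-out signal catches propagation attempts regardless of whether the sample carries a kill switch, so it keeps working against variants that drop it.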
The outbreak triggered litigation, insurance claims, and policy reform: regulators including the Information Commissioner's Office and courts evaluated liability for inadequate patching, insurers such as Zurich Insurance Group assessed cyber coverage, and legislatures in the United Kingdom, the United States, and the European Union considered tougher cybersecurity requirements for critical infrastructure. Internationally, the incident intensified debates within the United Nations and the G7 over norms for offensive cyber capabilities, the Vulnerabilities Equities Process overseen by the United States National Security Council, and proposals for information-sharing mandates involving entities such as the European Commission and national cyber agencies. Academic analyses from institutions such as Harvard Kennedy School, Stanford University, and Oxford University examined systemic risk, resilience, and the economics of vulnerability disclosure, influencing subsequent policy and industry practices.
Category:Ransomware