💻 WannaCry: The Ransomware That Exploited a Forgotten Door
A Silent Worm That Changed Cybersecurity Forever
🔐 What Is WannaCry and Why Should You Care?
On May 12, 2017, the world witnessed one of the most widespread cyberattacks in history. This wasn’t a technical glitch or a minor virus: it was a ransomware attack that hit over 200,000 computers in more than 150 countries within days. The target? Everyone, from large corporations to public health institutions. Its name? WannaCry.
In essence, WannaCry was a ransomware worm: malicious software that encrypts a victim’s files and demands a ransom payment (in Bitcoin) to restore access, and that, unlike most ransomware, copies itself to other vulnerable machines on its own, with no attachment to open and no link to click.
🕒 The Patch That Could Have Prevented It All
The flaw WannaCry exploited was already known to Microsoft. On March 14, 2017, two months before the outbreak, Microsoft published security bulletin MS17-010, rated critical, which fixed the vulnerability in all supported versions of Windows, and urged every user and organization running Windows to install it.
But many organizations treated the update as optional, or were running versions of Windows (Windows XP and Windows Server 2003 among them) that were out of support and had no patch at all; Microsoft only issued emergency fixes for those after the outbreak had begun. Either way, the systems stayed exposed, and when WannaCry struck, the unpatched machines were the ones that fell.
From hospitals and factories to train stations and government offices, the impact was massive and largely preventable.
🧬 How Did It Work? A Simple Exploit, Global Consequences
The attack did not start with phishing emails or user mistakes, as most ransomware does. Instead, each infected machine scanned for other computers running unpatched versions of Windows, both on its own local network and at random addresses across the internet. When it found one, it infected it directly over the network, with nobody at the keyboard involved, and the new victim immediately began scanning in turn.
🧠 How Did WannaCry Actually Infiltrate Networks?
Once WannaCry was released into the wild, it didn’t need human help to spread. It relied on a combination of one technical weakness and widespread poor practice: an old, flawed protocol left switched on and reachable, and a patch left uninstalled.
Here’s how it worked, step by step:
1. Scanning the Internet
WannaCry began by scanning for machines with TCP port 445 open, both on the local network and at random internet addresses. This is the port used by the Server Message Block (SMB) protocol in Windows, which was enabled by default and, at the time, often reachable from the internet.
💡 Did You Know? What is SMB?
SMB (Server Message Block) is a protocol that allows computers to share files, printers, and other resources over a network. Think of it like a bridge that lets one computer access folders or printers on another computer, especially in office or hospital networks.
It’s useful, but if it is not secured properly (old versions left enabled, port 445 open to the world), it becomes a doorway for attackers, exactly as it did in the WannaCry attack.
2. Exploiting the SMBv1 Vulnerability
If a machine was running an unpatched version of Windows, WannaCry exploited a flaw in the SMBv1 protocol (CVE-2017-0144, the bug fixed by MS17-010) using the EternalBlue exploit, developed by the NSA and leaked online by a group calling itself The Shadow Brokers. EternalBlue gives the attacker kernel-level code execution on the target, which means full control of the system, with no credentials and no user interaction required.
🔍 What Is Remote Access?
Remote access means being able to connect to and use a computer or system from a different location, usually over the internet — without being physically in front of it.
💡 Did You Know? What Is EternalBlue?
EternalBlue is the name of a powerful software exploit that takes advantage of a security flaw in older versions of Windows. Think of it like this: imagine a building where all the doors have smart locks, except one forgotten back door that’s rusted, unsecured, and hidden in the shadows. EternalBlue is like a skeleton key that opens that back door silently, letting attackers walk right in.
Originally developed by the NSA (National Security Agency) for its own intelligence operations, this “key” was published online in April 2017 by a hacker group called The Shadow Brokers. Once it became public, it was quickly picked up by cybercriminals, including those behind WannaCry, who released their worm less than a month later.
3. Installing the Ransomware Payload
Once the exploit succeeded, WannaCry installed the DoublePulsar backdoor (or reused one already present from an earlier attack) and used it to load the ransomware component into the system. The ransomware then encrypted files on the machine and displayed a ransom note demanding Bitcoin.
🎯 Quick Note: What’s a Payload in Cyberattacks?
In cybersecurity, a payload is the part of the malware (malicious software) that does the damage. Think of a cyberattack like a missile: the exploit (EternalBlue) is the rocket that delivers the attack, but the payload is the warhead, the actual harmful part that encrypts your files, steals data, or opens backdoors.
In the case of WannaCry, the payload was the ransomware, once EternalBlue got into a system, the payload locked your files and demanded a Bitcoin ransom.
🧪 Bonus Insight: What Was DoublePulsar?
DoublePulsar was a piece of malware used alongside EternalBlue: a backdoor that let attackers secretly run code on infected systems. To simplify: EternalBlue is like picking the lock on a door, and DoublePulsar is like wedging that door open so you can come back whenever you want, unnoticed.
Once DoublePulsar was in place, WannaCry used it to inject its payload into the system, so the infection needed no further interaction. One caveat: DoublePulsar itself lives only in kernel memory and is gone after a reboot. WannaCry’s staying power came from the ransomware registering itself as a Windows service, so it started again with the machine.
4. Spreading Laterally Within the Network
Here’s the clever part: every infected system immediately scanned its internal network (and random internet addresses) for other vulnerable machines. Any it found were infected the same way, with no human involvement at any step, creating a chain reaction inside corporate and institutional environments.
Inside a flat, unpatched network, WannaCry spread like wildfire, encrypting files and demanding a ransom in Bitcoin on each machine it reached. Victims were faced with a message: pay, or lose your data forever.
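The precondition for every step above is a host that still answers SMBv1 on port 445. The following is an added example (not code from the original article) of how a practitioner checks for that exposure: it sends a single SMB1 Negotiate Protocol Request offering only the legacy “NT LM 0.12” dialect and classifies the reply. It does not test MS17-010 itself and sends no exploit traffic; the host, port and timeout are parameters, and the only constants are the SMB header signatures and the NEGOTIATE command code from the protocol. Run it only against machines you are authorised to scan.

```python
# Added example, not code from the original article: a minimal SMBv1 exposure
# check. It sends one SMB1 NEGOTIATE request offering only "NT LM 0.12" and
# classifies what comes back. It does not test MS17-010 and sends no exploit.
import socket
import struct

SMB1_MAGIC = b"\xffSMB"          # SMB1 header signature
SMB2_MAGIC = b"\xfeSMB"          # SMB2/3 header signature
SMB_COM_NEGOTIATE = 0x72         # SMB1 NEGOTIATE command code
NO_DIALECT = 0xFFFF              # DialectIndex meaning "none of your dialects accepted"


def build_smb1_negotiate(dialects=(b"NT LM 0.12",)) -> bytes:
    """Build a NetBIOS-framed SMB1 NEGOTIATE request offering the given dialects."""
    header = struct.pack(
        "<4sB4sBHH8sHHHHH",
        SMB1_MAGIC,          # Protocol
        SMB_COM_NEGOTIATE,   # Command
        b"\x00" * 4,         # NT Status
        0x18,                # Flags: canonical paths, case-insensitive
        0xC853,              # Flags2: unicode, NT status codes, long names, extended security
        0,                   # PID high
        b"\x00" * 8,         # Security signature
        0,                   # Reserved
        0xFFFF,              # TID (no tree connected yet)
        0xFEFF,              # PID low
        0,                   # UID
        0,                   # MID
    )
    # Body: WordCount 0, ByteCount, then each dialect as 0x02 + name + NUL.
    dialect_block = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(dialect_block)) + dialect_block
    smb = header + body
    # NetBIOS session service framing: type 0x00 (session message) + 3-byte big-endian length.
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def classify_response(data: bytes) -> str:
    """Classify a raw reply (NetBIOS framing included) to the request above."""
    payload = data[4:] if len(data) >= 4 else b""
    if payload.startswith(SMB1_MAGIC) and len(payload) >= 35:
        # SMB1 NEGOTIATE response: 32-byte header, WordCount at offset 32, DialectIndex at 33.
        dialect_index = struct.unpack_from("<H", payload, 33)[0]
        return "smbv1-enabled" if dialect_index != NO_DIALECT else "smbv1-no-common-dialect"
    if payload.startswith(SMB2_MAGIC):
        return "smb2-or-later"
    if not payload:
        return "no-smb-response"  # server closed the session: SMB1 disabled, or not SMB at all
    return "unrecognised"


def check_host(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Connect to host:port, send the probe and classify the answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(build_smb1_negotiate())
            try:
                reply = sock.recv(1024)
            except (socket.timeout, ConnectionError):
                reply = b""  # Windows with SMB1 disabled simply drops the session
    except OSError:
        return "port-closed-or-filtered"
    return classify_response(reply)


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(f"{target}: {check_host(target)}")
```

A result of `smbv1-enabled` means the host still speaks the protocol EternalBlue targets and should be patched and have SMBv1 disabled; `no-smb-response` on an open port 445 is what a correctly hardened Windows host returns. The check deliberately offers no SMB2 dialect, so a host that only replies to modern dialects is classified by its refusal rather than by a negotiated SMB2 session.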
🔓 Can You Get Your Files Back After a WannaCry Infection?
Unfortunately, there is no general way to decrypt files encrypted by WannaCry; researchers at Symantec reached that conclusion early, and it still holds. Each file is encrypted with its own AES key, those keys are encrypted with an RSA key pair generated on the victim’s machine, and the private half of that pair is in turn encrypted with a public key whose private counterpart only the attackers hold. No weakness in that scheme has been found, so no universal decryption key exists. The one known exception is narrow: on Windows XP and Windows 7 machines that had not been rebooted since infection, tools such as wanakiwi could sometimes recover the RSA private key from leftover process memory, and only before the machine was powered off.
That being said, not all hope is lost.
💾 If You Have Backups:
You may be able to fully restore your files. This is the safest and most reliable solution. Backups that are offline, or held in cloud storage the infected machine could not write to, are unaffected. Be careful with folders that a sync client mirrors to the cloud: the client will faithfully upload the encrypted versions too, so you will need the service’s version history to get the originals back.
☁️ What Is a Backup and Why It Matters
A backup is simply a copy of your important files stored somewhere safe, so if your computer gets infected, lost, or damaged, you can restore them.
🔁 How Does It Work?
Your files (photos, documents, etc.) are saved to another location, such as an external hard drive or a cloud storage service, ideally on an automatic schedule. If something goes wrong, you restore the original version with a few clicks.
Popular Cloud Backup Options: Google Drive, OneDrive, iCloud, Dropbox. Most cloud services offer a free tier, enough for basic document and photo backups; for larger files or full-device backups, you may need a paid plan. Whichever you pick, check that file version history is turned on, since that is what lets you roll back a file that was encrypted and then synced.
♻️ If You Don’t Have Backups:
There’s a chance, but it depends on where the files were saved:
- Files on the Desktop, in the Documents folder, or on USB drives: WannaCry overwrote the originals with random data before deleting them, so they cannot be recovered.
- Files saved elsewhere on your computer (custom folders or secondary drives): the originals were deleted but not overwritten, so a file recovery or undelete tool may bring some of them back, provided the disk has not been written to much since.
💡 Tip: Use at least two backup methods, one in the cloud and one offline (an external drive that is unplugged when not in use, so ransomware cannot reach it).
🛡️ What Is Symantec?
Symantec is a cybersecurity company known for developing tools that help protect computers, networks, and data from cyber threats like viruses, ransomware, and phishing.
🔍 In the context of WannaCry, Symantec’s researchers were among the first to analyze the ransomware, track its behavior, and offer recovery advice.
🏥 When Healthcare Meets Malware: The NHS Case
One of the most heavily impacted institutions was the UK’s National Health Service (NHS). Although WannaCry didn’t intentionally go after hospitals, the impact in the medical field was especially severe: ambulances were diverted, patient records became inaccessible, life-saving procedures were postponed.
Hospitals aren’t usually associated with cybersecurity failures—but the attack revealed how vulnerable critical infrastructure can be when technology is outdated and security is underfunded.
🛑 The Ripple Effect: How WannaCry Disrupted Even Those Who Weren’t Infected
The County Durham and Darlington NHS Foundation Trust (CDDFT) was not itself infected by WannaCry, but it still experienced significant disruption.
To protect themselves from potential infection, the NHS organizations around it (the ambulance service, tertiary centres and primary care IT providers) pre-emptively disconnected their systems from the network. This emergency move, while necessary, had wide-ranging effects on patient care and operations.
🚑 Ambulance Services
To avoid infection, the ambulance service cut off network access, leading to:
- Ambulance handover screens going offline, so crews arrived without digital pre-alerts.
- The Patient Transport Service booking portal becoming unavailable.
✅ How they adapted:
- Pre-alerts were sent by landline and radio.
- Patient transport bookings were taken by phone, under the Business Continuity Plan.
🏨 Tertiary Centres
Specialized medical centres also shut down network access, which disrupted:
- The transfer of CT and MR scans to specialists.
- Chemo Care, the platform used to send chemotherapy orders to providers.
✅ How they adapted:
- Medical scans were burned onto DVDs and sent by taxi.
- Chemotherapy orders were written on paper and faxed, reverting to manual processes.
🩺 Primary Care
Primary care IT providers disconnected as well, causing:
- Blood test results to stop transferring automatically.
- Some GPs to lose access to their caseloads.
✅ How they adapted:
- Blood results were transferred on paper, which significantly slowed operations.
- Some GPs regained access via Urgent Treatment Centres that still had access to SystmOne, their patient record system.
🧠 Key Takeaway WannaCry didn’t have to directly infect a system to cause disruption. Fear of the spread was enough to paralyze digital operations, forcing entire medical teams to return to manual, paper-based methods, even in time-sensitive cases like chemotherapy and diagnostics.
This case shows that cybersecurity is not just about whether you get infected; it is about how well your organization can keep working when the network has to go offline.
🌍 Not Just Hospitals: WannaCry’s Global Impact
Here are just a few of the high-profile victims:
- FedEx: reported major service disruptions due to encrypted systems.
- Renault & Nissan: temporarily shut down car production in several European factories.
- Deutsche Bahn (Germany): train station departure displays showed the ransom message.
- Russia’s Ministry of Internal Affairs: roughly 1,000 government computers were infected.
- Telecom companies, universities, and public utilities in countries including China, India, Spain, and Brazil also suffered serious outages.
Why Did So Many Fall Victim?
- Outdated Systems: many public and private institutions were running old versions of Windows that had not been updated in years, or were out of support altogether.
- Lack of Awareness: the patch had been available for two months but was treated as optional, and few organizations realized that SMBv1 was still switched on and, in many cases, reachable from the internet. (Contrary to a common assumption, the outbreak did not depend on people clicking malicious links or opening attachments; the worm spread on its own.)
- Poor Preparedness: few organizations had reliable, tested backups or a contingency plan for losing their systems.
💰 Did Paying the Ransom Work?
Once WannaCry infected a system, it scanned for 176 different file types (documents, images, spreadsheets, presentations, databases, and more) and encrypted them, making them completely inaccessible. Each affected file was renamed with a new extension, .WNCRY (earlier builds of the malware used .WCRY).
Victims were then shown a full-screen ransom note demanding $300 in Bitcoin to unlock their files.
But it didn’t stop there. The message came with a chilling countdown:
🕒 Pay within 3 days, or the ransom doubles.
🕛 Fail to pay in 7 days, and the files will be deleted forever.
However, cybersecurity experts from Symantec later discovered that there was no actual code in the malware to delete the files. This part of the message appears to have been a bluff, designed to pressure victims into paying quickly out of fear.
🎭 WannaCry wasn’t just technical, it was psychological. It used fear, urgency, and uncertainty as tools of manipulation. Surprisingly, even those who paid the ransom didn’t always get their files back. The malware sent all payments to just three hard-coded Bitcoin addresses, so the operators had no automatic way of telling which victim had paid; any decryption had to be handled by hand, if it was handled at all. This made it painfully clear: paying cybercriminals is never a guaranteed solution.
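The renamed extension and the encrypted-file layout described above are also what an incident responder looks for when triaging a file share or a backup set before restoring from it (the point made earlier about sync clients copying encrypted files into the cloud). The following is an added example, not code from the original article: a read-only sweep that flags the on-disk traces WannaCry left behind. It uses three indicators, the .WNCRY/.WCRY extension, the 8-byte `WANACRY!` marker the encryptor writes at the start of every encrypted file, and the ransom note filename `@Please_Read_Me@.txt`. The fixture directory it scans is constructed inline; no real samples are involved.

```python
# Added example, not code from the original article: flag WannaCry traces in a
# directory tree so it can be triaged before anything is restored from it.
# The fixture below is constructed here; no real malware or samples are used.
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

WANACRY_MAGIC = b"WANACRY!"                 # first 8 bytes of every encrypted file
ENCRYPTED_EXTENSIONS = {".wncry", ".wcry"}   # extension used by the May 2017 build and earlier ones
RANSOM_NOTE = "@please_read_me@.txt"         # ransom note dropped next to encrypted files


def classify_file(path: Path) -> Optional[str]:
    """Return an indicator label for one file, or None if nothing matches."""
    if path.name.lower() == RANSOM_NOTE:
        return "ransom-note"
    ext_hit = path.suffix.lower() in ENCRYPTED_EXTENSIONS
    try:
        with path.open("rb") as fh:
            head = fh.read(len(WANACRY_MAGIC))
    except OSError:
        return None
    magic_hit = head == WANACRY_MAGIC
    if ext_hit and magic_hit:
        return "encrypted"
    if magic_hit:
        return "encrypted-renamed"     # marker present but the extension was changed or stripped
    if ext_hit:
        return "extension-only"        # named like an encrypted file, but lacks the marker
    return None


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Walk root and group matching files by indicator; paths are relative to root."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            label = classify_file(full)
            if label:
                findings.setdefault(label, []).append(full.relative_to(root).as_posix())
    for paths in findings.values():
        paths.sort()
    return findings


def build_fixture(root: Path) -> None:
    """Create a small constructed tree: clean files plus the traces a WannaCry victim would leave."""
    (root / "docs").mkdir(parents=True)
    (root / "synced").mkdir()
    enc = WANACRY_MAGIC + os.urandom(300)   # marker followed by opaque ciphertext (random stand-in)
    (root / "docs" / "report.docx.WNCRY").write_bytes(enc)
    (root / "docs" / "@Please_Read_Me@.txt").write_text("Ooops, your files have been encrypted!")
    (root / "docs" / "notes.txt").write_text("plain text, untouched")
    (root / "synced" / "budget.xlsx.WNCRY").write_bytes(enc)   # a sync client mirrored this to the cloud
    (root / "synced" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    (root / "renamed.bin").write_bytes(enc)                     # someone stripped the extension
    (root / "decoy.wncry").write_bytes(b"not really")           # extension without the marker


def run_demo() -> Dict[str, List[str]]:
    """Build the fixture in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_fixture(root)
        return scan_tree(root)


if __name__ == "__main__":
    for label, paths in sorted(run_demo().items()):
        print(f"{label}:")
        for p in paths:
            print(f"  {p}")
```

Any `encrypted` or `ransom-note` hit inside a backup or a synced folder means that copy was taken after the infection and the restore has to come from an earlier version; `extension-only` hits are worth a look but are not WannaCry output, since the encryptor always writes the marker.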
🕵️ Who Was Behind WannaCry?
At the time, nobody knew. Early speculation pointed toward Russia, which President Vladimir Putin denied, and security researchers soon noticed code overlaps with tools used by the Lazarus Group, a hacking operation linked to North Korea. In December 2017 the United States government publicly attributed WannaCry to North Korea, with the United Kingdom and other allies concurring, and in 2018 the US Department of Justice charged a North Korean programmer, Park Jin Hyok, in connection with the attack. North Korea has denied any involvement. What has never been in doubt is where the exploit came from: the United States.
💣 EternalBlue, the core exploit used by WannaCry, was developed by the U.S. National Security Agency (NSA) and was never meant to be public. It was leaked by a hacker group known as The Shadow Brokers, giving cybercriminals worldwide access to a powerful weapon.
🛑 The Accidental Hero: How a 22-Year-Old Slowed the Outbreak
In the middle of the chaos, a surprising hero emerged. Marcus Hutchins, a 22-year-old self-taught security researcher from the UK, was analyzing the malware’s code when he noticed a long, gibberish-looking domain name embedded in it. The domain was unregistered.
Following standard practice for tracking malware (registering a domain the malware talks to, so you can count the machines calling home), he bought it for a few dollars, not yet knowing it was a kill switch. Before spreading, each copy of WannaCry tried to reach that domain: while the domain did not exist the request failed and the worm carried on, but once it was registered and answering, the request succeeded and the malware simply exited.
By technical insight and a little luck, Marcus stopped new infections on most networks, buying time for organizations to patch their systems. Two caveats: the kill switch did nothing for files that were already encrypted, and it did not help on networks where outbound web traffic had to go through a proxy, because the malware made its request directly and never reached the domain. Modified copies with different domains, or with the check removed, appeared within days.
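The kill-switch check is also a detection signal for defenders. Every host that runs the WannaCry dropper looks up the domain before deciding whether to spread, so a DNS query for it marks a machine where the malware executed, whether or not the check then stopped it. The following is an added example, not code from the original article: it runs that logic over a few constructed resolver log lines. The log format (`timestamp client=… query=… type=… rcode=…`) and the client addresses are invented for the example; the only real identifier is the domain Hutchins registered, and the parser would need adapting to a real resolver’s output.

```python
# Added example, not code from the original article: find hosts that queried the
# WannaCry kill-switch domain in DNS logs. Log format and entries are constructed.
import re
from collections import defaultdict
from typing import Dict, List

KILL_SWITCH_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",   # the domain Marcus Hutchins registered
}

# Constructed log line shape: "<ISO timestamp> client=<ip> query=<name> type=<rrtype> rcode=<code>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<name>\S+)\s+type=(?P<type>\S+)\s+rcode=(?P<rcode>\S+)"
)

# Constructed sample: two hosts query the domain; one of them does so again after it was registered.
SAMPLE_LOG = """\
2017-05-12T07:44:03Z client=10.20.1.15 query=www.example.com. type=A rcode=NOERROR
2017-05-12T07:44:09Z client=10.20.1.15 query=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. type=A rcode=NXDOMAIN
2017-05-12T07:45:41Z client=10.20.1.22 query=IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. type=A rcode=NXDOMAIN
2017-05-12T07:46:02Z client=10.20.3.8 query=updates.example.org. type=A rcode=NOERROR
2017-05-12T15:10:12Z client=10.20.1.22 query=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. type=A rcode=NOERROR
"""


def normalise(name: str) -> str:
    """Lower-case and strip the trailing dot so FQDN and non-FQDN forms compare equal."""
    return name.rstrip(".").lower()


def find_kill_switch_lookups(log_text: str) -> Dict[str, List[dict]]:
    """Return {client_ip: [matching log records]} for every query to a kill-switch domain."""
    hits: Dict[str, List[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected shape
        if normalise(m["name"]) in KILL_SWITCH_DOMAINS:
            hits[m["client"]].append(m.groupdict())
    return dict(hits)


def summarise(hits: Dict[str, List[dict]]) -> List[str]:
    """One line per suspect host: first-seen time, query count, and whether the lookup
    ever resolved (NOERROR), the case in which the worm would have halted itself."""
    lines = []
    for client, records in sorted(hits.items()):
        first = min(r["ts"] for r in records)
        resolved = any(r["rcode"] == "NOERROR" for r in records)
        lines.append(f"{client} first_seen={first} queries={len(records)} resolved={resolved}")
    return lines


if __name__ == "__main__":
    for line in summarise(find_kill_switch_lookups(SAMPLE_LOG)):
        print(line)
```

An NXDOMAIN answer (the state before the domain was registered) means the host’s copy of the worm went on to scan and spread; a NOERROR answer means the worm would have exited, but only if its HTTP request actually reached the domain, which on proxied networks it did not. Either way, every host on the list ran the dropper and needs to be isolated and checked for encryption.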
🛡️ Lessons Learned: Are We Safer Now?
WannaCry was a wake-up call. After the attack:
- Governments and organizations rushed to update systems, and awareness of ransomware skyrocketed.
- Cybersecurity began to be seen as a shared responsibility, not just the IT department’s job.
Yet many vulnerabilities still exist. Ransomware has evolved, and new variants appear every day. WannaCry was not the end; it was just the beginning.
🧠 Lesson learned: Cybersecurity updates aren’t optional. Ignoring them can shut down entire institutions.
💡 Final Thoughts: Cybersecurity Is Everyone’s Business
WannaCry was more than a global ransomware attack: it was a turning point. It showed how a single vulnerability can cascade through our digital and physical worlds.
Whether you’re a student, a doctor, a business owner, or a curious reader, the takeaway is clear:
👉 Keep your systems updated. Back up your data. Stay informed.
Because in the age of cyber threats, ignorance is not bliss, it’s exposure.