What is WannaCry and How Does WannaCry Ransomware Work

Last Updated : 4 Jun, 2025

In May 2017, a massive cyberattack shook the world when the WannaCry ransomware outbreak spread rapidly across hundreds of thousands of computers in more than 150 countries. This ransomware targeted organizations ranging from government agencies to healthcare providers, including the UK’s National Health Service (NHS), causing significant disruption and financial loss. WannaCry exploited a critical vulnerability in Microsoft Windows operating systems, primarily affecting outdated and unsupported versions.


This article explains what ransomware is, how WannaCry operates, its impact, and how users and organizations can protect themselves against such attacks.

What is Ransomware?

Ransomware is malware that is stealthily installed on a PC or mobile device and holds files or operating system functions for ransom. It restricts the user from using the device and from accessing their files. In the case of WannaCry, the victim is told to pay a ransom within three days; if the user fails to do so, WannaCry will delete all of the encrypted files, and all data will be lost.

What does a Ransomware attack look like?

Ransomware targets our pictures, documents, files, and data that are personally invaluable. We can tell that we are under attack when we see any of the following:

  • Ransomware note
  • Encrypted files
  • Renamed files
  • Locked browser
  • Locked screen

Types of Ransomware

Ransomware comes mainly in two forms:

1. Lockscreen Ransomware

This type locks the entire screen or operating system, preventing access to any part of the device. The user sees a full-screen message demanding ransom for access restoration.

2. Encryption Ransomware

This type encrypts files on the infected computer, making them inaccessible without the decryption key. WannaCry belongs to this category—it encrypts files and demands a ransom to decrypt them.

To know more, refer to this article: Types of Ransomware

How Does WannaCry Ransomware Work?

Exploiting the EternalBlue Vulnerability

WannaCry leverages a security flaw in Microsoft’s Server Message Block (SMB) protocol, discovered and reportedly used by the U.S. National Security Agency (NSA). This exploit, known as EternalBlue, was leaked by a hacker group called the Shadow Brokers earlier in 2017.

Microsoft quickly released patches to fix this vulnerability, but many systems, especially older versions of Windows like Windows XP, Windows 8, and unpatched Windows 7 machines, remained vulnerable.

Infection and Spread

Once WannaCry infects a system, it performs the following steps:

  • Infection Vector: It typically enters the system via phishing emails containing malicious attachments or by scanning networks for vulnerable SMB ports.
  • File Encryption: The ransomware encrypts files with extensions such as .doc, .xls, .ppt, .jpg, .pdf, and many others using strong encryption algorithms.
  • Ransom Demand: It displays a ransom note demanding payment in Bitcoin, warning the victim to pay within three days. Failure to pay results in the permanent deletion of the encrypted files.
  • Self-Propagation: WannaCry scans local networks and the internet for other vulnerable machines and spreads automatically, causing a fast-moving global outbreak.
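The self-propagation step is visible on the network as one host opening SMB connections to many different machines in a short time. The following detection sketch is an added example, not part of the original article; the flow-record format, the sample records, the 60-second window and the 20-peer threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445                    # SMB over TCP
WINDOW = timedelta(seconds=60)    # assumed look-back window
MAX_PEERS = 20                    # assumed limit on distinct SMB peers per window

def build_sample():
    """Constructed flow records: 'timestamp src_ip dst_ip dst_port'."""
    base = datetime(2025, 1, 1, 9, 0, 0)
    lines = []
    for i in range(1, 41):
        ts = (base + timedelta(seconds=i)).isoformat()
        # Host sweeping its subnet on 445, one new target per second.
        lines.append(f"{ts} 10.0.0.23 10.0.0.{100 + i} 445")
        # Busy file-share client: many connections, but only two servers.
        lines.append(f"{ts} 10.0.0.31 10.0.0.{5 + i % 2} 445")
        # Many distinct peers, but HTTPS rather than SMB.
        lines.append(f"{ts} 10.0.0.42 192.0.2.{i} 443")
    return sorted(lines)

def find_smb_sweepers(lines, window=WINDOW, max_peers=MAX_PEERS):
    """Map each source IP to the time it first exceeded max_peers SMB peers."""
    recent = defaultdict(deque)   # src -> (timestamp, dst) pairs inside window
    alerts = {}
    for line in lines:
        ts_text, src, dst, port = line.split()
        if int(port) != SMB_PORT:
            continue
        ts = datetime.fromisoformat(ts_text)
        seen = recent[src]
        seen.append((ts, dst))
        while ts - seen[0][0] > window:   # drop connections older than window
            seen.popleft()
        if src not in alerts and len({d for _, d in seen}) > max_peers:
            alerts[src] = ts
    return alerts

if __name__ == "__main__":
    for src, when in find_smb_sweepers(build_sample()).items():
        print(f"{when.isoformat()} {src} contacted >{MAX_PEERS} hosts on 445")
```

Counting distinct destinations rather than total connections keeps an ordinary file-share client, which talks to the same few servers repeatedly, from raising an alert.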

Who Was Affected by WannaCry?

WannaCry impacted a vast array of organizations worldwide:

  • National Health Service (NHS), UK: Caused cancellation of surgeries and disrupted medical services.
  • Government institutions: Including those in China, Russia, the US, and across Europe.
  • Businesses and individuals: Especially in countries like India and Russia, where unsupported Windows XP was still in heavy use.

India was among the worst-hit countries due to widespread use of unpatched or outdated Windows versions.

How to Identify a Ransomware Attack

Signs you may be under a ransomware attack include:

  • Sudden appearance of ransom notes demanding payment.
  • Files renamed or with new extensions indicating encryption.
  • Locked or frozen screen preventing normal computer use.
  • Inability to access personal documents, photos, or business files.
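To triage which documents were actually encrypted, a responder can compare each file's leading bytes with the signature its type should have and measure how random the content looks. This is an added example, not code from the original article; the sample files, the ".locked" suffix and the 7.5 bits-per-byte cut-off are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

# Leading bytes expected for a few of the document types the article lists.
MAGIC = {
    ".pdf": b"%PDF",
    ".jpg": b"\xff\xd8\xff",
    ".doc": b"\xd0\xcf\x11\xe0",  # legacy Office (OLE2) container
    ".xls": b"\xd0\xcf\x11\xe0",
    ".ppt": b"\xd0\xcf\x11\xe0",
}
ENTROPY_LIMIT = 7.5  # bits per byte; assumed cut-off for "looks random"

def shannon_entropy(data):
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def original_ext(name):
    # Innermost tracked extension, so "a.xls.locked" still maps to ".xls".
    for part in reversed(name.lower().split(".")[1:]):
        if "." + part in MAGIC:
            return "." + part
    return None

def looks_encrypted(name, head):
    ext = original_ext(name)
    if ext is None or head.startswith(MAGIC[ext]):
        return False  # untracked type, or header still intact
    return shannon_entropy(head) > ENTROPY_LIMIT

def prng(n):
    # Deterministic random-looking bytes standing in for ciphertext.
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(b"constructed" + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]

# Constructed samples: (file name, first 4 KiB). ".locked" is a made-up suffix.
SAMPLES = [
    ("report.pdf", b"%PDF-1.4\n" + b"plain text stream " * 200),
    ("photo.jpg", b"\xff\xd8\xff\xe0" + prng(4092)),   # compressed but valid
    ("notes.doc", b"text saved under the wrong extension " * 100),
    ("budget.xls.locked", prng(4096)),
    ("slides.ppt", prng(4096)),
]

def triage(samples):
    return sorted(name for name, head in samples if looks_encrypted(name, head))
```

The header check matters because compressed formats such as JPEG are already high-entropy; entropy alone would flag the intact photo.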

Is Your Computer Vulnerable?

Older Windows operating systems without the latest security updates are vulnerable, including:

  • Windows XP
  • Windows 8
  • Unpatched Windows 7 and Windows Vista

Systems running Windows 10 or other versions with automatic updates enabled are generally protected against WannaCry.

How Does a Ransomware Attack Start?

Common ways ransomware can infect your system include:

  • Visiting untrusted or malicious websites.
  • Opening email attachments or links from unknown or suspicious sources.
  • Downloading pirated or outdated software.
  • Connecting to networks that are already compromised.

Suspicious File Types to Avoid

Executable files and Office documents with macros are common infection vectors. These include files with extensions like .exe, .bat, .cmd, .docm, .xlsm, .pptm, and many more.

Prevention: How to Protect Yourself Against WannaCry and Other Ransomware

1. Keep Software Updated: Always install the latest Windows updates and security patches.

2. Use Antivirus and Anti-Malware Programs: Regularly update and scan your system.

3. Backup Important Data: Use external hard drives or cloud services like OneDrive for regular backups.

4. Enable System Protection Features: Turn on Windows File History or System Restore.

5. Beware of Phishing Attempts: Avoid clicking links or opening attachments in unsolicited emails.

6. Use Safe Browsers: Browsers like Microsoft Edge offer SmartScreen protection against malicious sites.

7. Disable Macros in Office Files: Keep macros disabled unless you trust the source.

8. Turn Off Remote Desktop: Disable it if it is not needed, to prevent remote exploitation.

9. Use Strong Authentication: Enable two-factor authentication wherever possible.

10. Secure Internet Connections: Avoid public or unsecured Wi-Fi networks for sensitive tasks.

The Bigger Picture: The Global Ransomware Problem

Ransomware remains a significant global cybersecurity threat:

  • Millions of computers encounter ransomware attacks annually.
  • Hundreds of new ransomware families appear each year, evolving tactics constantly.
  • Top ransomware variants include Cerber, Locky, Spora, HydraCrypt, Critroni, Teerac, and Troldesh.
  • Countries like the US, Italy, Russia, Korea, and Spain have reported high numbers of attacks.

While some reports suggest ransomware attacks have slightly declined, the threat persists, especially as attackers adopt new methods.

Conclusion

WannaCry was a wake-up call to the world about the dangers of outdated software and inadequate cybersecurity practices. It demonstrated how a single vulnerability, when exploited, could cause widespread disruption across countries and critical infrastructures.

To protect ourselves and our organizations, it is essential to keep systems updated, practice safe browsing and email habits, and maintain regular backups. Understanding how ransomware works and its signs helps us respond promptly and reduce the risk of falling victim to these attacks. Staying informed and proactive is key to defending against evolving ransomware threats like WannaCry.
