Introduction
On May 12, 2017, the world watched in real-time as a ransomware worm called WannaCry swept across the planet. In less than 24 hours, it infected more than 200,000 computers in 150 countries. Hospitals in the UK's National Health Service were forced to divert ambulances and cancel surgeries. FedEx, Telefónica, Deutsche Bahn, and Renault all reported disruptions. The attack caused billions of dollars in damage.
Then a 22-year-old security researcher in England — working from his bedroom — registered a domain name for $10.69 and accidentally triggered a kill switch that stopped the worm's spread. It's one of the most remarkable moments in cybersecurity history.
What Happened
WannaCry exploited EternalBlue, an exploit for a vulnerability in Microsoft's Server Message Block (SMB) protocol. EternalBlue was originally developed by the NSA as part of their offensive cyber toolkit. It was stolen and leaked by a group called the Shadow Brokers in April 2017. Microsoft had actually released a patch (MS17-010) in March 2017 — a month before the leak — but millions of systems worldwide remained unpatched.
The ransomware spread as a worm, meaning it could propagate automatically across networks without any user interaction. Once it infected a machine, it encrypted files and demanded a Bitcoin ransom of $300-$600. It used EternalBlue to scan for other vulnerable machines on the local network and across the internet, infecting them in turn.
Marcus Hutchins, a 22-year-old British security researcher known online as MalwareTech, was analyzing a sample of WannaCry when he noticed it made a request to a specific unregistered domain name. As a standard malware analysis technique, he registered the domain to track infections. What he didn't realize was that this domain served as a kill switch: if the malware could reach the domain, it would stop executing. By registering it and making it resolve, Hutchins effectively stopped the worm from spreading further on most networks.
The kill switch was likely built in as an anti-analysis mechanism — malware sandboxes often resolve all domains, so a check like this could tell the malware it was being analyzed. But in this case, it became the off switch for a global pandemic.
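The reason registering the domain also worked as a tracking tool is that every infected host performing the kill-switch lookup announces itself to whoever controls the name. The following is an added Python example (not code from the original article or from MalwareTech's sinkhole) that shows the defender's side of that idea: it parses resolver query logs and groups kill-switch lookups by client so a network team can see which internal hosts are attempting the check. The domain `killswitch.example` is a placeholder standing in for the real kill-switch name, and the log lines and their format are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address

# Placeholder only: the real kill-switch domain is deliberately not reproduced here.
KILL_SWITCH_DOMAIN = "killswitch.example"

# Constructed resolver log lines in a simple generic "client ... query ..." format.
# They are not real logs; the format is an assumption for this example.
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:03Z client 10.0.4.17 query A killswitch.example
2017-05-12T10:01:04Z client 10.0.4.17 query A update.vendor.example
2017-05-12T10:01:09Z client 10.0.7.202 query A killswitch.example
2017-05-12T10:02:41Z client 10.0.4.17 query A killswitch.example
2017-05-12T10:03:00Z client 192.168.50.9 query A www.example
2017-05-12T10:05:12Z client 10.0.9.33 query A KillSwitch.Example.
malformed line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\S+) query (?P<qtype>\S+) (?P<qname>\S+)$"
)


@dataclass
class Query:
    ts: datetime
    client: str
    qtype: str
    qname: str


def parse_dns_log(text):
    """Parse log text into Query records, skipping lines that do not fit the format."""
    queries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            ip_address(m["client"])  # reject junk in the client field
        except ValueError:
            continue
        queries.append(Query(ts, m["client"], m["qtype"], m["qname"]))
    return queries


def normalize(name):
    # DNS names are case-insensitive and may be logged with a trailing dot.
    return name.rstrip(".").lower()


def find_kill_switch_lookups(queries, domain=KILL_SWITCH_DOMAIN):
    """Group kill-switch lookups by client: lookup count, first seen, last seen."""
    target = normalize(domain)
    hits = {}
    for q in queries:
        if normalize(q.qname) != target:
            continue
        rec = hits.setdefault(q.client, {"count": 0, "first": q.ts, "last": q.ts})
        rec["count"] += 1
        rec["first"] = min(rec["first"], q.ts)
        rec["last"] = max(rec["last"], q.ts)
    return hits


def report(hits):
    """One line per suspected host, ordered by when it was first seen."""
    lines = []
    for client in sorted(hits, key=lambda c: hits[c]["first"]):
        r = hits[client]
        lines.append(
            f"{client}: {r['count']} lookup(s), "
            f"first {r['first'].isoformat()}, last {r['last'].isoformat()}"
        )
    return lines


if __name__ == "__main__":
    for line in report(find_kill_switch_lookups(parse_dns_log(SAMPLE_DNS_LOG))):
        print(line)
```

Two details matter in practice: the name comparison is case-insensitive and ignores a trailing dot, because resolver logs are inconsistent about both, and a host that queries the kill-switch name is a lead for the incident response queue rather than proof of infection, since sandboxes and analysts perform the same lookup.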
The Impact
Despite the kill switch, WannaCry had already caused enormous damage. The UK's NHS was hit hardest, with 80 hospital trusts affected, 19,000 appointments cancelled, and ambulances diverted. Total global damages have been estimated between $4 billion and $8 billion.
The US, UK, and other nations formally attributed WannaCry to North Korea's Lazarus Group. The attack demonstrated that NSA-developed exploits, once leaked, become weapons anyone can use — and that the world's patching hygiene was dangerously inadequate.
Marcus Hutchins became an overnight hero, though his story took a complicated turn when he was later arrested by the FBI on unrelated malware charges stemming from work he did as a teenager. He pleaded guilty and was sentenced to time served plus a period of supervised release.
How to Protect Yourself
WannaCry exploited systems that were months behind on patches. The single most important lesson: patch your systems. Microsoft released MS17-010 two months before WannaCry hit. Every machine that was up-to-date was immune.
Beyond patching: disable SMBv1 if you don't need it. Segment your networks so worms can't spread freely. Maintain offline backups. Use endpoint detection tools that can identify ransomware behavior. And never assume that a vulnerability is too old to be exploited — attackers love unpatched systems precisely because defenders assume the threat has passed.
The Bigger Picture
WannaCry sits at the intersection of several cybersecurity realities: government-developed exploits will eventually leak, millions of systems will always be behind on patches, and sometimes the only thing standing between a global catastrophe and containment is a curious researcher and a $10 domain name. The attack changed how governments, healthcare systems, and enterprises think about ransomware. But the underlying vulnerabilities — slow patching, legacy systems, and inadequate network segmentation — remain just as prevalent today.