WannaCry | The Korean Cyberattack
By Tibor Moes / Updated: September 2024
WannaCry
May 12, 2017. Hospitals across the UK were thrown into chaos.
Doctors couldn’t treat patients and emergency rooms shut down. The reason? A ransomware attack was locking up their computers and demanding Bitcoin in exchange for the decryption key.
But it didn’t stop there. The attack spread like wildfire, infecting tens of thousands of computers worldwide and causing billions in damages—all using a leaked NSA tool.
In the midst of all this chaos, one unlikely hero—a shy, self-taught hacker—managed to stop this monster. A monster that turned out to be an attack by a powerful nation-state.
This is… WannaCry.
How it started
Back in 2013, the NSA found a critical flaw in the SMBv1 file-sharing code built into Windows and wrote an exploit for it, codenamed EternalBlue. The exploit let an attacker take over an unpatched machine over the network, with no action from the user. But instead of warning Microsoft so the flaw could be fixed, the NSA kept it secret for its own use.
Fast forward to April 2017. A hacker group called the Shadow Brokers leaked EternalBlue to the public. They had been releasing stolen NSA tools for a while, but this one was different—this was a true digital weapon.
What’s strange is that Microsoft had already fixed the flaw in March: security bulletin MS17-010, released on March 14, 2017, a month before the leak. We don’t know if the NSA told them or if Microsoft found it themselves. But the patch only covered versions of Windows still under support, and many organizations, especially in healthcare, business, and government, either hadn’t applied it or were still running Windows XP and Server 2003, which didn’t get a fix until Microsoft issued an emergency patch on May 13, 2017, the day after the outbreak.
For weeks, nothing happened. But on May 12, 2017, the world found out just how dangerous EternalBlue could be.
So, what was WannaCry, and how did it create such havoc?
What is WannaCry?
WannaCry is a type of ransomware, but what made it so dangerous was its ability to spread like a worm—infecting computers across networks automatically. It had three main components that worked together to create chaos.
First, EternalBlue. This exploit, created by the NSA, targeted a vulnerability (CVE-2017-0144) in Windows’ SMBv1 file-sharing service, which listens on TCP port 445. WannaCry used EternalBlue to break into vulnerable computers over the network without any action from users.
Next, DoublePulsar. Once EternalBlue had compromised the kernel, it planted DoublePulsar, a kernel-mode backdoor that can load and run arbitrary code on the machine. WannaCry’s spreader actually checked each target for an existing DoublePulsar implant first and used it directly when it found one, skipping the exploit; otherwise it ran EternalBlue, installed DoublePulsar, and then used the backdoor to load the ransomware payload.
Finally, the ransomware itself. Once inside, WannaCry encrypted the user’s files, renaming them with a .WNCRY extension, and dropped a ransom note demanding $300 in Bitcoin, rising to $600 if the victim didn’t pay within three days.
Together, these three, EternalBlue, DoublePulsar, and the ransomware, formed a self-propagating worm that infected thousands of computers every hour, scanning both the local network and random internet addresses for port 445. To make its command-and-control traffic hard to trace and block, it bundled a Tor client and talked to its operators through the anonymous Tor network.
But who was behind this malicious attack?
Who was behind the attack?
This wasn’t the work of a lone hacker—it was part of a much bigger geopolitical game.
The U.S. government traced the attack back to North Korea, and in 2018 charged a North Korean programmer named Park Jin Hyok. Park is accused of working for the North Korean regime as part of a larger group known as the Lazarus Group, a shadowy collective responsible for some of the worst cyberattacks of the past decade.
Their goal? Raising money and creating chaos. Alongside WannaCry, The Lazarus Group is behind the 2014 Sony Pictures hack and the 2016 Bangladesh Bank heist, where they stole $81 million.
The Lazarus Group operates within Bureau 121, North Korea’s elite military cyber unit. Bureau 121 consists of about 1,800 highly skilled hackers who specialize in attacking networks and systems. Due to the country’s heavily restricted internet access, they often travel to places like China, Nepal, or India to launch their attacks, staying off the radar.
Who was targeted?
North Korea primarily targets the U.S., Japan, and South Korea—its biggest geopolitical rivals. But as you’ve seen, they have no problem unleashing massive attacks in other parts of the world.
As WannaCry spread like wildfire, it infected computers in over 150 countries. While no one was safe, some sectors were hit harder than others.
One of the worst affected was the UK’s National Health Service (NHS). Hospitals had to shut down emergency rooms, cancel surgeries, and even turn away patients as critical systems were locked up by the ransomware, putting lives at serious risk.
But the attack didn’t stop there. Major corporations like FedEx and Boeing were also hit. In Europe, the German railway Deutsche Bahn, along with automakers Renault, Nissan, and Honda, faced major disruptions. Even Spain’s telecom giant Telefónica and police departments in India weren’t spared.
Some of the hardest-hit countries included Russia, Ukraine, India, and Taiwan. Big names like Sberbank in Russia and universities in China also fell victim to the attack. But how big was WannaCry really?
Impact
In the immediate aftermath, WannaCry left a trail of destruction, causing more than $4 billion in damages worldwide. It disrupted everything from global trade to healthcare and critical infrastructure. According to Europol, about 200,000 computers were infected across the globe.
But here’s the thing—WannaCry could have been even worse, if not for the quick actions of one man: Marcus Hutchins, a young cybersecurity researcher.
Born in England, he developed a love for computers at a young age, teaching himself to program by the time he was 13. In 2013, he launched a blog under the alias MalwareTech, which caught the attention of the cybersecurity world. By 2017, Hutchins was working as a malware researcher for Kryptos Logic, a Los Angeles security firm, from his home in England.
The Kill Switch
On May 12, 2017, the very day of the attack, Marcus Hutchins was digging into a WannaCry sample when something strange caught his eye: a long, gibberish domain name embedded in the malware, iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. Oddly enough, the domain wasn’t even registered. Registering unclaimed domains that malware reaches out to is a standard way to sinkhole a botnet and count its victims, so for $10.69 Hutchins claimed it, assuming it was part of how the malware communicated with its control servers.
What Hutchins didn’t know was that the domain was actually a kill switch. Before doing anything else, each new infection made a plain HTTP request to that domain, and only if the request failed did the malware go on to spread and encrypt. By registering the domain, Hutchins made the request succeed on any machine with direct internet access, and WannaCry on those machines simply exited. Two caveats a defender should know: machines that were already encrypted got no relief, and machines that could only reach the internet through a proxy were still hit, because the check wasn’t proxy-aware and so failed there. Even so, the accidental kill switch stopped the encryption stage on a vast number of systems worldwide.
While the worm kept scanning and exploiting after the kill switch was activated, it wasn’t locking up data anymore. Hutchins and fellow researcher Jamie Hankins then had to keep the sinkhole online under DDoS attacks from botnets trying to knock the domain offline, since any outage would have let the encryption stage resume. Within days, copies with a different kill-switch domain, or none at all, started to appear, but the original wave had been neutralized.
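Two things in the description above, the SMB worm sweep and the kill-switch lookup, leave traces in ordinary network logs. The following Python is an added example, not code from the original article or from Hutchins: it runs simple detection logic over a constructed sample of DNS-query and connection log lines (invented here, in an invented one-event-per-line format) and flags hosts that looked up the kill-switch domain, which means the worm ran there even if the sinkhole stopped the encryption, and hosts that opened connections to many distinct addresses on port 445 within a short window.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Kill-switch domain hard-coded in the original WannaCry sample and registered by
# Marcus Hutchins on 12 May 2017. A lookup for it from an internal host means the
# worm executed there, even if the sinkhole then stopped the encryption stage.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
KILL_SWITCH_DOMAINS = {KILL_SWITCH_DOMAIN}
SMB_PORT = 445

# Constructed log format (an assumption for this example, not a real product's format):
#   "<iso-timestamp> <src_ip> dns <queried_name>"
#   "<iso-timestamp> <src_ip> conn <dst_ip>:<dst_port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?:dns (?P<qname>\S+)|conn (?P<dst>\S+):(?P<port>\d+))$"
)


def parse(lines):
    """Yield one dict per well-formed log line; silently skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        if ev["port"] is not None:
            ev["port"] = int(ev["port"])
        yield ev


def kill_switch_lookups(lines):
    """Return the set of source IPs that resolved a known kill-switch domain."""
    hits = set()
    for ev in parse(lines):
        if ev["qname"] and ev["qname"].lower().rstrip(".") in KILL_SWITCH_DOMAINS:
            hits.add(ev["src"])
    return hits


def smb_fanout(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {src: peak_distinct_dsts} for sources that contacted at least
    `threshold` distinct hosts on port 445 inside any sliding `window`.
    A workstation talking to one file server never trips this; a worm
    sweeping a /24 does."""
    per_src = defaultdict(list)
    for ev in parse(lines):
        if ev["dst"] and ev["port"] == SMB_PORT:
            per_src[ev["src"]].append((ev["ts"], ev["dst"]))

    flagged = {}
    for src, events in per_src.items():
        events.sort()
        in_window = Counter()  # dst -> number of connections inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # slide the left edge forward until every event fits in the window
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def build_sample_log():
    """Constructed sample traffic (not a real capture): one host that phoned the
    kill switch, one ordinary host using a file server, one host sweeping a /24."""
    base = datetime(2017, 5, 12, 11, 0, 0)
    lines = [f"{base.isoformat()} 10.0.0.5 dns {KILL_SWITCH_DOMAIN}",
             f"{base.isoformat()} 10.0.0.9 dns fileserver.corp.example"]
    for i in range(5):  # benign: repeated connections to a single file server
        lines.append(f"{(base + timedelta(seconds=i * 10)).isoformat()} 10.0.0.9 conn 10.0.0.20:445")
    for i in range(30):  # worm-like: 30 distinct hosts on 445 within 30 seconds
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.7 conn 10.0.0.{100 + i}:445")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    print("hosts that looked up the kill switch:", sorted(kill_switch_lookups(log)))
    print("hosts fanning out on port 445:", smb_fanout(log))
```

On the constructed sample this reports 10.0.0.5 as a machine where the worm ran (it should be rebuilt or at least checked for DoublePulsar, even though nothing was encrypted) and 10.0.0.7 as a host sweeping 30 neighbours on port 445. The threshold and window are assumptions to tune against your own baseline; a backup server or vulnerability scanner will legitimately fan out on 445 and needs an allow-list.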
However, WannaCry is still out there: unpatched machines are still being scanned and infected years later. Make sure your Windows systems have MS17-010 (or, more simply, all current security patches), disable SMBv1, which no supported version of Windows needs, and block inbound TCP port 445 at the network edge.
Current Developments
Today, the Lazarus Group remains one of the most dangerous state-sponsored hacking teams. They’ve evolved from noisy, disruptive attacks, to more subtle and sophisticated operations. Now, their focus is on targeting critical infrastructure, banks, and cryptocurrency exchanges—ways to bypass sanctions and raise funds for North Korea’s regime and its nuclear program.
Meanwhile, in the UK, the National Health Service (NHS) has learned some tough lessons from the WannaCry attack. The NHS was one of the hardest hit, and since then, the UK government has invested heavily in beefing up its cybersecurity. But even with these improvements, vulnerabilities still exist.
As for Marcus Hutchins, the hero who accidentally stopped WannaCry, his story took an unexpected twist. Not long after being hailed for his actions, in August 2017, Hutchins was arrested in the United States for writing banking malware as a teenager. He pled guilty in 2019 but avoided prison, with the judge recognizing that he had turned his life around. Today, Hutchins continues to work in cybersecurity, using his skills to protect against the very threats he once helped create.
Conclusion
WannaCry wasn’t just a random cyberattack—it was a state-sponsored assault, launched by the Lazarus Group, targeting hospitals, businesses, and governments worldwide. It taught us a hard lesson: ignoring software updates can be dangerous, and we’re all more vulnerable to cyber threats than we might think.
But let’s be honest—it’s hard to point fingers here. Sure, North Korea pulled the trigger, but they might not have done it if the Shadow Brokers hadn’t leaked EternalBlue. Of course, the NSA created EternalBlue in the first place, but even that wouldn’t have happened if Microsoft had caught the bug during development.
But there’s a crucial takeaway here, famously quoted by Edward Snowden: “When NSA-enabled ransomware eats the Internet, help doesn’t come from spy agencies—it comes from researchers.” Marcus Hutchins, a young hero, stepped up and—almost by accident—stopped a global disaster, saving millions of systems.
On that note: Stay safe online!
Author: Tibor Moes
Founder & Chief Editor at SoftwareLab
Tibor has tested 28 antivirus programs and 25 VPN services, and holds a Cybersecurity Graduate Certificate from Stanford University.
He uses Norton to protect his devices, NordVPN for his privacy, and Proton for his passwords and email.