#ransomware #eternalblue #lazarus-group

WannaCry

A North Korean worm carrying a stolen NSA exploit shut down hospitals across the UK until a researcher accidentally registered a kill switch.

Cyber Chronicle

On a Friday afternoon in May 2017, ransomware began appearing simultaneously on screens in hospitals, factories, and offices around the world. National Health Service trusts in the UK began diverting ambulances. Renault stopped production in France. Deutsche Bahn passenger information boards in Germany flashed ransom notes between train times.

EternalBlue, secondhand

The worm spread through a Windows SMB vulnerability using an exploit called EternalBlue. The exploit had been developed by the United States National Security Agency, then leaked the previous summer by a group calling itself the Shadow Brokers. Microsoft had patched the underlying flaw weeks earlier, but the patch had not been widely applied on the embedded systems and end-of-life Windows installs that turned out to be everywhere.

A kill switch by accident

A British researcher in his early twenties, working from his bedroom under the handle MalwareTech, noticed that the worm checked a long, garbage-looking domain name before activating. He registered the domain — costing him about eleven dollars — as part of standard sinkhole practice. By accident, that registration triggered the kill switch the authors had left in the code. Infections plateaued within hours.
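The two behaviours described above, the kill-switch domain lookup and the SMB spread, are what a defender would look for in network logs. The following is an added example, not code from the chronicle: it triages constructed DNS and firewall log lines for hosts that queried the kill-switch domain and hosts fanning out on TCP/445. The log formats, the fan-out threshold and `KILL_SWITCH_DOMAIN` are assumptions; the domain is a placeholder, not the real one.

```python
"""Added example: flag kill-switch lookups and SMB fan-out in constructed logs."""
import re
from collections import defaultdict

KILL_SWITCH_DOMAIN = "killswitch.example"  # placeholder, not the real domain
SMB_FANOUT_THRESHOLD = 5                   # distinct 445/tcp targets per host (assumed)

# Assumed log formats for the constructed sample lines below.
DNS_RE = re.compile(r"^(?P<ts>\S+) dns client=(?P<src>\S+) query=(?P<name>\S+)$")
FW_RE = re.compile(r"^(?P<ts>\S+) fw src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=tcp$")


def triage(lines):
    """Return {host: {'killswitch_lookup', 'smb_targets', 'spreading'}} per suspicious host."""
    dns_hits = set()
    smb_targets = defaultdict(set)
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            # A lookup of the kill-switch domain happens before the worm decides to activate.
            if m["name"].rstrip(".").lower() == KILL_SWITCH_DOMAIN:
                dns_hits.add(m["src"])
            continue
        m = FW_RE.match(line)
        if m and m["dport"] == "445":
            # Many distinct SMB targets from one host is the worm scanning for victims.
            smb_targets[m["src"]].add(m["dst"])
    report = {}
    for host in dns_hits | set(smb_targets):
        targets = len(smb_targets.get(host, ()))
        report[host] = {"killswitch_lookup": host in dns_hits,
                        "smb_targets": targets,
                        "spreading": targets >= SMB_FANOUT_THRESHOLD}
    return report


# Constructed sample: 10.0.0.7 looks up the domain, then scans 445 across the subnet;
# 10.0.0.9 only looks it up; 10.0.0.3 is ordinary HTTPS traffic and is not reported.
SAMPLE_LOGS = [
    "2017-05-12T13:01:00Z dns client=10.0.0.7 query=killswitch.example.",
    *[f"2017-05-12T13:01:0{i}Z fw src=10.0.0.7 dst=10.0.0.{20 + i} dport=445 proto=tcp" for i in range(6)],
    "2017-05-12T13:02:00Z dns client=10.0.0.9 query=killswitch.example.",
    "2017-05-12T13:02:01Z fw src=10.0.0.9 dst=10.0.0.5 dport=445 proto=tcp",
    "2017-05-12T13:02:02Z fw src=10.0.0.3 dst=10.0.0.5 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_LOGS).items()):
        print(host, verdict)
```

Once the domain is sinkholed, a host that shows the lookup but no 445 fan-out is infected but dormant, which is exactly the state the registration produced.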

Attribution and aftermath

Researchers at Google and elsewhere later linked the code to the Lazarus Group, and the US Department of Justice indicted a North Korean national. The operation appears to have been intended as a ransomware moneymaker, but the attackers' technical errors — including a non-functional payment workflow — limited their take to a few hundred thousand dollars in Bitcoin.

What the chronicle remembers

WannaCry is the moment the patient-care system of an entire country was brought to a halt by software. It also marked the public debut of the leaked NSA toolkit, which would go on to power NotPetya weeks later. The lesson — that one nation's stockpiled exploit becomes the world's emergency once it escapes — has been on display ever since.