



WannaCry is an encryption-based ransomware, also known as Wanna Decryptor or WCRY. It encrypts users’ files using a combination of AES (Advanced Encryption Standard) and RSA (Rivest–Shamir–Adleman) encryption algorithms. This ensures that the encrypted files can only be decrypted using a unique private key held by the attackers.
Once infected, WannaCry changes the computer’s wallpaper and displays ransom messages demanding payment in Bitcoin. It creates encrypted copies of specific file types and deletes the original files, rendering them inaccessible without the decryption key. To increase pressure on victims, the ransomware escalates the ransom amount over time and threatens permanent data loss if payment is not made within a specified deadline.
AES is a symmetric encryption standard established by the U.S. National Institute of Standards and Technology (NIST) in 2001, while RSA is one of the earliest and most widely used public-key cryptosystems for secure data transmission.
Bitcoin operates using peer-to-peer technology without a central authority, making it attractive for ransomware operators due to its pseudo-anonymous nature.
Ransomware attacks began rising significantly around 2012. By June 2013, McAfee reported collecting more than twice the number of ransomware samples compared to the previous year. Notable ransomware such as CryptoLocker generated approximately USD 3 million before being shut down, while CryptoWall reportedly earned over USD 18 million by mid-2015.
WannaCry spread primarily through a vulnerability in Microsoft’s Server Message Block (SMB) protocol, known as MS17-010. SMB is commonly used for file sharing within networks, but when left unpatched, it can be exploited—especially if a device is connected to a public network.
According to Malwarebytes, ransomware tools are easily available on the dark web, contributing to the frequency of such attacks. As of August 2016, nearly 40 percent of organizations worldwide had reportedly been targeted by ransomware.
Experts emphasize that managing the human factor is critical in responding to ransomware incidents. Negotiations often fail due to communication gaps between technical responders and decision-makers. WannaCry was primarily effective on systems that had not been rebooted after infection and was initially known to function on older Windows versions such as Windows XP.
Despite its rapid global spread, WannaCry’s impact was slowed by a built-in kill switch—a long, unregistered domain name embedded in the malware’s code. Security researcher Marcus Hutchins (known online as @MalwareTechBlog) discovered and registered the domain in May 2017.
Once the domain became active, the malware detected it and stopped spreading. Although this intervention came too late for already infected systems, it significantly reduced further propagation. Hutchins later stated that he had not initially realized that registering the domain would halt the malware’s spread.
However, experts cautioned that future variants of WannaCry could remove or modify the kill switch, posing renewed threats.
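The kill-switch behaviour described above also gives defenders a triage signal: any internal host that looked up the kill-switch domain was running the malware, and hosts whose lookup failed never saw a live domain. The following is an added example, not code from the original article; the resolver log format and sample lines are constructed, the domain is a placeholder because the page does not give the real one, and it assumes a `NOERROR` response means the name resolved.

```python
from collections import defaultdict

# Placeholder: the real kill-switch domain is not given on this page.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed sample resolver log: "<UTC time> <client IP> <query name> <rcode>"
SAMPLE_LOG = """\
2017-05-12T08:14:02Z 10.0.4.17 killswitch-placeholder.example. NXDOMAIN
2017-05-12T08:14:05Z 10.0.4.22 update.vendor.example. NOERROR
2017-05-12T16:40:11Z 10.0.4.17 killswitch-placeholder.example. NOERROR
2017-05-12T16:41:30Z 10.0.7.3 KILLSWITCH-PLACEHOLDER.example NOERROR
2017-05-12T16:45:09Z 10.0.9.8 killswitch-placeholder.example. SERVFAIL
malformed line without enough fields
"""


def triage_kill_switch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Group clients that queried the kill-switch domain by lookup outcome.

    Returns {"unanswered": [...], "answered": [...]} with sorted client IPs.
    Every listed client needs investigation. A client with any failed lookup
    is "unanswered": the malware on it saw no live domain at least once, so
    it may have kept spreading and should be isolated first.
    """
    wanted = domain.lower().rstrip(".")
    rcodes = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        _ts, client, qname, rcode = fields
        # DNS names are case-insensitive and may carry a trailing root dot.
        if qname.lower().rstrip(".") == wanted:
            rcodes[client].add(rcode.upper())
    result = {"unanswered": [], "answered": []}
    for client in sorted(rcodes):
        failed = rcodes[client] - {"NOERROR"}
        result["unanswered" if failed else "answered"].append(client)
    return result


if __name__ == "__main__":
    for bucket, clients in triage_kill_switch_lookups(SAMPLE_LOG).items():
        print(bucket, clients)
```

Because variants can remove or change the kill switch, an empty result does not show that a network is clean.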
Following the global outbreak, Microsoft took the unprecedented step of releasing security patches for previously unsupported versions of Windows, including Windows XP. Although Windows XP was still widely used—particularly in healthcare systems such as the UK’s NHS—later research suggested that Windows 7 was more severely affected.
Security firms Kaspersky and BitSight reported that approximately 97% and 67% of infections, respectively, occurred on Windows 7 systems, while the number of Windows XP infections was relatively insignificant.
To protect against ransomware attacks like WannaCry, the following measures are recommended:
Several antivirus solutions and scripts are available to detect and remove these threats.
The Indian government reported no major nationwide impact from the WannaCry ransomware attack, aside from isolated incidents in Kerala and Andhra Pradesh. The Ministry of Electronics and Information Technology confirmed that systems operated by the National Informatics Centre (NIC) remained secure.
Then-IT Minister Ravi Shankar Prasad stated that India was closely monitoring the situation and had not experienced widespread disruption, unlike several other countries. Ransomware, however, remains a serious cyber threat that blocks access to critical data until a ransom is paid.
WannaCry demonstrated how unpatched vulnerabilities can be weaponized to launch large-scale cyberattacks with global consequences. The incident highlighted the importance of timely updates, proactive cybersecurity practices, and international cooperation. As ransomware continues to evolve, prevention, preparedness, and rapid response remain essential to minimizing its impact.