The day started, for me, with a phone call at 09:40 from a customer organisation reporting that their incident-response retainer was being activated. By 11:30 the SOC had alerts firing across multiple customers and the internal Splunk searches were showing a wave of EternalBlue-style activity that I had been hoping not to see this fast. By the time I left the office at 22:00, WannaCry — which is the name converging in the press — had affected over a hundred and fifty countries, hit the NHS hard enough that hospital trusts across England and Scotland were diverting patients and cancelling operations, and produced what is, on any honest measure, the most operationally consequential ransomware incident of the past several years.
The technical pattern. WannaCry is a worm that combines the EternalBlue SMB exploit released in the Shadow Brokers dump on the 14th of April with the DoublePulsar implant, packaged with a ransomware payload that encrypts user files on infected hosts and demands $300 in Bitcoin for decryption. The worm component scans both internal networks and the internet for vulnerable SMBv1 endpoints (TCP/445), exploits Windows hosts that have not received the MS17-010 patch, and propagates. Microsoft's MS17-010 patch from the 14th of March mitigates the vulnerability (Microsoft Security Bulletin MS17-010). Microsoft has, today, taken the unusual additional step of issuing patches for out-of-support Windows versions including Windows XP and Server 2003 (Microsoft Security Response Center customer guidance, May 12) — the first such out-of-cycle patch for unsupported Windows in some years, and a measure of how serious Microsoft considered the operational situation.
The kill-switch episode is going to be the part of this story that survives in security folklore. Marcus Hutchins (MalwareTech), in the course of analysing the worm in the early afternoon UK time, noticed that the malware made an HTTP request to a long, unregistered domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com) and registered the domain to capture the request for analysis. The unintended consequence — Hutchins did not know this was the effect at the time, only that the request had certain characteristics that suggested it might be a command channel — was that the malware's logic treated a successful response from the domain as a signal to halt encryption. Registering the domain and standing up a sinkhole effectively neutralised the encryption logic on infected hosts that were able to make the outbound request, which was most of them. Hutchins's blog post (malwaretech.com, on the registration) is the contemporaneous account. The incident's ultimate scale and harm would have been substantially larger without that intervention, and the credit for that piece of damage limitation belongs to a researcher who happened to be in the right place at the right time and made a careful, low-confidence judgement that turned out, by accident, to be the right one.
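The two host-side signals described above, the TCP/445 fan-out of the scanning component and the outbound lookup of the kill-switch domain, are the ones a SOC can pull out of ordinary flow and DNS logs. The script below is an added illustration, not code from the original entry or from any tool it names; the key=value log format, the sample records and the fan-out threshold are all constructed for the example.

```python
import re
from collections import defaultdict

# Kill-switch domain named in the write-up. A query for it from an internal
# host means the payload ran there, even if the sinkhole then halted encryption.
KILLSWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample logs in an assumed key=value format (not a real product's output).
FLOW_LOG = """\
2017-05-12T13:02:11Z src=10.1.4.22 dst=10.1.4.37 dport=445 proto=tcp
2017-05-12T13:02:11Z src=10.1.4.22 dst=10.1.4.38 dport=445 proto=tcp
2017-05-12T13:02:12Z src=10.1.4.22 dst=10.1.4.39 dport=445 proto=tcp
2017-05-12T13:02:12Z src=10.1.4.22 dst=10.1.4.40 dport=445 proto=tcp
2017-05-12T13:02:13Z src=10.1.4.22 dst=198.51.100.17 dport=445 proto=tcp
2017-05-12T13:02:14Z src=10.1.4.22 dst=203.0.113.9 dport=445 proto=tcp
2017-05-12T13:03:02Z src=10.1.4.50 dst=10.1.4.5 dport=445 proto=tcp
2017-05-12T13:03:05Z src=10.1.4.50 dst=10.1.4.5 dport=445 proto=tcp
2017-05-12T13:03:09Z src=10.1.4.51 dst=10.1.4.5 dport=443 proto=tcp
"""

DNS_LOG = """\
2017-05-12T13:01:58Z src=10.1.4.22 query=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T13:02:40Z src=10.1.4.50 query=fileserver.corp.example
2017-05-12T13:02:41Z src=10.1.4.22 query=time.windows.com
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse(lines):
    """Yield one dict per non-empty log line: timestamp plus key=value fields."""
    for line in lines.splitlines():
        if line.strip():
            ts, _, rest = line.partition(" ")
            yield {"ts": ts, **dict(KV.findall(rest))}

def smb_fanout(flow_log, min_targets=5):
    """Hosts that opened TCP/445 to at least min_targets distinct addresses.
    Clients talk to one file server repeatedly; a worm does the reverse."""
    targets = defaultdict(set)
    for rec in parse(flow_log):
        if rec.get("proto") == "tcp" and rec.get("dport") == "445":
            targets[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}

def killswitch_queriers(dns_log):
    """Internal hosts that resolved the kill-switch domain: these ran the payload."""
    return sorted({rec["src"] for rec in parse(dns_log)
                   if rec.get("query", "").lower() == KILLSWITCH_DOMAIN})
```

On the sample data only 10.1.4.22 trips both signals: six distinct 445 targets, including two internet addresses, and the kill-switch lookup a few seconds earlier. A host that shows the lookup but no fan-out still needs isolating, since the kill-switch stops encryption, not the fact of infection.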
The NHS impact is the part that needs writing up separately. Approximately 80 of the 236 NHS trusts in England were affected to varying degrees, plus eight Scottish health boards. Many radiology departments, pathology systems, and outpatient booking systems were taken offline. Patient appointments were cancelled across multiple trusts. A&E departments diverted patients in some cases. The disruption was substantial in the immediate term and has produced a debate about the IT-modernisation posture of the NHS that has been overdue for several years. The NHS estate runs a substantial population of Windows XP machines, often embedded in medical devices where the device manufacturer's certification is locked to a specific Windows version, and the patching cadence on the wider Windows estate has been slower than would be operationally adequate. The National Audit Office will, in due course, produce a comprehensive analysis. The picture today is that the NHS was, as a system, structurally exposed to exactly this kind of attack, and the fact that the kill-switch limited the damage is a piece of luck the NHS should not be relying on for the next event.
For the customer estates, the operational situation tonight is mostly under control. Browne Jacobson's Windows estate was patched between mid-March and mid-April; clean. Towry was patched in the same window; clean. Northcott patched between the EternalBlue release on the 14th of April and the end of April, with one exception — a Windows 7 testing workstation in the engineering team that was off-network for a week and missed the patching window — which was found infected at 14:00 today and was isolated and rebuilt by 18:00. The manufacturer's estate is mostly patched but the OT-adjacent Windows hosts on the production-network side were still in the patching backlog and several of those have been infected and are being recovered tonight. The new financial-services client was fully patched and shows no infections. The operational cost across the customer base is moderate; the operational cost across the unprepared parts of the wider economy is going to be much larger.
The structural lessons. First, the time between exploit publication and worm-grade weaponisation was, in this case, four weeks. That is short. Patching cadences that assume a longer disclosure-to-exploitation window are no longer adequate. Second, the long-tail Windows estate — XP, Server 2003, embedded Windows variants in industrial and medical equipment — is structurally vulnerable to attacks of this nature, and the population is large, and there is no comprehensive patching path. The conversation about that population needs to be more honest than it has been, and the procurement decisions made years ago that locked organisations into Windows XP for industrial control or medical-device reasons are now operational liabilities of the first order. Third, the cost of a worm-grade incident is not the ransom. The ransom payments to the WannaCry wallets so far total a few tens of thousands of dollars; the operational disruption cost across the affected estates is in the hundreds of millions, perhaps billions. The cost-benefit calculation from the worm operators' side is materially better for them than it looks from outside.
I will be writing the longer NHS analysis next week when the operational picture has settled. The personal note tonight is that the day was hard, the team performed well, and the customer base is, on tonight's evidence, mostly through the worst of it. The wider economy is not. The cleanup is going to take months.