The attack affected Telefónica and several other large companies in
WannaCry is believed to use the EternalBlue exploit, which was developed by the
Shortly after the attack began, a researcher found an effective kill switch, which prevented many new infections and allowed time to patch systems. This greatly slowed the spread. It was later reported that new versions lacking the kill switch had been detected. Computer security experts also warned of a second wave of the attack due to such variants and the beginning of the new workweek.
The purported infection vector, EternalBlue, was released by the hacker group The Shadow Brokers on 14 April 2017, along with other tools apparently leaked from Equation Group, believed to be part of the United States National Security Agency.
EternalBlue exploits vulnerability MS17-010 in Microsoft's implementation of the Server Message Block (SMB) protocol. Microsoft had released a "Critical" advisory, along with an update patch to plug the vulnerability a month before, on 14 March 2017. This patch fixed several workstation versions of the Microsoft Windows operating system, including Windows Vista and Windows 8.1, as well as server and embedded versions such as Windows Server 2008 and Windows Embedded POSReady 2009 respectively, but not the older Windows XP, according to Microsoft.
Starting from 21 April 2017, security researchers began reporting that computers with the DOUBLEPULSAR backdoor installed numbered in the tens of thousands. By 25 April, reports estimated the number of infected computers at up to several hundred thousand, with figures ranging from 55,000 to nearly 200,000 and growing every day.
On 12 May 2017, WannaCry began affecting computers worldwide. The initial infection might have been either through a vulnerability in the network defenses or a very well-crafted spear phishing attack. When executed, the malware first checks the "kill switch" domain name. If it is not found, then the ransomware encrypts the computer's data, then attempts to exploit the SMB vulnerability to spread out to random computers on the Internet, and "laterally" to computers on the same local area network (LAN). As with other modern ransomware, the payload displays a message informing the user that files have been encrypted, and demands a payment of around $300 in bitcoin within three days or $600 within seven days.
The Windows vulnerability is not a zero-day flaw, but one for which Microsoft had made available a security patch on 14 March 2017, nearly two months before the attack. The patch was to the Server Message Block (SMB) protocol used by Windows. Organizations that lacked this security patch were affected for this reason, although there is so far no evidence that any were specifically targeted by the ransomware developers. Any organization still running the older Windows XP was at particularly high risk because until 13 May, no security patches had been released since April 2014. Following the attack, Microsoft released a security patch for Windows XP.
According to Wired, affected systems will also have had the DOUBLEPULSAR backdoor installed; this will also need to be removed when systems are decrypted.