WannaCry was a ransomware worm that struck in May 2017, encrypting files on more than 200,000 Windows computers across 150 countries and demanding Bitcoin ransoms. It spread by exploiting an unpatched Windows flaw known as EternalBlue.
Last updated: June 15, 2026
Nine years later, WannaCry is still one of the clearest warnings any business owner can study. The attack didn’t break in through a clever password guess or a single careless click. It moved on its own, machine to machine, through computers that were missing a patch Microsoft had already released. That’s why it still belongs in every conversation about ransomware and cybersecurity today.
The short version
WannaCry was a self-spreading ransomware worm that hit more than 200,000 Windows machines in 150 countries in a single weekend in May 2017. It used a leaked exploit called EternalBlue to jump between unpatched computers, locked their files, and demanded payment in Bitcoin. The businesses that were hit had skipped a patch Microsoft shipped two months earlier. The same gaps still let ransomware in today.
What happened during the WannaCry attack
On May 12, 2017, WannaCry began spreading across the globe in a matter of hours. It hit hospitals in England and Scotland and forced the National Health Service to turn away patients and cancel appointments. It struck telecom firms in Spain, factories, logistics companies, and government offices on nearly every continent.
Once WannaCry landed on a machine, it locked the files and showed a red ransom note demanding roughly 300 dollars in Bitcoin to unlock them. The price doubled if you waited, and the files were threatened with permanent deletion if you ignored it. Researchers later traced the worm to a leaked National Security Agency exploit, and a security analyst slowed the spread by registering a hidden web address that acted as a kill switch.
How WannaCry spread so fast
The reason WannaCry moved like wildfire comes down to one technical detail. It used an exploit called EternalBlue that targeted a weakness in an old Windows file-sharing protocol called SMB version 1. A single infected computer could scan the network, find other unpatched machines, and infect them with no human action at all.
Here’s the part that stings. Microsoft had released the patch, MS17-010, two months before the attack. Every organization that applied that update on time was protected. The companies that fell were the ones still running outdated systems or putting off patches, including many that were still using Windows versions Microsoft no longer supported.
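That kind of scanning leaves a trace your monitoring can catch: one internal machine suddenly opening SMB connections (TCP port 445) to many different computers within seconds. The Python below is an added example, not part of the original article or any vendor's tooling. The log format, the 60-second window, the 5-peer threshold, and every address in it are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445                   # TCP port used by SMB file sharing
WINDOW = timedelta(seconds=60)   # assumed look-back window
MAX_PEERS = 5                    # assumed threshold; tune to your own baseline

# Constructed, time-ordered sample flows: "ISO-time src dst dst_port"
SAMPLE_LOG = (
    ["2017-05-12T09:00:00 10.0.0.8 10.0.0.2 445",   # normal: one file server
     "2017-05-12T09:00:05 10.0.0.8 10.0.0.2 445",
     "garbled line",                                 # malformed, skipped
     "2017-05-12T09:00:06 10.0.0.9 10.0.0.30 443"]   # not SMB, ignored
    # one host reaching 8 peers on 445 within 8 seconds (worm-like fan-out)
    + [f"2017-05-12T09:01:{i:02d} 10.0.0.5 10.0.0.{20 + i} 445" for i in range(8)]
    # one host reaching 8 peers on 445, but 5 minutes apart (stays under threshold)
    + [f"2017-05-12T09:{10 + 5 * i:02d}:00 10.0.0.9 10.0.0.{40 + i} 445" for i in range(8)]
)

def parse(line):
    """Return (time, src, dst, port), or None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None

def smb_fanout_alerts(lines, window=WINDOW, max_peers=MAX_PEERS):
    """Map each source that contacts more than max_peers distinct hosts on
    TCP 445 inside the window to (first alert time, peer count)."""
    recent = defaultdict(deque)  # src -> (time, dst) pairs still inside the window
    alerts = {}
    for ts, src, dst, port in filter(None, map(parse, lines)):
        if port != SMB_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # drop flows older than the window
            q.popleft()
        peers = {d for _, d in q}
        if len(peers) > max_peers and src not in alerts:
            alerts[src] = (ts, len(peers))
    return alerts

if __name__ == "__main__":
    for src, (ts, n) in smb_fanout_alerts(SAMPLE_LOG).items():
        print(f"{ts.isoformat()} {src} reached {n} hosts on TCP 445 within {WINDOW}")
```

Feed it time-ordered flow or firewall records from inside the network, and exclude machines that legitimately talk to many peers over SMB, such as backup or management servers.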
Why WannaCry still matters in 2026
Ransomware didn’t peak with WannaCry. It grew into a professional industry. Modern strains steal your data before they encrypt it, then threaten to publish it unless you pay, so a clean backup alone no longer guarantees a quiet recovery. Attackers now rent ransomware as a service, target backups directly, and aim squarely at small and midsize businesses that assume they’re too small to be noticed.
| WannaCry in 2017 | Ransomware in 2026 |
|---|---|
| Spread automatically through one unpatched Windows flaw | Spreads through phishing, stolen logins, and exposed remote access |
| Locked files and demanded a flat 300 dollar ransom | Steals data first, then demands payments in the tens or hundreds of thousands |
| Stopped by a single kill switch | Sold as a service with no single off switch |
| A clean backup usually meant a full recovery | Attackers hunt for your backups, so offline copies are essential |
The lesson from WannaCry is timeless. Most ransomware still gets in through gaps that were preventable, such as missing patches, weak email filtering, exposed remote access, and accounts without multifactor authentication. The threat is more advanced, but the doors it walks through have barely changed.
How to protect your business from ransomware
You don’t need a giant security budget to close the gaps that WannaCry exploited. You need a few controls applied consistently across every device. These are the steps we put in place for the businesses we protect.
- Patch quickly and automatically. Keep every operating system and application current, and retire software that no longer receives security updates. WannaCry was a patching failure first and foremost.
- Back up on the 3-2-1 rule. Keep 3 copies of your data on 2 types of media with 1 copy offline or immutable, so attackers can’t encrypt your only recovery path. Learn more in our guide to data backup and recovery.
- Turn on multifactor authentication everywhere. A stolen password should never be enough to reach your email, your servers, or your remote desktop.
- Filter email and train your team. Most ransomware still arrives through a malicious link or attachment, so strong filtering and a staff that knows what to question stop most attempts at the door.
- Segment your network and lock down remote access. Disable legacy protocols like SMB version 1 and limit how freely an infected device can reach the rest of your systems.
- Watch your systems around the clock. Continuous monitoring catches the early signs of an intrusion before encryption begins.
For a deeper walkthrough, read our step-by-step ransomware prevention plan, and see how a managed approach ties these controls together in our cybersecurity solutions.
What to do if ransomware hits your business
If you suspect an active infection, disconnect the affected machine from the network right away to stop it from spreading, but don’t power it off, since that can destroy evidence. Don’t pay the ransom before talking to a security professional, because payment funds the next attack and doesn’t guarantee your files come back. The federal StopRansomware program offers the same advice. Then call your IT provider so they can contain the incident, work out the scope, and start a clean recovery from backups.
WannaCry and ransomware, quick answers
Is WannaCry still a threat today?
WannaCry itself is largely neutralized thanks to the kill switch and years of patching. The bigger risk now is the wave of newer ransomware it inspired, which is why the protections that would have stopped WannaCry still matter.
What operating systems did WannaCry affect?
The worm targeted Windows computers, hitting unsupported and unpatched versions hardest, including Windows 7 and the long-retired Windows XP. Fully updated machines were not affected.
Should a business ever pay the ransom?
Security experts and the FBI advise against paying. Payment funds criminal operations, marks you as a willing target, and offers no real guarantee that your data will be restored.
How do I know if my systems are vulnerable to ransomware?
The fastest way is a security assessment that checks your patch status, backups, email defenses, and remote access. Most businesses find at least one of the gaps that WannaCry exploited still open.
Can backups alone protect me from modern ransomware?
Backups are essential but no longer enough on their own. Today’s attackers steal data before encrypting it and try to reach your backups directly, so you need offline or immutable copies plus layered prevention.
Get a ransomware readiness check
WannaCry punished the businesses that assumed they were safe. Uprite helps small and midsize companies close the exact gaps it exploited, from patching and backups to monitoring and staff training. Talk to an Uprite security expert for a ransomware readiness check, or call (866) 570-3065.
Written by Stephen Sweeney. Original 2017 reporting drawn from BBC News, Reuters, and ZDNet.










