Incident Analysis

WannaCry's Supply Chain Dimensions

WannaCry was not a supply chain attack in the usual sense. Its real supply chain story is EternalBlue, NSA leaks, and the patch cycle.

Nayan Dey
Senior Security Engineer
7 min read

At 07:44 UTC on May 12, 2017, the first infections were logged. Within hours Telefónica's Madrid headquarters was using its loudspeakers to tell employees to shut down their computers. The same morning, the UK's National Health Service saw at least 81 of its 236 trusts affected; ambulances were diverted, elective surgeries cancelled, chemotherapy appointments rebooked. Deutsche Bahn's departure boards in Germany went black with a ransom note. A Renault plant in Sandouville, France, stopped producing cars. The total footprint, over roughly 72 hours, was more than 200,000 machines across 150 countries.

WannaCry is remembered as a ransomware outbreak. Its more important identity is as the first Internet-wide test of a stolen nation-state exploit running against unpatched enterprise networks. That makes it a supply chain story, just not the one usually told.

The vulnerability chain

The core primitive was MS17-010, a bulletin Microsoft released on March 14, 2017, patching six vulnerabilities in the SMBv1 server (CVE-2017-0143 through CVE-2017-0148). The most important, CVE-2017-0144, known publicly as EternalBlue, allowed unauthenticated remote code execution against the SMBv1 server on every supported Windows version from Vista through Windows Server 2016. Windows XP and Server 2003 were also affected but were out of support and not covered by the March bulletin.

EternalBlue did not originate in public research. It was NSA tooling, reportedly from the Tailored Access Operations group, delivered as one of the exploit modules loaded by the "FuzzBunch" exploitation framework. In August 2016, a group calling itself the Shadow Brokers began releasing stolen NSA tooling. On April 14, 2017, they published the "Lost in Translation" dump containing EternalBlue, EternalRomance, DoublePulsar, and several other exploits.

That April 14 dump is the supply chain inflection point. From that moment, anyone with a modest budget and some C++ could weaponize a remote SMB exploit that had reportedly been in classified use for years. Microsoft had patched it a month earlier, on March 14. Enterprises had 31 days to apply the patch before the public dump, and 59 days before the worm. Many did not.

WannaCry appeared 28 days after the Shadow Brokers dump, on May 12, 2017.

What WannaCry actually did

The worm loop was simple:

  1. On start, attempt an HTTP connection to a hardcoded domain that had never been registered. If the connection succeeded, exit without spreading or encrypting. This was the kill switch.
  2. Scan TCP/445 on the local subnet and on random Internet-routable addresses.
  3. If port 445 was open, check for an existing DoublePulsar implant; if none was present, attempt EternalBlue exploitation against SMBv1.
  4. On success, install DoublePulsar and use it to inject the WannaCry DLL into the target.
  5. The payload encrypted files matching 176 extensions (.doc, .xlsx, .pst, .sql, etc.) with per-file AES-128 keys wrapped by a per-victim RSA-2048 key pair, and demanded 300 USD in Bitcoin, rising to 600 after three days.

The kill switch domain, iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, was registered by Marcus Hutchins on May 12 at roughly 15:00 UTC, about seven hours into the outbreak. Registration cost him 10.69 USD. Because the sinkhole answered, every new infection of the main variant exited on startup, which stopped its spread almost immediately. Variants without the kill switch, and variants pointing at different domains, appeared over the following days.
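The two behaviours above, the 445 fan-out and the kill-switch lookup, are what a defender could actually see. As an added example (mine, not from the original post), here is that detection logic run over constructed flow and DNS log lines. The log format, the internal address range and the fan-out threshold are assumptions for the example; only the kill-switch domain comes from the incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Assumption for the example: the organisation's own address space. Anything
# outside it is "external", which is what the worm's random-address scanning looks like.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed flow records (not real telemetry): "ts src dst dport proto".
FLOW_LOG = [
    # a normal client re-opening sessions to two file servers
    "2017-05-12T08:59:10Z 10.20.5.40 10.20.5.200 445 tcp",
    "2017-05-12T08:59:25Z 10.20.5.40 10.20.5.200 445 tcp",
    "2017-05-12T09:00:05Z 10.20.5.40 10.20.5.200 445 tcp",
    "2017-05-12T09:00:07Z 10.20.5.40 10.20.5.201 445 tcp",
    "2017-05-12T09:00:30Z 10.20.5.40 10.20.5.1 53 udp",
] + [
    # an infected host sweeping its own /24, one address per second...
    f"2017-05-12T09:01:{i:02d}Z 10.20.5.17 10.20.5.{i + 1} 445 tcp" for i in range(12)
] + [
    # ...then reaching for random routable addresses
    f"2017-05-12T09:01:{30 + i:02d}Z 10.20.5.17 203.0.113.{7 * i + 3} 445 tcp" for i in range(4)
]

# Constructed DNS query records: "ts src qname qtype".
DNS_LOG = [
    "2017-05-12T09:00:58Z 10.20.5.17 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com A",
    "2017-05-12T09:00:59Z 10.20.5.40 intranet.example.corp A",
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_flow_line(line):
    ts, src, dst, dport, proto = line.split()
    return {"ts": parse_ts(ts), "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def parse_dns_line(line):
    ts, src, qname, qtype = line.split()
    return {"ts": parse_ts(ts), "src": src, "qname": qname.rstrip(".").lower(), "qtype": qtype}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_smb_fanout(flows, threshold=8, window=timedelta(seconds=60)):
    """Sources that opened TCP/445 to at least `threshold` distinct destinations
    inside any `window`. A real client talks to a few file servers; a worm talks
    to many hosts it has never spoken to, quickly."""
    by_src = defaultdict(list)
    for f in flows:
        if f["dport"] == 445 and f["proto"] == "tcp":
            by_src[f["src"]].append((f["ts"], f["dst"]))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)   # dst -> events currently inside the window
        left, best = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[left][0] > window:   # slide the window forward
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= threshold:
            distinct = {dst for _, dst in events}
            hits[src] = {"distinct": best,
                         "external": sum(1 for d in distinct if not is_internal(d))}
    return hits


def detect_kill_switch_queries(dns_records):
    """Hosts that looked up the kill-switch domain. The worm did this before
    scanning, so the query fires whether or not the sinkhole made it exit."""
    return sorted({r["src"] for r in dns_records if r["qname"] == KILL_SWITCH_DOMAIN})


if __name__ == "__main__":
    flows = [parse_flow_line(l) for l in FLOW_LOG]
    print("445 fan-out:", detect_smb_fanout(flows))
    print("kill-switch lookups:", detect_kill_switch_queries([parse_dns_line(l) for l in DNS_LOG]))
```

The fan-out rule is the durable one: it does not depend on any indicator from this particular worm, only on the fact that SMB worms must talk to many hosts they have never talked to before. The DNS rule is incident-specific but high fidelity, and it kept working after the sinkhole went up, because the malware still had to ask before it exited. Tune the threshold against your own baseline; backup agents and vulnerability scanners will legitimately fan out on 445 and belong on an allow list.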

Ransom collection was operationally a failure. The three hardcoded Bitcoin addresses collected approximately 52 BTC, worth roughly 140,000 USD at the time. The attackers withdrew the balance on August 3, 2017. Few if any victims received a working decryption: because payments went to three shared addresses rather than one per victim, the operators had no reliable way to tell who had paid, and releasing a victim's private key was a manual step they never operationalized.

Attribution

On December 19, 2017, the U.S. government, through a statement by then-Homeland Security Advisor Tom Bossert, publicly attributed WannaCry to North Korea's Lazarus Group. The UK National Cyber Security Centre concurred. In September 2018, the U.S. Department of Justice unsealed an indictment of Park Jin Hyok, a North Korean programmer and alleged Lazarus member, explicitly naming WannaCry alongside the 2014 Sony Pictures attack and the 2016 Bangladesh Bank heist.

Lazarus is a state-aligned group that the indictment and prior reporting tie to revenue generation on behalf of the North Korean regime. WannaCry reads as an attempt at mass ransomware monetization that succeeded operationally (it spread) but failed financially (the payment process could not match payments to victims).

Where the supply chain story actually lives

Calling WannaCry a supply chain attack in the sense of SolarWinds or NotPetya is wrong. It did not compromise a vendor's build pipeline. It did not abuse a trusted update channel. It spread host to host over SMBv1.

The supply chain angles are more subtle and, I think, more important:

NSA's exploit inventory is part of everyone's threat model now. The Shadow Brokers dump demonstrated that classified offensive tooling is not a secret state resource with a stable half-life. It can leak, and when it leaks it becomes commodity malware in under a month: 28 days, in this case. Any risk model that assumed nation-state tooling would not reach cybercrime actors within the patch window was invalidated on April 14, 2017.

SMBv1 was a supply chain artifact. Windows shipped with SMBv1 installed and enabled by default until Windows 10 1709, released in October 2017, five months after WannaCry, was the first release to leave it out of a clean install. It stayed around as a compatibility dependency for legacy LAN equipment, much of it third-party print servers, NAS appliances, and line-of-business software. Disabling SMBv1 broke vendor integrations. That is a supply chain constraint: the upstream vendor determined the patch posture of the downstream enterprise.
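The check a practitioner wants after that paragraph is an inventory of which hosts still answer SMBv1 at all, regardless of what the vendor documentation says. The following is an added example (my code, not Safeguard's or Microsoft's): it builds a bare SMB_COM_NEGOTIATE that offers only the NT LM 0.12 dialect and classifies the reply, so a server that accepts is speaking SMBv1 and is in scope for MS17-010. The hand-built server reply used for offline testing is constructed, not captured traffic, and probe() is only for hosts you are authorised to scan.

```python
import socket
import struct
import sys

SMB_COM_NEGOTIATE = 0x72
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
NT_LM_012 = b"NT LM 0.12"   # the SMBv1 dialect every NT-family Windows server speaks


def smb1_header(command=SMB_COM_NEGOTIATE, status=0, mid=1):
    """32-byte SMB_Header (MS-CIFS 2.2.3.1), all multi-byte fields little-endian."""
    return struct.pack(
        "<4sBIBHH8sHHHHH",
        SMB1_MAGIC,
        command,
        status,
        0x18,         # Flags: case-insensitive, canonicalized paths
        0xC801,       # Flags2: Unicode | NT status codes | extended security | long names
        0,            # PIDHigh
        b"\x00" * 8,  # SecurityFeatures (no signing)
        0,            # Reserved
        0,            # TID: no tree connected yet
        0xFEFF,       # PIDLow
        0,            # UID: not authenticated
        mid,          # MID
    )


def build_negotiate_request(dialects=(NT_LM_012,)):
    """SMB_COM_NEGOTIATE offering only `dialects`, framed for the NetBIOS session service."""
    dialect_blob = b"".join(b"\x02" + d + b"\x00" for d in dialects)   # Dialect = 0x02 + NUL-terminated name
    body = b"\x00" + struct.pack("<H", len(dialect_blob)) + dialect_blob  # WordCount=0, ByteCount, Dialects
    smb = smb1_header() + body
    return struct.pack(">I", len(smb)) + smb   # NetBIOS: type 0x00 + 24-bit length


def parse_negotiate_response(smb):
    """Classify the server's reply (NetBIOS header already stripped)."""
    if smb[:4] == SMB2_MAGIC:
        return "smb2_only"        # server switched to SMB2; only happens if an SMB2 dialect string was offered
    if smb[:4] != SMB1_MAGIC or len(smb) < 35:
        return "not_smb1"
    command, status = smb[4], struct.unpack_from("<I", smb, 5)[0]
    if command != SMB_COM_NEGOTIATE or status != 0:
        return "smb1_error"
    word_count = smb[32]
    if word_count == 0:
        return "smb1_rejected"    # no parameter words at all: none of our dialects taken
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    if dialect_index == 0xFFFF:
        return "smb1_rejected"    # explicit "no dialect selected"
    return "smb1_accepted"        # the server will talk SMBv1 with us


def constructed_response(dialect_index, word_count=17):
    """Hand-built server reply for offline testing (constructed, not captured)."""
    params = b""
    if word_count:
        params = struct.pack("<H", dialect_index) + b"\x00" * (2 * word_count - 2)
    return smb1_header() + bytes([word_count]) + params + b"\x00\x00"   # ByteCount = 0


def probe(host, port=445, timeout=3.0):
    """Send one SMBv1 negotiate to host:port and classify the reply. Network use only."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate_request())
            nb = s.recv(4)
            if len(nb) < 4:
                return "closed"   # typical when SMBv1 is disabled or not installed
            length = struct.unpack(">I", nb)[0] & 0x00FFFFFF
            data = b""
            while len(data) < length:
                chunk = s.recv(length - len(data))
                if not chunk:
                    break
                data += chunk
            return parse_negotiate_response(data)
    except OSError:
        return "closed"           # refused, reset, or timed out


if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(target, probe(target))
```

Offering only NT LM 0.12 is deliberate: a modern client also offers "SMB 2.002" and "SMB 2.???", which lets a server answer in SMB2 and hides whether it would have taken SMBv1. Run the probe across your own ranges, feed the "smb1_accepted" hosts into the vendor conversation, and re-run it after the vendor says SMBv1 is no longer needed.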

Unsupported OSes are inherited risk. Windows XP left extended support in April 2014. Microsoft nonetheless released an emergency out-of-band MS17-010 patch for XP and Server 2003 within a day of the outbreak. Some NHS machines, notably medical equipment supplied by third parties under long-term contracts, were still running XP (although the bulk of WannaCry infections worldwide were unpatched Windows 7 systems). The hospital could not unilaterally patch or replace those devices because the vendor's regulatory approval for the device was tied to a specific OS image. The supply chain reached into the clinical environment.

Patching is a pipeline, not an event. Microsoft released MS17-010 on March 14. Testing, staging, change control, reboot windows, and legacy application compatibility checks meant that many enterprises were still rolling the patch on May 12. That is not negligence, it is the reality of operating at scale. Whether by design or by luck, the campaign landed in exactly the window where the patch was public, the exploit was public, and enterprise deployment was incomplete.

The NHS as a case study

The UK National Audit Office report of October 27, 2017, documented that at least 81 of the 236 trusts in England (34 percent) were affected: 37 were infected and locked out, and a further 44 were disrupted without being infected. The NAO did not cost the attack; the Department of Health and Social Care later estimated it at roughly 92 million GBP, about 19 million in lost output during the week and 73 million in IT recovery, not counting clinical impact. Specific findings:

  • Every infected NHS organisation was running unpatched or unsupported Windows systems, despite NHS Digital issuing alerts telling trusts to apply MS17-010 on March 17 and April 27.
  • Legacy Windows XP devices on medical hardware were a significant driver of SMBv1 being enabled across trust networks.
  • Network segmentation between and within trusts was weak; once the worm was inside one trust's network, it moved laterally with little resistance.
  • Post-incident, the NHS accelerated a migration program for medical device operating systems that had been planned, underfunded, for years.

The lessons that outlived the outbreak

Exploit half-lives are shorter than patch cycles. This is the hard truth WannaCry forced into enterprise risk models. If a critical patch lands and you take 60 days to deploy it, you are betting against public exploitation during that window. After April 2017, that bet started losing.

Supply chain reaches into regulatory-constrained devices. Medical, industrial, and aerospace systems cannot be patched on a Microsoft cadence. The vendor lifecycle, not the OS lifecycle, determines patch posture. This means SBOMs and vendor risk management have to extend into hardware procurement, not just software procurement.

Kill switches are luck. Marcus Hutchins's 10.69 USD purchase stopped WannaCry because the malware's apparent sandbox-evasion check (exit if an unregistered domain answers) could be satisfied by anyone willing to register the domain. That is not a defensive control. A future attacker will not leave that door open.

How Safeguard Helps

The WannaCry model, public exploit meets unpatched enterprise network, is answered by Safeguard's reachability-driven patch prioritization. Instead of treating every CVE equally, we map which of your assets actually expose the vulnerable service to networks where exploitation is feasible, cutting the patch queue by an order of magnitude. Griffin AI generates remediation plans that respect the vendor lifecycle constraints of regulated hardware, flagging devices that cannot be patched and recommending network-layer compensations instead. SBOMs extend into firmware and appliance layers through our TPRM integrations, and policy gates prevent new deployments with SMBv1 or other deprecated protocols from landing in production, so the next EternalBlue-grade exploit finds far fewer doors already open.
