What have we learnt from the NHS ransomware attack?
The malware that made businesses everywhere WannaCry is an important case study for everyone.
In May 2017, a ransomware attack of unprecedented scale was unleashed on the world, with the NHS in England and, to a lesser extent, Scotland being hit the hardest of any organisation in the UK. Around 70,000 devices were infected, leading the attack to be known colloquially as the NHS hack.
How such an attack happened and how it was shut down offers valuable information to IT professionals on how to avoid falling victim to such an incident themselves in the future.
Day Zero: 12 May 2017
In the early morning of 12 May, reports started to emerge of the first computers infected by WannaCry. While some researchers, including those at Sophos, concluded that the first infections cropped up in Asia, it wasn't until Spanish telecoms giant Telefónica reported that its systems had been compromised that the attack came to the attention of those with an interest in technology and security.
Within just a few hours the attack had snowballed, swallowing up an estimated 47 NHS Trusts in England and Scotland. Other high-profile victims included Deutsche Bahn, Renault, FedEx and the Russian Ministry of the Interior.
The impact on the NHS was particularly potent, with approximately 70,000 devices including MRI scanners, blood storage refrigerators and operating theatre equipment, as well as computer terminals, being infected.
Some hospitals, including Barts in London, had to cancel routine planned operations, while others told patients only to come to A&E if it was a "life-threatening emergency".
In the end, it's thought that around 200,000 devices running Microsoft Windows were infected across 150 countries.
Aftermath and investigation
Somewhat miraculously, WannaCry was stopped in its tracks the same day it started by a 22-year-old British cyber security researcher, Marcus Hutchins, who discovered a 'kill switch' embedded in the ransomware's code.
This was a considerable stroke of luck for the world's IT systems, but for those that had already been affected, there was a lot of cleanup to be done, including disinfecting and restoring systems, patching (more on that in a minute) and so on.
For the NHS, this also included rescheduling all the routine appointments that had to be cancelled, leading to disruption that continued over the following few weeks.
It was also in the wake of the attack's subsidence that questions began to be raised about how such an infection was able to run rampant in the first place, given Microsoft had already issued a patch for the vulnerability exploited by WannaCry.
While the ransomware wasn't targeted, as the wide range of organisations affected demonstrates, it unwittingly took advantage of a critical weakness in many business systems: "just patch" isn't always an option.
In large organisations in particular, there are often valid reasons systems can't be patched or updated. The most common among those is dependence on critical applications or hardware that aren't compatible with newer operating systems or with some patches.
In this scenario, IT administrators face a choice: update the system and risk rendering inoperable a very expensive piece of hardware or the patient database software, or leave it unpatched to keep the organisation running and risk a crippling attack, as happened in May. Most accept the potential risk of being hit by ransomware or another infection in the future over the certainty of breaking existing infrastructure.
Mitigation is better than a cure
Here's the obvious advice: patch your systems.
"WannaCry only hit organisations running older versions of Windows, so the obvious advice is to update those, which of course has a cost," says Bob Tarzey, analyst and director at Quocirca.
But, as stated above, that's not always possible.
"Another option is to better isolate older systems," Tarzey continues.
Jeff Pollard, principal analyst at Forrester, agrees: "We recommend a 'zero trust' approach to security strategy. Zero trust means trusting nothing, people or systems, until they prove they are trustworthy. Make sure environments are segmented so an automated worm [like WannaCry] can't infect every system."
This has the primary benefit of isolating the infection, which means not needing to throw the switches on all systems in order to stop it from spreading, an approach that had to be taken by some NHS trusts, despite being disruptive in itself.
Pollard further advises organisations "understand the identity of users, systems, and workloads, and make sure that least privilege is in place".
There's also the question of having an educated and aware workforce. Although WannaCry wasn't spread via phishing emails, many ransomware infections and other malware attacks are, so drilling into users that they mustn't open links and attachments, particularly if they're unexpected, is vital. Other basic steps include having an enterprise-grade firewall in place, as well as business-focused anti-malware software running wherever it can (although, once again, in some embedded systems this might not be possible).
WannaCry was unusual in the way it attacked systems and the speed with which the infection spread, with the high-profile nature of the victims also being notable. What was surprising in May, however, may become par for the course in the future, and this is an eventuality organisations must prepare for.
"Breaches and malware infections are inevitable. What matters is the ability to continue to operate, contain the issue, and bounce back from the problem and get back to business as usual," Pollard concludes.
Make sure your organisation is resilient enough to bounce back from an attack like this...