Databack - Récupération de données
Request a quote
THE BLOG

WannaCry ransomware: understanding the attack, its numbers, and solutions

In May 2017, the WannaCry ransomware unleashed a wave of attacks on a scale rarely seen, affecting businesses, hospitals, government agencies, and individuals around the world.

What is a WannaCry ransomware attack?

To fully understand WannaCry, we first need to remind you what ransomware is. Ransomware is malicious software that encrypts your files, preventing you from accessing them, then demands a ransom, usually in cryptocurrency, to supposedly decrypt them.

A WannaCry ransomware attack broadly follows the same principle, but with characteristics that make it particularly worrying, and almost pandemic at the time:

  • Infection: the malware installs itself on a vulnerable Windows workstation, often via an exposed network port, without any user action.
  • Encryption: the most important files are encrypted (documents, images, databases), making day-to-day work virtually impossible.
  • Ransomware: a message is displayed, usually demanding the equivalent of $300 to $600 in Bitcoin, with a countdown timer and the threat of data deletion.
  • Automatic propagation: WannaCry is unique in that it spreads from machine to machine within a network, almost autonomously.

In other words, if you were an IT manager in 2017, a single infected workstation, uncorrected, could be enough to rapidly contaminate a large part of your network, with a striking domino effect.

wannacry ransomware

Looking back on 2017: the WannaCry attack in a few key figures

To gauge the severity of the WannaCry episode, it’s useful to look at a few figures, taken from public reports, and analyses by several cybersecurity players.

IndicatorApproximate valueComments
Infected machines> 200 000Computers compromised in the first few days of the attack, worldwide.
Countries affected≈ 150Found on every continent, including Europe, Asia and America.
Total amount of ransoms paidApproximately $130,000Sum observed on the Bitcoin wallets associated with the attack.
Overall economic costSeveral billion dollarsEstimates range from $4 billion to $8 billion in losses, depending on the source.
Affected companiesTens of thousandsLarge industrial companies, hospitals, national administrations.

In concrete terms, public health services had to postpone thousands of appointments, production lines came to a standstill and transport was disrupted. The shock was such that, in many organizations, cybersecurity went from being a peripheral issue to a strategic, almost existential concern.

How did WannaCry manage to spread so quickly?

At this point, you’re probably wondering how a single piece of ransomware could have spread so widely, in such a short space of time. The answer lies in a combination of technical, organizational and human factors.

A critical Windows vulnerability exploited on a large scale

WannaCry exploits a vulnerability in the SMBv1(Server Message Block) protocol on Microsoft Windows systems, known as MS17-010. Microsoft had released a security patch in March 2017, some two months before the major attack in May 2017.

In fact, many organizations had not yet deployed this patch, sometimes for lack of time, sometimes for fear of disrupting older applications, sometimes simply because of the absence of a rigorous update process. WannaCry took advantage of this vulnerability, and spread from machine to machine, almost automatically.

A “worm” rather than simple ransomware

An important subtlety, often overlooked, lies in the mode of propagation. WannaCry is not just ransomware, it’s also a worm. In other words, it scans networks and actively seeks out other vulnerable machines to copy itself, without any user interaction.

In a corporate network, with workstations that are often interconnected and sometimes poorly segmented, a worm of this type can spread ubiquitously, in a matter of minutes, and quickly overwhelm the reaction capacity of internal teams.

Obsolete systems and inadequate patch management

Another decisive factor was the presence of numerous obsolete or unmaintained systems in the affected organizations. We have observed, for example, workstations running Windows XP or Windows Server 2003, systems already out of standard support, but still used to control industrial equipment or specialized terminals.

These machines, rarely rebooted and sometimes considered too “sensitive” to be updated, proved to be ideal entry points for WannaCry, and facilitated a systemic spread that was difficult to contain.

What lessons can you draw from WannaCry, for you today?

The good news is that the WannaCry episode served as a trigger, almost cathartic, for many organizations. It brutally highlighted the weaknesses of certain practices, and showed that a coordinated, and regular, effort can significantly reduce risk.

If you project yourself into your own context, whether you’re an executive, an IT manager, or just a concerned user, a number of concrete lessons emerge.

1. System upgrades no longer optional

The first, essential lesson: a system that hasn’t been updated exposes the entire organization, not just the workstation concerned. In the case of WannaCry, two elements are particularly telling:

  • The MS17-010 patch was available 2 months before the massive attack.
  • Organizations that applied the patch in time were generally spared, or only minimally affected.

For you, this translates into the need for a clear, documented and regular patch management process. Even if certain updates seem prosaic, or constraining, their absence can have a disproportionate impact, in the event of a vulnerability being exploited on a large scale.

2. Reliable backups are your ultimate safety net

Another fundamental lesson concerns backups. Many of the organizations affected by WannaCry realized, in a hurry, that their backups were incomplete, poorly tested, or stored on media that were themselves accessible by the ransomware.

To limit the impact of ransomware, and get back up and running quickly, it’s crucial to have backups:

  • Regular: daily, or at least weekly, depending on the criticality of your data.
  • Unlinked: at least one copy must be offline, or logically isolated from the network.
  • Tested: restoration must be checked regularly, in an almost methodical way.

Despite the attack, organizations with robust backups were able to restore their systems, limit data loss, and often avoid paying the ransom – a decisive advantage.

3. Network segmentation limits propagation

WannaCry took advantage of poorly segmented networks, where an infected workstation could communicate too freely with the rest of the infrastructure. Further compartmentalization turns your network into a series of watertight compartments, drastically limiting the lateral spread of malware.

In concrete terms, this means :

  • Isolate critical servers from user workstations using strict filtering rules.
  • Separate production, test and administration environments.
  • Restrict the use of older protocols, such as SMBv1, to only those cases where it is absolutely necessary, or even disable them altogether.

So even if an entry point is compromised, the attack remains contained, and your response capabilities remain intact.

Wannacry ransomware

What concrete actions can be taken against ransomware, including WannaCry?

Let’s move on to a more operational plan of action, which you can adapt to your organization, whether large or small. The aim is to reduce, as far as possible, the probability of infection, and the impact of an incident should it nevertheless occur.

1. Implement a rigorous update policy

This is often the most cost-effective measure, yet it is sometimes overlooked. An effective policy should include :

  • A precise inventory of the systems and software used in your organization.
  • Automatic or semi-automatic deployment of security patches.
  • Rapid but systematic testing on a small perimeter, prior to global deployment.
  • Follow-up of obsolete systems, with a plan for replacement or reinforced isolation.

By doing so, you significantly reduce the attack surface, facing not only WannaCry, but a whole myriad of other malware as well.

2. Disable legacy protocols where possible

WannaCry exploited an old, vulnerable version of the SMB protocol. A good practice is to disable, or restrict, protocols considered obsolete, whenever possible without compromising your operations.

In other words, it may make sense to :

  • Disable SMBv1, except in very specific, duly justified cases.
  • Limit the exposure of sensitive services to the outside world, via firewalls and access control lists.
  • Implement the principle of least privilege, so that each department, each user, has only the rights that are strictly necessary.

These adjustments, sometimes perceived as technical, have a very tangible effect on the overall resilience of your information system.

3. Reinforce protection of workstations and servers

At the same time, technical protection for workstations and servers remains essential. This includes :

  • An up-to-date, properly configured antivirus or endpoint security solution.
  • Email filtering of attachments and links.
  • Blocking, wherever possible, the execution of unknown or unapproved programs.
  • Security event logging, to facilitate early detection and incident analysis.

Far from being a panacea, these measures nonetheless increase your ability to detect, and block, an attack before it spreads widely.

4. Raising user awareness in a pragmatic way

WannaCry spread primarily via a network vulnerability, but many ransomwares, before and after it, use human error, as leverage for infection. That’s why, beyond technology, user awareness is a decisive pillar.

It’s useful, for example, to explain clearly to your teams :

  • How to recognize a suspicious e-mail, a dubious attachment or an incoherent link.
  • Why you should never plug in unknown USB sticks, no matter how innocuous it may seem.
  • What are the best practices for passwords and multi-factor authentication?
  • How to react immediately in case of doubt: alert, isolate the machine, do not restart without instructions.

Regular, practical training with realistic examples helps to turn your staff from a weak link into an active line of defense.

5. Prepare an incident response plan

Finally, despite all precautions, there is no such thing as zero risk. That’s why having a clear, tried-and-tested incident response plan is an essential part of your system.

This plan should explicitly specify :

  • Who to alert in the event of suspected ransomware, and through which channel.
  • How to quickly isolate a compromised machine or network segment.
  • What are the priority restoration steps from backups?
  • Which external contacts to mobilize, if necessary (cyber insurer, service provider, competent authorities).

By preparing these procedures in advance, you save precious time, and reduce the risk of improvised, sometimes costly, decisions in a panic.

Should you pay the ransom in the event of a WannaCry-type attack?

The question often arises, especially when critical data is encrypted, and emotional pressure is high. In the case of WannaCry, many organizations didn’t pay, either because they had backups, or because they strongly doubted the attackers’ real ability, to restore the data.

From a general point of view, paying ransom remains inadvisable, for several reasons:

  • There’s no guarantee that you’ll get your data back, even if you pay.
  • You are potentially financing the pursuit of criminal activities.
  • You risk being identified as a “solvent” target, and therefore targeted again.

It’s precisely to avoid this dilemma that it’s so important to invest upstream in prevention, safeguards and operational readiness.

In conclusion: from the WannaCry episode, towards more mature cybersecurity

If we take a step back, WannaCry acted as an almost brutal revelation of the fragilities accumulated, over the years, in many information systems. But it also showed that with more mature practices, regular updates, reliable backups, and a better-prepared organization, the impact of this type of attack can be greatly mitigated.

Putting yourself in your own shoes, whether you’re in charge of a small structure, a large group, or an ordinary user, the essential thing to remember is that protection against ransomware is not out of reach. It relies on a combination of technical gestures, organizational rigor, and human awareness, admittedly demanding, but perfectly realistic.By adopting these good practices, learning from the lessons of WannaCry, you durably strengthen the resilience of your systems, gain peace of mind, and reduce the likelihood that your organization will, one day, find itself paralyzed by an unexpected ransomware screen.

Article rédigé par

17 December 2025
KEEP IN TOUCH
SUBSCRIBE TO OUR NEWSLETTER
By entering your email address, you agree to receive the Databack newsletter. You can unsubscribe at any time by clicking on the unsubscribe link at the bottom of the content. You can consult our privacy policy to find out more.
Databack Linkedin