WannaCry is a strain of ransomware that emerged in the wild on May 12, 2017, and quickly spread to infect over 200,000 systems in more than 150 countries.

Also known as WannaCrypt, WanaCrypt0r, WCrypt, and WCRY, the WannaCry worm takes advantage of a specific exploit in Microsoft’s Server Message Block (SMB) protocol codenamed “EternalBlue” and uses phishing e-mail scam tactics to infect older, unpatched Microsoft Windows systems.

Potential Damage of WannaCry Mitigated by Security Patch and Kill Switch

Microsoft patched the “EternalBlue” SMB security flaw in an update advisory released on March 14th (MS17-010), although it only applied to Windows 10 at the time. WannaCry, however, was developed to target unpatched Windows 7 and Windows Server 2008 and earlier operating systems.

Following the discovery of WannaCry in the wild, Microsoft extended the new SMB patch to additionally cover Windows XP, Windows 7, Windows 8 and Windows Server 2003 operating systems.

While these security patches have helped mitigate the potential spread of WannaCry, many Windows systems remain behind on recent security patches and as a result continue to be vulnerable to ransomware like WannaCry and other malware.

The potential damage of WannaCry has also been mitigated by the triggering of a “kill switch” found in the WannaCry code. The code was designed to attempt to connect to a specific domain and to infect systems and spread further only if that connection fails. Since WannaCry emerged in the wild, the domain name in its code has been registered and set up, which has limited the further spread and damage of the initial strain of WannaCry.

How WannaCry Works and Spreads

WannaCry has two main components: a dropper Trojan that seeks to exploit the SMB security vulnerability on older, unpatched Windows systems and the ransomware itself.

Systems infected by WannaCry are used to attempt to infect other unpatched Windows systems on the local network as well as across the Internet.

WannaCry Ransomware

On infected machines, WannaCry encrypts all the files it finds and renames them with a .WNCRY file name extension. WannaCry then creates a ransom message in each directory and replaces the background wallpaper image with a ransom message demanding users pay $300 in Bitcoin currency in order to have all their files decrypted and restored to normal.

Protecting Against WannaCry and Other Ransomware / Malware Attacks

To protect systems from WannaCry and other forms of ransomware and malware, Microsoft recommends upgrading to Windows 10, which isn’t vulnerable to the WannaCry / WannaCrypt variants.

Users are also encouraged to install the SMB security update on older Windows systems and to stay current on all security patches and updates through the Windows Update service.

Additionally, users can disable SMB if desired by following the instructions in this Microsoft Knowledge Base Article, or restrict SMB traffic by adding a rule on the network router or software firewall to block incoming SMB traffic on port 445.
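
The two host-level steps above (disabling SMB and blocking incoming traffic on port 445) can be checked and applied with a short PowerShell script. This is an added example, not part of the original article or of Microsoft's guidance; it assumes Windows 8 / Server 2012 or later, treats "disable SMB" as disabling the SMBv1 server protocol, and uses a made-up firewall rule name.

```powershell
#Requires -RunAsAdministrator
# Added example: audit (and optionally harden) SMB exposure on one Windows host.
# Assumption: SmbShare and NetSecurity modules are present (Windows 8 / Server 2012+).
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Harden,   # without this switch the script only reports
    [string]$RuleName = 'Block inbound SMB TCP 445 (example)'   # hypothetical label
)

# 1. Is the SMBv1 server protocol still enabled?
$smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol

# 2. Is the host listening on TCP 445 at all?
$listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

# 3. Is there already an enabled inbound block rule that names TCP 445?
$blockRule = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
    Where-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        $filter.Protocol -eq 'TCP' -and $filter.LocalPort -contains '445'
    } | Select-Object -First 1

if ($Harden) {
    if ($smb1Enabled -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $smb1Enabled = $false
    }
    if (-not $blockRule -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Add inbound block rule for TCP 445')) {
        $blockRule = New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block
    }
}

# Emit one object per host so results can be collected and compared.
[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    Smb1ServerEnabled = $smb1Enabled
    ListeningOn445    = $listening
    InboundBlockRule  = if ($blockRule) { $blockRule.DisplayName } else { $null }
}
```

Run it without `-Harden` to report only, or with `-Harden -WhatIf` to preview the changes. Blocking inbound port 445 stops the host from serving file shares, so the firewall step fits workstations rather than file servers.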

Forrest Stroud
Forrest is a writer for Webopedia. Experienced, entrepreneurial, and well-rounded, he has 15+ years covering technology, business software, website design, programming, and more.
