Massimiliano Brolli : 3 August 2025 11:00
May 12, 2017, was a special day.
For many, it will mean nothing, but others will remember it well, because it was a hectic and eventful day as the world was catapulted into the first global ransomware infection in history.
In fact, May 12 is remembered as Day 0 of WannaCry, the malware that encrypted the contents of a computer and demanded a ransom.
It all began on the morning of May 12, 2017, when Telefónica (the well-known Spanish telecom operator) issued a statement telling its employees to shut down their computers because of an ongoing cyber attack.
Within hours, WannaCry was claiming victims around the world. The New York Times published an interactive map showing the progress of infection hotspots in near real time, and the whole world went on alert, adding the word "ransomware" to everyday vocabulary: malware that encrypts the data on a PC and demands a ransom to decrypt it.
But leaving aside the weaponization, the EternalBlue exploit, The Shadow Brokers, and the "Lost in Translation" leak (which we have covered at length), today we will focus on the more historical side of a global infection that compromised an estimated 230,000 computers in 150 countries, including Russia, China, the USA, the UK, and, of course, Italy.
WannaCry affected Windows systems, and in December 2017, after a series of investigations, the US government publicly held North Korea responsible for the attack, although North Korea has always denied any involvement.
Among the organizations hit hardest were many National Health Service hospitals in England and Scotland, with some 70,000 devices held hostage, including MRI scanners, blood-storage refrigerators, and other medical equipment.
The then thirty-four-year-old Park Jin Hyok was named as the author of WannaCry in a 179-page criminal complaint released by the United States Department of Justice in September 2018. The same complaint charged him in connection with the attack on Sony Pictures Entertainment and a series of attacks on banks around the world, and linked him to the Lazarus APT group.
Park is credited with writing the WannaCry malware, but in this very tangled story, since May 12, 2017, other figures have stepped forward to defend the planet from this cyber pandemic.
I'm talking about Marcus Hutchins, known as MalwareTech, who, during the acute phase of the outbreak, was analyzing the first samples of the malware when he discovered that it contained what is known in technical jargon as a "kill switch", a sort of "switch capable of stopping the infection".
Before doing anything else, WannaCry tried to reach a hard-coded, unregistered domain. If the request failed (as it did while the domain was unregistered), the malware went on to encrypt the machine and spread over the network; if the request succeeded, the malware simply exited.
Kill switch present in the WannaCry ransomware
MalwareTech simply registered the domain, an investment of about $10 at the time, initially intending to sinkhole it and track the spread of the infection. He soon realized that WannaCry's own logic checked whether the domain answered and, if it did, halted the infection. Variants with different kill-switch domains, and later ones with no kill switch at all, appeared within days, so the fix bought time rather than ending the outbreak.
Marcus Hutchins called MalwareTech
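The kill switch leaves a trace that is still useful to a defender: a DNS query for the domain from an internal host. The block below is an added example by the editor, not code from the original article or from MalwareTech, showing how a SOC could hunt for that trace in resolver logs. The domain is the one reported in public analyses of the first WannaCry variant; the log format (timestamp, client IP, query name, response code, loosely modelled on Zeek's dns.log) and the sample lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Kill-switch domain of the first WannaCry variant, as reported in public
# analyses from May 2017. Later variants used other domains; extend the set
# with whatever your threat intel feed lists.
KILL_SWITCH_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}

# Constructed sample resolver log (not real data): ts, client, qname, rcode.
SAMPLE_DNS_LOG = """\
1494590400.123 10.0.5.17 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
1494590401.456 10.0.5.17 www.example.com NOERROR
1494590402.789 10.0.7.42 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR
1494590403.001 10.0.9.99 mail.example.com NOERROR
1494590404.555 10.0.5.17 IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. NXDOMAIN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<src>\S+)\s+(?P<qname>\S+)\s+(?P<rcode>\S+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: float
    src: str
    qname: str
    rcode: str
    verdict: str


def normalise(qname: str) -> str:
    """Lower-case and strip the trailing dot so FQDN spellings match."""
    return qname.rstrip(".").lower()


def classify(rcode: str) -> str:
    # NXDOMAIN: the domain was unregistered (or egress-filtered) when the
    # host asked, so the kill switch could not fire and the sample went on
    # to encrypt and spread. NOERROR: the domain resolved, so a halt was
    # possible, but only if the follow-up HTTP request also got through.
    return "halt_possible" if rcode == "NOERROR" else "halt_impossible"


def scan_dns_log(text: str) -> list[Hit]:
    """Return every query for a known kill-switch domain, with a verdict."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed or blank lines rather than crash
        qname = normalise(m["qname"])
        if qname in KILL_SWITCH_DOMAINS:
            hits.append(Hit(float(m["ts"]), m["src"], qname, m["rcode"],
                            classify(m["rcode"])))
    return hits


def triage(text: str) -> dict[str, str]:
    """One verdict per client, keeping the worst case seen for that host."""
    worst: dict[str, str] = {}
    for h in scan_dns_log(text):
        if h.verdict == "halt_impossible" or h.src not in worst:
            worst[h.src] = h.verdict
    return worst


if __name__ == "__main__":
    for src, verdict in sorted(triage(SAMPLE_DNS_LOG).items()):
        print(f"{src}: {verdict}")
```

Any host that queried the domain at all ran the sample and needs isolation; the verdict only tells you how urgent it is. Two caveats a practitioner should keep in mind: a resolved name does not prove the HTTP request succeeded (an egress firewall can still block it, and the malware did not use the system proxy settings, so proxied networks got no protection from the sinkhole), and hosts whose resolver is the proxy itself will never appear in this log at all.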
WannaCry will be remembered as a "biblical" event in the cybersecurity literature, a global case recognized by everyone, a sort of ILOVEYOU that was larger, more technologically advanced and, above all, more pervasive.
Ransomware today is a major threat to every organization, large or small, and the new ransomware is unforgiving: if you don't pay, the attackers publish the data they stole before encrypting it, causing enormous damage to the victim.
This is the RaaS (Ransomware as a Service) model, in which one group of criminals develops the software and affiliates use it to launch attacks. It is a lucrative arrangement for everyone involved, and it is creating more and more problems for organizations, with major incidents and staggeringly high ransoms.
When will the Ransomware phenomenon end?
To date, it has been steadily rising.
Years have passed since WannaCry, but ransomware has matured and its threat level is now on a par with APTs, as attackers use better tools and learn from past mistakes to maintain persistence inside organizations.
So let's pay attention: be extremely careful when opening an attachment in an email of dubious origin, and remember that WannaCry itself needed no email at all, only an unpatched SMB service reachable over the network, so patch promptly and keep services like SMB off the internet.
You’ve been warned!