WannaCry Hit. Here's What It Actually Exposed.


WannaCry wasn't sophisticated. It was a known exploit with a patch already out. The real failure was organizational, and it's one most companies are still making right now.

Friday morning, I’m watching hospitals in the UK go dark. NHS trusts diverting ambulances. Factories shutting down production lines. Hundreds of thousands of machines locked up across 150 countries. My first move was checking every system I could reach at the fintech startup. We were fine: patched, segmented, no SMB exposed to the internet. But I spent the next few hours glued to the reports rolling in, and honestly, I was angry.

Not at the attackers. At the state of basic security hygiene across the industry.

WannaCry wasn’t clever. The underlying exploit, EternalBlue, targets Windows SMB on port 445. Microsoft patched it on March 14th, two months before the outbreak. The Shadow Brokers dumped the exploit publicly on April 14th. Everyone had a full month of loud, public warning that a weaponized remote code execution tool was in the wild, targeting a protocol that has no business being on the internet.

And still. Two months after the patch. Carnage.

How It Spread So Fast

No phishing needed. No user clicking a dodgy link. WannaCry scanned for port 445, fired the exploit, installed itself, encrypted everything, and moved to the next machine. Fully automated. One infected box on a flat network could rip through thousands of peers in minutes.

A researcher accidentally tripped a kill switch by registering a domain the malware checked before executing. Lucky break. It didn’t undo any of the damage already done, and a modified variant without that check was trivial to create (and was created).

Why It Worked (And Why I’m Not Surprised)

One thing NATO cyber defense drills into you: attackers don’t need to be brilliant. They need you to be lazy. WannaCry is the textbook case.

Nobody patched. MS17-010 was out for weeks. Plenty of organizations hadn’t touched it. Some didn’t even know which machines they had running SMB. You can’t patch what you haven’t inventoried.

Networks were wide open internally. Flat networks everywhere. Workstations sitting on the same segment as file servers and critical infrastructure. Once the worm got in, there was nothing slowing it down. Segmentation isn’t sexy. It’s the difference between losing one machine and losing everything.

Port 445 on the public internet. Just… why. SMB should never be internet-facing. Yet scan any IP range and you’ll find it. Misconfigurations, forgotten firewall rules, “temporary” exceptions that became permanent.

Legacy systems with no path forward. Windows XP. Windows Server 2003. Long out of support, no patches coming. Microsoft actually broke precedent and released emergency fixes for those versions, but by then the damage was done. If your business runs on software the vendor abandoned, you’ve accepted a risk most people don’t want to say out loud.

What You Should Do Right Now

This isn’t complicated. That’s the frustrating part.

Patch MS17-010 on every Windows box you own. Today. If you don’t know where all your Windows boxes are, that’s problem number one.

Kill SMBv1 wherever you can. Block port 445 at every perimeter. If someone pushes back, ask them to explain why they need a 30-year-old file sharing protocol exposed to the world.

Segment your networks. Workstations shouldn’t be able to talk to servers they don’t need. Servers shouldn’t be able to reach other servers freely. This doesn’t require a massive project. Start with the obvious boundaries.

Test your backups. I mean actually restore from them. Ransomware turns into a bad day instead of an existential crisis if you can rebuild from clean backups. If you’ve never tested a restore, you don’t have backups. You have hope.

Have an incident response plan that people have actually practiced. When a worm moves this fast, you need isolation procedures ready to go. Not a document collecting dust in a shared drive: real muscle memory.

The Uncomfortable Truth

WannaCry didn’t exploit anything new. It exploited the gap between knowing what to do and actually doing it. Patch management, network segmentation, exposure reduction, backup testing: none of this is novel. It’s been best practice for years. Decades, even.

The organizations that got hit weren’t unlucky. They were behind on fundamentals. The ones that came through fine weren’t running some advanced threat intelligence platform. They just did the boring stuff consistently.

That’s the lesson. Do the boring stuff. Do it now. Because the next WannaCry won’t come with a kill switch.