> series: anatomy_of_a_breach —— part: 101 —— weapon: wannacry —— nhs_trusts_affected: 80 —— appointments_cancelled: 13,500
On 12 May 2017, a ransomware worm called WannaCry began spreading across the internet using the EternalBlue exploit — the NSA tool released by the Shadow Brokers one month earlier. WannaCry was a self-propagating worm: once it infected a single machine on a network, it scanned for other vulnerable Windows systems and spread automatically, encrypting files and demanding a $300 Bitcoin ransom. Within hours, over 200,000 computers across 150 countries were infected, including systems at Telefónica (Spain), Deutsche Bahn (Germany), FedEx (US), Renault (France), and — most devastatingly — the UK's National Health Service.
The National Audit Office's investigation found that 80 NHS trusts in England were affected, along with 595 GP practices. At least 13,500 appointments were cancelled, including 139 urgent referrals that were potentially cancer-related. Five A&E departments diverted patients to other hospitals. MRI scanners, blood-storage refrigerators, and theatre equipment were disrupted. Staff reverted to paper records and whiteboards. The NHS had been warned repeatedly about the risk of running unsupported Windows XP systems and failing to apply security patches. Microsoft had released the MS17-010 patch on 14 March — 59 days before WannaCry struck. The NHS had not applied it.
WannaCry's global rampage was halted — accidentally — by Marcus Hutchins, a 22-year-old British security researcher known online as MalwareTech. While analysing the malware, Hutchins noticed it attempted to connect to an unregistered domain name before encrypting files. He registered the domain for approximately $10 — and the act of registration activated a kill switch built into the malware, causing it to stop spreading. Hutchins had not known the domain was a kill switch; he registered it as part of routine malware analysis. Had the kill switch not existed — or had Hutchins not registered it — WannaCry would have continued spreading indefinitely.
| NHS Impact | Detail |
|---|---|
| Trusts affected | 80 out of 236 NHS trusts in England — 34% of all trusts |
| Appointments cancelled | At least 13,500 — including 139 urgent referrals potentially related to cancer |
| A&E diversions | 5 A&E departments were unable to treat some patients and diverted ambulances |
| GP practices disrupted | 595 GP practices across England |
| Operations cancelled | Approximately 19,500 appointments cancelled in the week following the attack |
| Windows XP exposure | Thousands of NHS computers still running end-of-life Windows XP (unsupported since 2014) |
| Patch available | MS17-010 released 14 March 2017 — 59 days before WannaCry. Cyber Essentials mandates 14-day patching. |
WannaCry is the single most important case study in the history of UK cybersecurity. A known vulnerability, with a patch available for 59 days, exploiting unsupported operating systems that had been flagged as a risk for years, spreading through unsegmented networks that had never been properly tested — and the result was the largest disruption to NHS services since its founding. Every element of the failure was preventable with controls that existed, were documented, and were available.
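The patch-window failure described above can be checked mechanically against an asset inventory. The following Python audit is an added example, not code from the article or the National Audit Office report: it measures each host's exposure to MS17-010 as of the outbreak date and flags breaches of the 14-day window and unsupported operating systems. The host names and inventory format are constructed, and the exact Windows XP end-of-support date (8 April 2014) is supplied here; the article gives only the year.

```python
from datetime import date

# Dates and policy figures taken from the article.
PATCH_RELEASED = date(2017, 3, 14)   # MS17-010 published
OUTBREAK = date(2017, 5, 12)         # WannaCry began spreading
PATCH_WINDOW_DAYS = 14               # Cyber Essentials patching window
# End-of-support dates; the article gives only the year 2014 for XP.
END_OF_SUPPORT = {"Windows XP": date(2014, 4, 8)}

# Constructed sample inventory (hypothetical hosts, not NHS data).
# ms17_010_installed is None when the patch was never applied.
INVENTORY = [
    {"host": "ward-pc-01", "os": "Windows 7", "ms17_010_installed": date(2017, 3, 22)},
    {"host": "ward-pc-02", "os": "Windows 7", "ms17_010_installed": date(2017, 4, 20)},
    {"host": "mri-ctl-01", "os": "Windows XP", "ms17_010_installed": None},
    {"host": "lab-srv-01", "os": "Windows Server 2008 R2", "ms17_010_installed": None},
]

def audit_host(rec, as_of=OUTBREAK):
    """Return (exposure_days, findings) for one inventory record at `as_of`."""
    findings = []
    eos = END_OF_SUPPORT.get(rec["os"])
    if eos is not None and as_of >= eos:
        findings.append("unsupported-os")
    installed = rec["ms17_010_installed"]
    # Exposure runs from patch release until install, or until as_of if still missing.
    patched = installed is not None and installed <= as_of
    end = installed if patched else as_of
    exposure = max((end - PATCH_RELEASED).days, 0)
    if not patched:
        findings.append("patch-missing")
    if exposure > PATCH_WINDOW_DAYS:
        findings.append("patch-window-breached")
    return exposure, findings

def audit(inventory, as_of=OUTBREAK):
    """Map host name -> (exposure_days, findings), worst exposure first."""
    rows = {r["host"]: audit_host(r, as_of) for r in inventory}
    return dict(sorted(rows.items(), key=lambda kv: -kv[1][0]))

if __name__ == "__main__":
    for host, (days, findings) in audit(INVENTORY).items():
        print(f"{host:12} exposed {days:3d} days  {', '.join(findings) or 'compliant'}")
```

A host patched late still shows a window breach even though it was protected on the day of the outbreak, which is the distinction a compliance report needs alongside the list of machines that were actually exposed.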
For every UK organisation — and especially for healthcare — the controls are the same ones this series has advocated for nine years: Cyber Essentials certification (14-day patching, MFA, unsupported software removal), penetration testing (validating that controls work), vulnerability scanning (identifying missing patches), SOC in a Box for Healthcare (continuous monitoring), and UK Cyber Defence incident response (managing the crisis when it arrives). WannaCry proved that these are not optional investments — they are the controls that determine whether the NHS can treat patients.
[Cyber Essentials](/cyber-essentials): 14-day patching, MFA, no unsupported software. [Vulnerability scanning](/vulnerability-scanning): find missing patches. [Penetration testing](/penetration-testing): validate controls. [SOC in a Box](https://www.socinabox.co.uk): monitor 24/7. Because the next WannaCry will not have a kill switch.