WannaCry Ransomware attack: How it spread and how it could be avoided

Hackers exploiting malicious software stolen from the National Security Agency executed on Friday one of the most destructive cyber-attacks ever seen. The malware forced Britain’s public health system to send patients away, froze computers at Russia’s Interior Ministry, and brought down more than 200,000 systems in 150 countries.

Spread via email, the malicious software WannaCry used vulnerabilities in older versions of Microsoft Windows to take control of users' files and demand $300 worth of bitcoin to release them. According to the analysis of the two bitcoin addresses to which the software demanded payment, the hackers have so far gathered only $42,000 in ransom payments from about a hundred victims.

Ransomware message

The cyber-attack's timeline

May 12th Early morning - The first infection happened on Friday morning with a simple phishing email. A computer user in Europe opened an attachment to an email that allowed the hackers into their system. After that, the hackers began to encrypt the contents of the computer, and a message was shown on the user’s computer screen asking for $300 worth of bitcoin to give back control over the files.

Spanish mobile operator Telefonica was among the first large organisations to report the cyber-attack. On Friday morning, employees across the company found themselves locked out of their computers. Telefonica subsidiaries in Portugal and South America were affected too. The impact of the attack was limited to computers on an internal network and had not affected clients or services.

May 12th, 12:30 pm BST time – Hospitals across the UK reported problems to the UK’s National Cyber Incident Response Centre. The impact of the cyber-attack was especially serious in the UK, with one in five National Health Service trusts affected. Emergency services were affected, and hospital facilities across the country were brought down by the malicious software.

The list of affected organisations would increase dramatically in Europe during the next few hours, with Russia being one of the most affected countries. The Russian Interior Ministry confirmed in a statement that 1,000 of its computers had been infected.  Russian mobile phone provider MegaFon and Sberbank also were reported to be hit by the cyber-attack.

Germany’s main railway operator Deutsche Bahn was equally affected.  Passenger information displays were inoperative in some stations, as were some ticket machines. In France, some Renault factories had to stop production because of the ransomware attack.


In the days to follow, the cyber-attack had hit more than 100 countries around the world. Chinese petrol stations payment systems were brought down, and a large number of colleges and students in China were affected by the attack. In the US, the global shipping company FedEx’s logistical operations were disrupted.

May 14th - The European police agency Europol warned that the situation could worsen when workers return to their offices on Monday after the weekend. However, the agency claimed today to have avoided further fallout from a global cyber-attack. “The number of victims appears not to have gone up, and so far the situation seems stable in Europe, which is a success,” senior spokesman for Europol, Jan Op Gen Oorth told AFP.

How could this cyber-attack be avoided?

  • Patch updates. The best defence against such ransomware cyber-attacks is to ensure patch updates are regularly applied with appropriate priority to systems hosting critical data. “The challenge is to prioritise the patch update process and the systems needing the patch based on criticality of data and services. This is where decision support systems such as RHEA Group’s PSec solution come in,” said Douglas Wiemer, RHEA Group’s Director, Security and Crisis Management.

  • Security awareness training. The cyber-attack started with a simple phishing email and could have been avoided with the right cybersecurity training. “Employees need to be aware of the threat environment and their role in avoiding and reacting to cyber-attacks. This is an important part of the cyber defence strategy, and it is often underestimated,” said Gerry Deneault, RHEA Inc’s Vice President, Business Development.

  • Data protection. Having proper data protection measures, such a comprehensive backup strategy is important to mitigate the risk associated to ransomware attacks. Proper backups ensure that critical data is available and can be restored, independent of the cyber-attacker demands.  Paying the ransom should always be avoided as there are no guarantees the cyber-attacker will release the data even if the ransom is paid.

  • Incident response plans. In case such an incident would occur, companies need to have an effective incident management process in place in order to minimize its business impact. “If affected, step one would be to disconnect your computer from the network instantly, to avoid further propagation of the attack,” said Vincent Van Dongen, RHEA Group’s Business Developer, Cybersecurity.


RHEA Group has developed a security method to secure the most advanced, complex organizations and critical infrastructure. Discover the four packages of our revolutionary security solution.