The resulting wave of online chaos affected tens of thousands of machines worldwide, snarling operations at the Russian Interior Ministry, Spanish telecommunications giant Telefónica and Britain's National Health Services (NHS), where hospitals were hobbled and medical procedures interrupted.
Hospitals across England have canceled appointments and turned away patients after suffering an apparent cyberattack.
(AP Photo/Paul White). A security guard stands outside the Telefonica headquarters in Madrid, Spain, Friday, May 12, 2017. Earlier in the day a researcher for Kaspersky Lab 45,000 attacks in 74 countries, and said that WCry's list of victims was "growing fast".
Here's what happened: Unknown attackers deployed a virus targeting Microsoft servers running the file sharing protocol Server Message Block (SMB).
People walk past a Megafon mobile phones shop in Moscow, Russia, Saturday, May 13, 2017.
Companies in the USA have started seeing the attack appear on some machines. It has hit computer networks across the globe in more than 60 countries. This one worked because of a "perfect storm" of conditions, including a known and highly unsafe security hole in Microsoft Windows, tardy users who didn't apply Microsoft's March software fix, and malware created to spread quickly once inside university, business and government networks.
Many companies and individuals have not installed the fixes yet or are using older versions of Windows that Microsoft no longer supports and did not fix.
Microsoft released a patch to address the vulnerability, but networks that did not adopt it would have remained vulnerable.
For instance, the Conficker virus, which first appeared in 2008 and can disable system security features, also spreads through vulnerabilities in internal file sharing.
The attack, which locked up computers and held users' files for ransom, was believed the biggest of its kind ever recorded. "WannaCry" relies on an exploit discovered by the NSA and leaked by a hacker collective known as The Shadow Brokers back in April; if the exploit was disclosed and patched in a timely manner, this epidemic could have been prevented. As Sean Dillon, the RiskSense security analyst who reverse engineered DoublePulsar, told ThreatPost: "This is the most critical Windows patch since [Conficker]", which is one the largest similar infections to date.
The spread of the attack appears to have been thwarted by private cybersecurity researchers who identified and triggered the malware's "kill switch", which halted the attacks before it spread throughout US networks, a senior USA intelligence official confirmed, but it is unclear whether, the official said, a modified attack will soon be launched. An unidentified young cybersecurity researcher claimed to help halt WannaCry's spread by activating a so-called "kill switch". The government is closely monitoring the situation, the Cabinet's Department of Cyber Security said. Experts say this vulnerability has been understood among experts for months, yet too many organizations either failed to take it seriously or chose not to share what they'd found.
That quick thinking may have saved governments and companies millions of dollars and slowed the outbreak before US -based computers were more widely infected. The ransomware will persist on systems already infected.
British cybersecurity expert Graham Cluley doesn't want to blame the NSA for the attack.
"The impact on the USA seems to be negligible - very tiny impact, very few victims", the senior intelligence official told ABC News on Saturday. Because they could have done something ages ago to get this problem fixed, and they didn't do it, Cluley said.