In an attack predicted by cyber security experts for months , a yet unknown actor or actors integrated the EQUATIONGROUP APT exploits leaked by ShadowBrokers in a worldwide ransomware worm attack Attack.Ransom , infecting tens of thousands of endpoints in a matter of hours . On Friday , May 12 , a new ransomware , called WannaCry , began circulating throughout the United Kingdom and Spain , rapidly infecting over 45,000 exposed servers at healthcare , financial , and other business sectors . This ransomware stood out for several reasons , including being the largest ransomware attack Attack.Ransom in history , and the first widely spread ransomware worm . The ransomware infection is Version 2.0 of WanaCypt0r ( also known as WCry , WannaCry , and WannaCryptor ) . Unlike previous instances , this version takes advantage of the SMB vulnerability outlined in Microsoft Security Bulletin ( MS17-010 ) . This vulnerability was first exploited Vulnerability-related.DiscoverVulnerability by the ETERNALBLUE malware , revealed Vulnerability-related.DiscoverVulnerability by the ShadowBrokers leak Attack.Databreach in March , and targeted the Microsoft MS17-010 SMB vulnerabilities . SMB ( Server Message Block ) is a protocol primarily communicating on port 445 and is designed to provide access to shared resources on a network . Last fall , Microsoft propounded system administrators to disable SMB Version 1 on systems . According to a FBI FLASH Alert ( TLP : White ) received by Recorded Future , the WannaCry ransomware infects initial endpoints via a phishing campaign or compromised RDP ( remote desktop protocol ) . Once the ransomware gets into a network , it spreads quickly through any computers that don ’ t have the patch applied . The worm-like capabilities are the new feature added to this ransomware . During the May 12 attack , two of the most significant targets were Telefonica , the Spanish telecommunications giant , and the United Kingdom ’ s National Health Service . In the United States , the shipping firm FedEx was hit by the ransomware . Infections of the new version of WannaCry started in Spain early on May 12 , but quickly spread to the United Kingdom , Russia , Japan , Taiwan , the United States , and many more . In total , almost 100 countries were affected by the attack . New instances of this ransomware worm dramatically decreased following the activation of a “ kill-switch ” in the ransomware . A security researcher going by the Twitter handle @ MalwareTechBlog noted an unregistered domain ( www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea [ . ] com ) in a sample of the malware . WannaCry checked to ensure non-registration of the domain at some point prior to infection . According to the researcher , this was likely intended as a way to prevent analysis of the malware in a sandbox . If the domain is registered , WannaCry exits the system , preventing further infection . While this doesn ’ t benefit victims already infected , it does curb further infection . Additionally , according to security researcher Didier Stevens , WannaCry isn ’ t proxy aware , so enterprises utilizing a proxy won ’ t benefit from the “ kill-switch. ” Spora ransomware , which began circulating in January of this year , is a ransomware noted for its sophistication , including top-notch customer support to victims , and was likely created by professional malicious actors . Research in Recorded Future identified an early warning bulletin on WannaCry published on May 5 , 2017 by the Spanish CERTSI ( Computer Emergency Response Team for Security and Industry ) . The CERTSI bulletin cited numerous ransomware attacks Attack.Ransom using WannaCry targeting on equipment . It appears Russian cyber criminals were equally perplexed by the WCry campaign Attack.Ransom as the rest of the world . One of the members of the popular underground community complained about the recently purchased Virtual Private Server ( VPS ) which was almost immediately infected by ransomware even before the system update was completed . At least three separate Bitcoin wallets , controlled by unknown criminals were identified as part of the ransomware campaign . As of this writing , little over 15 Bitcoins or approximately $ 26,000 were deposited to wallets controlled by unknown criminals . In the Reference section of the WCry Intel Card , we see this factsheet posted towards a GitHub page where security researcher Mark Lee helpfully wrote a running compilation of information on WannaCry ransomware . Early identification of these types of resources during an evolving situation can greatly assist a security analyst gain insight to the nature of the threat and crowdsource solutions .