
Cyber Incident Victim: Cambrian College

Date: May 2017

Location: United Kingdom

Summary

The WannaCry ransomware attack exploited a Windows vulnerability via the EternalBlue tool, rapidly spreading across 150 countries and impacting over 230,000 systems, including government agencies, hospitals, and educational institutions such as Cambrian College. Attributed to North Korea's Lazarus Group, the wormable malware encrypted files and demanded Bitcoin payments, causing widespread operational disruption despite limited ransom collections. A cybersecurity researcher halted the initial wave by registering the malware's kill-switch domain and turning it into a DNS sinkhole, though residual infections persisted in subsequent incidents. The attack underscored the critical risk posed by unpatched systems and propelled global awareness of ransomware threats.


Description

The WannaCry ransomware attack began on May 12, 2017, initially infecting systems in Asia before rapidly spreading globally due to its wormable design leveraging the EternalBlue exploit. This exploit targeted a Windows vulnerability (MS17-010) that Microsoft had patched in March 2017, but unpatched systems remained exposed. The ransomware propagated automatically across networks, encrypting files on infected devices and demanding $300 in Bitcoin for decryption. Within hours, the attack reached 150 countries, with Russia, China, Ukraine, Taiwan, India, and Brazil experiencing the highest infection rates. Critical sectors including healthcare, transportation, education, and government agencies were disrupted, with notable impacts on UK National Health Service hospitals where emergency services were diverted and appointments canceled.


The attack's global spread was halted on May 16, 2017, when cybersecurity researcher Marcus Hutchins identified and activated a kill switch by registering a specific domain name that WannaCry attempted to contact before executing encryption. This DNS sinkhole prevented further propagation of the original variant, though attackers subsequently launched DDoS attempts against the kill switch domain using Mirai botnets. Approximately 330 victims paid ransoms totaling 51.6 Bitcoin ($130,634 at the time), while overall damages significantly exceeded ransom payments. Forensic analysis by the FBI and cybersecurity researchers linked the attack to North Korea's Lazarus Group through code artifacts. Residual WannaCry activity persisted post-containment, including a March 2018 incident at Boeing, while derivative strains like Petya and NotPetya continued exploiting the same vulnerability. Microsoft's patch ultimately remained the primary defense against reinfection.
