WannaCry is a
cryptoworm, which targeted computers running the
operating system by encrypting data and demanding ransom payments in the
[a] It is considered a network worm because it also includes a "transport" mechanism to automatically spread itself. This transport code scans for vulnerable systems, then uses the
EternalBlue exploit to gain access, and the
DoublePulsar tool to install and execute a copy of itself.
EternalBlue is an
exploit of Windows'
Server Message Block (SMB) protocol released by
The Shadow Brokers. Much of the attention and comment around the event was occasioned by the fact that the U.S.
National Security Agency (NSA) had already discovered the vulnerability, but used it to create an exploit for its own
offensive work, rather than report it to Microsoft.
 Microsoft eventually discovered the vulnerability, and on
Tuesday, March 14, 2017, they issued security bulletin MS17-010, which detailed the flaw and announced that
patches had been released for all Windows versions that were currently supported at that time, these being
Windows Server 2008,
Windows Server 2012, and
Windows Server 2016, in addition to
Windows Vista (which had recently ended support).
DoublePulsar is a
backdoor tool, also released by The Shadow Brokers on 14 April 2017. Starting from 21 April 2017, security researchers reported that computers with the DoublePulsar backdoor installed were in the tens of thousands.
 By 25 April, reports estimated the number of infected computers to be up to several hundred thousands, with numbers increasing exponentially every day.
 The WannaCry code can take advantage of any existing DoublePulsar infection, or installs it itself.
When executed, the WannaCry malware first checks the "
kill switch" domain name;
[b] if it is not found, then the ransomware
encrypts the computer's data,
 then attempts to exploit the SMB vulnerability to spread out to random computers on the Internet,
 and "laterally" to computers on the same network.
 As with other modern ransomware, the
payload displays a message informing the user that files have been encrypted, and demands a payment of around $300 in
bitcoin within three days, or $600 within seven days.
hardcoded bitcoin addresses, or "wallets", are used to receive the payments of victims. As with all such wallets, their transactions and balances are publicly accessible even though the
cryptocurrency wallet owners remain unknown.
Several organizations released detailed technical writeups of the malware, including Microsoft,