EternalBlue, WannaCry & NotPetya — How an NSA-Leaked Windows SMB Exploit Cost $10 Billion: Anatomy of 2017’s Internet-Shaking Worm

EternalBlue is the canonical case of how nation-state cyber capability, when leaked, becomes universal threat infrastructure. NSA developed EternalBlue for intelligence operations; the Shadow Brokers stole and leaked it; criminal and state-sponsored threat actors weaponised it within weeks. The resulting attacks (WannaCry and NotPetya) caused unprecedented damage and reshaped how the world thinks about cyber-weapon proliferation, vulnerability hoarding by intelligence agencies, and patch management. This post reconstructs the technical chain, contextualises the damage, and identifies the lessons that continue to shape policy.

What happened — Shadow Brokers leak and the EternalBlue weaponisation

The Shadow Brokers — a hacker group whose origins remain unclear but is widely suspected to be linked to Russian intelligence services — emerged in August 2016 and began releasing leaked NSA cyber tools. Multiple releases over the following months progressively exposed NSA capabilities. The 14 April 2017 release was particularly consequential: it included EternalBlue, EternalRomance, EternalSynergy, EternalChampion, DoublePulsar (a kernel-mode backdoor that EternalBlue payloads installed), and other exploits. EternalBlue technical details: the exploit targeted CVE-2017-0144, a buffer overflow in the Windows SMB v1 protocol implementation. Specifically, the SMBv1 server’s handling of crafted SMB_COM_TRANSACTION2 packets allowed an unauthenticated remote attacker to execute arbitrary code on the target system. The exploit was sophisticated, reliable, and worked against Windows XP, Vista, 7, 8, and Server 2003-2012 R2. After exploitation, the attacker could install DoublePulsar — a stealthy kernel-mode backdoor — for persistent access. The patch timeline: NSA had developed EternalBlue years before the Shadow Brokers leak. NSA reportedly informed Microsoft about the underlying vulnerability sometime in early 2017 (after concerns about the impending Shadow Brokers release). Microsoft released MS17-010 on 14 March 2017 — one month before the public Shadow Brokers release. Organisations that patched promptly were protected; those that did not (a substantial population) remained vulnerable.

WannaCry — 12 May 2017, 300,000 computers, 150 countries

On 12 May 2017, WannaCry was released. The malware combined EternalBlue (for propagation) with a ransomware payload (encrypting files and demanding $300-$600 in Bitcoin). Once running on a victim system, WannaCry would: (1) attempt to contact a hard-coded domain (the kill switch); (2) if the domain didn’t respond, encrypt files and propagate via SMB to other reachable systems. The kill-switch discovery: security researcher Marcus Hutchins (then known as MalwareTech) noticed that WannaCry attempted to contact an unregistered domain. He registered the domain (~$10) for analysis purposes, accidentally activating WannaCry’s built-in kill switch — the malware checked if the domain responded, and if it did, halted execution. This single act dramatically slowed the WannaCry spread. The damage by 12-13 May 2017: (1) NHS UK. Approximately 60+ hospital trusts affected; multiple emergency rooms diverting ambulances; surgeries cancelled; estimated impact ~£90 million in direct costs plus substantial patient-care disruption. (2) Telefónica Spain. Major impact across one of Spain’s largest companies. (3) FedEx. Significant operational disruption. (4) Russian railways and Indian banks. Russian Ministry of Internal Affairs, Russian Railways, Megafon (Russian telco), Indian banking infrastructure, German railways, Renault factories, dozens of others. (5) Total spread. Approximately 300,000 computers across 150 countries. Attribution to Lazarus Group / North Korea: based on technical analysis (code overlap with previous Lazarus operations) and public US, UK government attribution statements. The WannaCry payment infrastructure was poorly designed — payments could not be tracked to victims, decryption keys were not reliably delivered. The attack was, by ransomware standards, an operational failure for the attackers; total Bitcoin received was approximately $130,000 (small for the scale of damage caused).

NotPetya — 27 June 2017, $10B in damage, the most destructive cyber event

On 27 June 2017, NotPetya emerged. Initially appeared as a ransomware variant of Petya (an earlier ransomware family); rapidly determined to be something different — a destructive wiper disguised as ransomware. The encryption used cryptographically irreversible techniques; even paying the ransom couldn’t recover files. NotPetya was attributed by US, UK, and other Western governments to Russia’s GRU (military intelligence). The initial vector: NotPetya entered Ukrainian networks through a backdoored update to MeDoc, a Ukrainian tax-and-accounting software used by ~80% of Ukrainian businesses. The MeDoc update mechanism was compromised; legitimate-looking software updates installed NotPetya. From Ukraine, NotPetya spread globally via: (1) EternalBlue (same as WannaCry); (2) Mimikatz-based credential harvesting and lateral movement; (3) PsExec and WMI for spreading within networks. The unprecedented damage: (1) Maersk. Global shipping operations halted for days; ~$300 million direct cost; multi-week recovery. (2) Merck pharmaceutical. ~$870 million impact including production halts, drug-supply disruptions. (3) FedEx (TNT subsidiary). ~$400 million impact, multi-month operational recovery. (4) Mondelez. ~$100 million impact. (5) Reckitt Benckiser. ~£100 million. (6) Saint-Gobain, Beiersdorf, WPP, Nuance, dozens of others. Total estimated damage exceeded $10 billion globally. The strategic context: NotPetya was, in the assessment of US and UK governments, a Russian operation against Ukrainian infrastructure as part of the broader Russia-Ukraine conflict. The global spread was either intentional collateral damage or insufficient containment by GRU operators; either way, it demonstrated that geographically-targeted cyber operations have global impact.

Why so much damage — patching gaps and architectural fragility

Multiple structural failures contributed to the catastrophic impact. (1) Patching lag. MS17-010 was released two months before EternalBlue weaponisation by WannaCry. Many organisations had not patched. Reasons: change-management processes that require lengthy testing; legacy systems that couldn’t be safely patched; embedded systems with vendor-controlled update paths; pure organisational neglect. (2) Windows XP and end-of-life systems. Microsoft had ended support for Windows XP in 2014; many organisations continued to run XP especially in industrial and embedded contexts. XP didn’t receive MS17-010 by default; Microsoft eventually released an XP patch as an emergency measure post-WannaCry but many systems remained vulnerable. (3) SMBv1 still enabled. SMBv1 had been deprecated for years; SMBv2 and SMBv3 had been Microsoft’s recommended protocols since Vista/Server 2008. But SMBv1 remained enabled by default for backward compatibility, and many environments still had SMBv1 active. (4) Network architecture. Flat networks where any compromised system could reach any other system enabled rapid worm propagation. Network segmentation would have contained both WannaCry and NotPetya to smaller blast radii. (5) Backup architecture. Many organisations’ backups were online and reachable from production networks; NotPetya destroyed both production data and backups. Air-gapped or immutable backups would have enabled faster recovery. (6) Lack of credentialless propagation defence. NotPetya’s use of Mimikatz to harvest credentials and propagate via PsExec exploited the assumption that authenticated SMB connections within networks are trusted. Modern Zero Trust architectures challenge this assumption.

Timeline — from leak to global devastation in two months

~Years before April 2017: NSA develops EternalBlue exploit for intelligence operations. ~Late 2016 / early 2017: Shadow Brokers indicate possession of NSA tools; NSA reportedly notifies Microsoft about the underlying vulnerability. 14 March 2017: Microsoft releases MS17-010 patching CVE-2017-0144 and related issues. 14 April 2017: Shadow Brokers public release of NSA tools including EternalBlue. April-May 2017: Threat actors weaponise EternalBlue for various purposes. 12 May 2017: WannaCry release. ~300,000 computers infected within hours. NHS UK among most damaged. 13 May 2017: Marcus Hutchins activates kill-switch domain; spread slows dramatically. 15-30 May: Continued cleanup; partial WannaCry variants without kill switch attempt to continue spreading. 26 June 2017: NotPetya distribution begins via MeDoc update. 27 June 2017: NotPetya global spread; major enterprises hit hardest by approximately 24-48 hours later. July 2017: Continued cleanup; first major damage estimates emerge; attribution discussions accelerate. February 2018: US, UK governments formally attribute NotPetya to Russia / GRU. December 2017: US, UK formally attribute WannaCry to North Korea / Lazarus Group. 2018-2025: Multiple US/UK indictments of named GRU and DPRK operatives; civil suits and insurance recovery actions; ongoing policy development around cyber-weapon proliferation.

Mitigations — the post-WannaCry/NotPetya defensive standard

(1) Patching urgency. Critical Microsoft patches deployed within days, not weeks. SLAs tied to severity. (2) Disable SMBv1. Modern Windows environments should not have SMBv1 enabled. Microsoft ships SMBv1 disabled by default in newer Windows versions; verify in your environment. (3) Network segmentation. Worm-class propagation depends on flat networks; segmentation contains spread. Specifically: separate user workstations from servers, separate operational tech from corporate IT, restrict lateral SMB connectivity. (4) Backup architecture. 3-2-1 rule with at least one immutable or air-gapped copy. Backups reachable from production are not backups for ransomware/wiper purposes. (5) Credential security. Reduce attack surface for Mimikatz-style credential theft: Local Security Authority Subsystem Service (LSASS) protection, Credential Guard, removal of plaintext credential exposure on workstations. (6) End-of-life system migration. Windows XP, Server 2003, similar EOL systems must be migrated. The cost of migration is dramatically less than a single major incident on EOL infrastructure. (7) Endpoint detection and response. Modern EDR/XDR detects worm-class propagation behaviour even when initial exploitation succeeds. (8) Network monitoring. SMB traffic between unusual host pairs, large numbers of connections from a single source — these are worm signatures detectable in real time. (9) Cyber insurance with appropriate scope. Insurance policies clarified post-NotPetya around what counts as “cyber war” exclusion; policy terms now address state-sponsored attack scenarios more carefully. (10) Incident response planning. Worm-class incidents require specific response procedures; ensure your runbook is ready.

India context — WannaCry impact and lessons

Indian impact from WannaCry was significant. (1) Public sector. Multiple Indian government departments and PSUs were affected. Andhra Pradesh police computers were notably hit. (2) Banking. Some Indian banks reported impact; ATM networks (running Windows XP in some cases) were vulnerable. RBI issued specific advisories. (3) Healthcare. Some Indian hospitals running unpatched Windows systems were affected, though Indian healthcare ransomware impact was less catastrophic than UK NHS. (4) Manufacturing. Production environments running legacy Windows systems were vulnerable; some Indian manufacturing operations experienced disruption. (5) IT services industry. Indian IT services firms responded effectively for their global clients; the WannaCry response itself became a reference point for Indian IT services’ incident response capability. The Indian regulatory response: CERT-In issued advisories; RBI engaged with banks; sectoral CERTs strengthened. The WannaCry incident reinforced the case for Indian government investment in critical-infrastructure cybersecurity that subsequent incidents (Kudankulam 2019, AIIMS 2022, ICMR 2023) continued to demonstrate. For Indian organisations in 2025-2026: the WannaCry/NotPetya pattern remains relevant. Worm-class propagation via patched-but-not-deployed vulnerabilities continues. Recent examples include Conti, Lockbit 3.0 (BlackBasta), Royal — all of which use SMB-based propagation. The defensive measures from 2017 continue to apply.

Lessons learned — five durable takeaways

(1) Cyber weapons proliferate. Tools developed by intelligence agencies leak, get stolen, are reverse-engineered. Vulnerability hoarding by governments creates structural risk that may rebound on those governments’ allies and citizens. The Vulnerabilities Equities Process (VEP) governing US disclosure decisions has been controversial since EternalBlue; debate continues. (2) Patch deployment is a security control. Vulnerabilities are routinely disclosed-and-patched in advance of weaponisation. Organisations that patch promptly are protected; those that don’t are exposed. The deployment timeline matters as much as the patch availability. (3) Worm-class threats require segmentation. Flat networks are now understood as architectural malpractice for any organisation handling sensitive data. The cost of segmentation is real but the benefit is structural. (4) Backups are not backups if reachable from compromised hosts. NotPetya destroyed many organisations’ backups along with production data. Modern backup architecture includes immutable, air-gapped, or otherwise compromise-resistant copies. (5) Cyber-attack-as-cyber-war framework matures. The NotPetya attribution to Russia and the resulting policy responses (sanctions, indictments, insurance clarifications) advanced the framework for treating state-sponsored cyber attacks as state actions with associated diplomatic and economic consequences.

What every organisation should do — current state of EternalBlue-era threats

Even years after WannaCry/NotPetya, EternalBlue and similar SMB-class vulnerabilities periodically cause incidents in unpatched environments. (1) Verify SMBv1 disabled. Microsoft has set the default; verify in your environment. Audit whether any systems re-enable SMBv1 for legacy compatibility. (2) Patch management cadence. Critical Microsoft patches within 72 hours. (3) Asset inventory. Know every Windows system in your environment, current OS version, current patch status. (4) Network segmentation review. Audit lateral connectivity between systems; restrict where business-justified. (5) Backup verification. Test restore from backup quarterly. Verify at least one backup is offline/immutable. (6) End-of-life system inventory. Identify systems running EOL operating systems; create migration plan. (7) Vulnerability scanning. Continuous scanning for known vulnerabilities including EternalBlue-class. (8) EDR/XDR deployment. Modern endpoint detection catches worm-class propagation. (9) Tabletop exercises. Practice responding to worm-class incidents; identify gaps; close them.

Wider implications — cyber proliferation and the next decade

The EternalBlue / WannaCry / NotPetya episode reshaped multiple policy domains. (1) Vulnerability Equities Process maturation. US (and equivalent processes in other governments) have evolved their decision-making around when intelligence-discovered vulnerabilities should be disclosed vs hoarded. The EternalBlue case is the canonical “vulnerability hoarding rebounds catastrophically” example. (2) Cyber-attack attribution practice matures. US, UK, EU, Japan, Australia, and others have developed shared attribution practices and joint statement mechanisms; the WannaCry/NotPetya attributions established important precedents. (3) Cyber-norms development at UN. The UN Open-Ended Working Group (OEWG) on cybersecurity has progressed in part because of incidents like NotPetya demonstrating the need for international norms. (4) Insurance industry restructuring. Cyber insurance policies have been substantially revised post-NotPetya around state-sponsored attack exclusions and “cyber war” definitions. (5) Critical infrastructure protection. National designations of critical infrastructure and associated cybersecurity expectations have expanded; the WannaCry NHS impact catalysed UK NIS Directive implementation. India’s NCIIPC framework strengthened similarly. (6) Industry-wide response improvements. The infrastructure for coordinated response to wormable vulnerabilities (CISA emergency directives, CERT coordination, vendor patch synchronisation) has matured significantly. The EternalBlue era is foundational to current cybersecurity policy and will be referenced in cybersecurity discussions for the rest of the decade and likely beyond.

FAQ

Is EternalBlue still being exploited?

Yes, periodically. Long-tail unpatched Windows systems remain vulnerable. EternalBlue-derived techniques continue to feature in ransomware and other malware as a propagation mechanism.

Was WannaCry truly stopped by the kill switch?

Effectively yes for the original WannaCry variant. Modified variants without the kill-switch check appeared but did not achieve the same scale. The kill-switch discovery was a security-research lucky break that prevented vastly worse damage.

Why did Maersk lose so much from NotPetya?

NotPetya destroyed Maersk’s Active Directory, business systems, and operational infrastructure simultaneously. Recovery required rebuilding from scratch over weeks. The combination of operational dependency + comprehensive destruction produced the high cost.

Did Maersk pay ransom?

No. NotPetya’s ransomware appearance was deceptive; the encryption was cryptographically irreversible. Payment would not have helped. Maersk recovered via rebuild from offline backups and significant rebuilding effort.

How did NotPetya spread so fast globally if it targeted Ukraine?

The initial Ukrainian vector (MeDoc backdoor) infected Ukrainian businesses; many of those businesses had multinational connections via VPN, file sharing, or shared infrastructure with global parent companies. NotPetya propagated via these connections to global parent organisations.

What's the equivalent threat in 2025-2026?

Worm-class threats continue. Recent examples: PrintNightmare (2021), ProxyLogon (2021), Log4Shell (2021), various Microsoft Exchange vulnerabilities. The pattern (critical RCE in widely-deployed enterprise software, weaponised before universal patching) persists. Defensive measures from 2017 continue to apply.

📰 Note: This analysis is compiled from public reporting (Reuters, Bloomberg, court filings, threat-intel firm publications) and is intended for security education. Some technical details remain disputed in ongoing legal proceedings; we have attributed claims where the source is established and noted where matters remain contested.