Ransomware

WannaCry Global Ransomware Worm (150+ Countries, NSA EternalBlue)

📅 2017-05-12 🏢 Microsoft Windows (SMBv1) 🦠 WannaCry (WannaCrypt, WannaCryptor) 🔎 CVE-2017-0144 · CVE-2017-0145 · CVE-2017-0143

Incident Details

On May 12, 2017, WannaCry, a self-propagating ransomware worm, began spreading globally, infecting approximately 230,000 systems in 150+ countries within 24 hours. WannaCry exploited EternalBlue, an NSA exploit for the Windows SMBv1 protocol that had been leaked by the Shadow Brokers group on April 14, 2017, exactly 28 days before the attack. Microsoft had issued patch MS17-010 on March 14, 2017; systems that had not applied it remained vulnerable. The worm required no user interaction: it propagated autonomously by scanning for hosts with SMB port 445 open and exploiting the vulnerability.

The most severely impacted organization was the UK National Health Service (NHS): hospitals across England and Scotland cancelled 19,494 appointments and operations, ambulances were diverted, and clinical systems were locked. Renault, FedEx/TNT, Deutsche Bahn, Telefónica, and dozens of other major organizations were affected globally.

Security researcher Marcus Hutchins (‘MalwareTech’) discovered a ‘killswitch’ domain in the malware code on May 12; registering the domain (for $10.69) halted the spread. The US, UK, and Australia officially attributed WannaCry to North Korea’s Lazarus Group in December 2017. Total damages are estimated at $4–8 billion globally.

Technical Details

Initial Attack Vector
Self-propagating worm exploiting EternalBlue (CVE-2017-0144), an NSA-developed SMBv1 exploit leaked by Shadow Brokers on April 14, 2017; required no user interaction and propagated autonomously over TCP port 445 to vulnerable Windows systems
Vendor / Product
Microsoft Windows (SMBv1)
Malware Family
WannaCry (WannaCrypt, WannaCryptor)
CVE / GHSA References
CVE-2017-0144 · CVE-2017-0145 · CVE-2017-0143

Timeline

  1. 2017-05-12 Breach occurred
  2. 2017-05-12 Publicly disclosed