On 12 May 2017, WannaCry began affecting computers worldwide.[30] The initial infection might have been either through a vulnerability in the network defenses or a very well-crafted spear phishing attack.[31] When executed, the malware first checks the "kill switch" website. If it is not found, then the ransomware encrypts the computer's hard disk drive,[32][33] then attempts to exploit the SMB vulnerability to spread out to random computers on the Internet,[34] and "laterally" to computers on the same Local Area Network (LAN).[35] As with other modern ransomware, the payload displays a message informing the user that files have been encrypted, and demands a payment of $300 in bitcoin within three days.

The Windows vulnerability is not a zero-day flaw, but one for which Microsoft had made available a security patch on 14 March 2017,[18] nearly two months before the attack. The patch was to the Server Message Block (SMB) protocol used by Windows.[36][37] Organizations that lacked this security patch were affected for this reason, although there is so far no evidence that any were specifically targeted by the ransomware developers.[36] Any organization still running the older Windows XP[38] was at particularly high risk because until 13 May,[2] no security patches had been released since April 2014.[39] Following the attack, Microsoft released a security patch for Windows XP.[2]

Although another ransomware was spread through messages from a bank about a money transfer around the same time, no evidence for an initial email phishing campaign has been found in this case.