WannaCry happened. A ransomware WORM — self-spreading, no clicks needed — tore through 200,000+ Windows machines across 150 countries in a weekend, encrypting everything and demanding Bitcoin. The UK’s NHS got hit hardest: appointments cancelled, ambulances diverted, HOSPITALS running on paper because of unpatched Windows 7 boxes on flat networks (#047’s segmentation sermon, now with casualties). The exploit, “EternalBlue,” leaked from the NSA’s own stockpile — a government hoarded a vulnerability, lost custody of it, and watched it hit its own health system’s supply chain. Every debate from Apple-vs-FBI (#077) about “keys that only good guys hold” just got its empirical result.

The hero subplot is perfect internet: a researcher registered a weird domain he found in the malware — cost: $10.69 — and accidentally triggered its kill switch, stopping the global spread. The most valuable single deploy of 2017 was a domain registration by a guy in his bedroom.

Patch management is unglamorous, eternally deprioritized, and this fortnight it was the difference between “we’re fine” and “divert the ambulances.” We audited our fleet Monday: two forgotten boxes, patched by Tuesday. The forgotten boxes are always the story (#031, #043 — the inventory IS the security program).

TIL: kill switches in malware exist as anti-sandbox tricks — the worm checked if a nonsense domain resolved, assuming only a researcher’s sandbox would answer. Attackers have testing infrastructure too, and sometimes THEIR test hooks are OUR salvation. Everything has an ops story.