https://arstechnica.com/information-...itch-analysis/

I?ve finally found enough time between e-mails and Skype calls to write up the crazy events that occurred over Friday, which was supposed to be part of my week off. You?ve probably read about the Wanna Decryptor (aka WannaCrypt or WCry) fiasco on several news sites, but I figured I?d tell my story.
I woke up at around 10am and checked onto the UK cyber threat sharing platform where I had been following the spread of the Emotet banking malware, something that seemed incredibly significant until today. There were a few of your usual posts about various organisations being hit with ransomware, but nothing significant... yet. I ended up going out to lunch with a friend, meanwhile the WannaCrypt ransomware campaign had entered full swing.
When I returned home at about 2:30, the threat sharing platform was flooded with posts about various NHS systems all across the country being hit, which was what tipped me off to the fact this was something big. Although ransomware on a public sector system isn?t even newsworthy, systems being hit simultaneously across the country is. (Contrary to popular belief, most NHS employees don?t open phishing e-mails, which suggested that something to be this widespread it would have to be propagated using another method.)
I was quickly able to get a sample of the malware with the help of Kafeine, a good friend and fellow researcher. Upon running the sample in my analysis environment I instantly noticed it queried an unregistered domain, which I promptly registered.

Using Cisco Umbrella, we can actually see query volume to the domain prior to my registration of it, which shows that the ransomware campaign started at around 8am UTC.