An additional blog post explains Microsoft's analysis of how the malware spreads. On newer versions like Windows Vista, 7, 8.1 and 10, the March update tagged MS17-010 addresses the vulnerability it's exploiting, which was revealed earlier this year by "The Shadow Brokers" when they leaked a stolen cache of NSA tools. While it's not confirmed how the initial infections occurred, it's believed the trojan horse was spread by email phishing links that drop the "EternalBlue" exploit released by The Shadow Brokers, as well as the WannaCrypt malware variant. Interestingly, it doesn't even try to attack Windows 10, focusing solely on Windows 7/8 and earlier operating systems that are still vulnerable to the attack.

Once it's on a computer, it goes on to lock up the user's files and set up the ransom message. The spread of the initial release has actually stopped (after infecting more than 123,000 computers) because security researchers registered a domain that the malware checks before the infection starts. As long as the software finds it, a sort of killswitch engages and no encryption occurs. However, as @MalwareTechBlog notes, anyone could modify the attack to remove the killswitch and begin attacking computers again.

That's because even without phishing links, another part of the exploit searches out a vulnerable server component (SMBv1) on unpatched Windows machines and can infect them remotely. This probably won't work across the internet for PCs behind a firewall or router, but if a server is connected directly to the internet, or a PC is on the same network as an infected computer, it can spread quickly -- which is exactly what happened yesterday.