RailWire, the Internet provider established by the Indian Railways and Google, was the hardest-hit in the WannaCry ransomware attack that was first reported around two weeks back. The ISP accounted for 32.14% of all instances of the ransomware recorded by security firm eScan. The firm published a blog post on the impact of the cyberattack in India. RailWire apparently did not put up a firewall to block the protocol through which WannaCry spread through Windows machines, potentially exposing many of the hundreds of thousands of users who use its service everyday.

According to the post, Madhya Pradesh was the hardest-hit state, accounting for over 32% of WannaCry in India. Maharashtra and Delhi came in at 2nd and 3rd most affected respectively. “While the Government is installing free Wi-Fi spots at various spots all over India, there is need to validate the internal security of these networks and there is also a need to ensure that all the consumers who are using RailTel’s free Wi-Fi service should do so with some caution,” eScan said in a blog post.

The ransomware spread through a vulnerability on the SMB protocol, which Windows machines, especially in local networks, use to exchange files and connect to devices like printers. The vulnerability was ‘stockpiled’ by the US’s National Security Agency, and was a part of a massive trove of documents leaked from the agency by a hacker. While Microsoft rolled out updates for most Windows machines as early as April, they did not roll them out for versions of Windows that Microsoft had discontinued support for, like Windows XP and Server 2003. After the attack, which also affected systems that hadn’t installed the patch, Microsoft released patches for unsupported legacy OSes also.

The WannaCry ransomware ripped through much of the world on a Saturday, starting late evening in Indian time. The attack encrypts target computers’ files and demands a Bitcoin ransom worth $300 to trigger decryption. As a result, most organizations here were only hit by the attack on Monday, by which the Indian Computer Emergency Response Team (CERT-in) and other government organizations rushed to contain the damage.

Before Monday, a security researcher named MalwareTech registered a domain name he found in the code of the ransomware, which ultimately stopped the proliferation of the attack. This may have played a role in how relatively few incidents have been reported in India, compared to the predictions of widespread chaos that some news organizations said might ensue when Asian businesses and governments turned their computers back on after the weekend.