A U.K. researcher who blogs for Malwaretech.com and Proofpoint staffers discovered a "kill switch" that limited the attacks.
"While the identification occurred after the initial wave hit Europe and Asia, it significantly slowed the spread of this worm and aggressive ransomware worldwide," Kalember wrote.
Microsoft Chief Legal Officer Brad Smith acknowledged in a blog post that the Windows developer has the primary responsibility to fix the problems.
However, Smith shared some blame with customers who have not updated their operating systems two months after Microsoft published fixes. "As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems," Smith wrote.
Microsoft also questioned the government policy of keeping stockpiles of software weaknesses that hackers can target. "We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world," Smith noted.
A version of WannaCry without the kill switch is already making the rounds, according to TheHackerNews.com.
A strain of ransomware called Uiwix makes use of the Windows vulnerabilities that WannaCry targeted, without the kill switch, Heimdal Security noted.
"We reckon that this is the first of many variants to follow, which will aim to exploit this vulnerability and infect as many devices as possible until the necessary patch is applied," Heimdal Security evangelist Andra Zaharia wrote.
Uiwix likely won't be the last. Proofpoint notes that new variants of ransomware appear every two or three days.