The growth of the information security industry reflects the global threat of cybercriminal activities, which impose significant costs on the global economy. Yet, although cybercriminal activities are underpinned by information systems (IS), research on how digitalization facilitates cybercrime is scarce. To understand, anticipate and control successful cybercriminal modi operandi, crime researchers need to understand the capabilities inherent in cybercriminals. We analyze the case of the WannaCry attack, an unprecedented global ransomware attack, from an IS capability perspective. Our preliminary analysis suggests a three-phase process model of the dynamic environment of WannaCry, consisting of cybercriminals and counterparties. During each phase, cybercriminals relied on different types of IS capabilities to continue their operations within a changing context.