Could you please share some more information about the incident?
From what I know and what I can speak about :
A big and sensible French company was infected with Wannacry this 12/05. After infection Wannacry starts a Tor client to join it C&C behind a .onion address. And so connect to guard nodes (possibly bridges, directory authorities and fallback directories can be affected too, or any Tor nodes which can be joined directly by standard Tor client). Sys admin of the infected company just flag all unknown *OUTGOING* traffic as evil and report corresponding IP to cops. Which seized servers of big french providers (OVH & Online at this time) on this list the 13 and 14/05.
Regards,