I love how people go on and mention port 445 - incidentally, Virgin used to block it and the rest of the NETBIOS trio - until user pressure made them rethink this. Something along the lines of "I pay for access to the whole internet." as I recall.
445 is how the worm spreads internally once it gets onto a LAN, but more often than not it enters the LAN through other means like an infected email.
But the wannacry worm tries communicating with a specific URI over HTTP so it's easy for the security researchers to log traffic hitting the website. But it does mean that people who visit the site out of curiosity end up getting a well-intentioned letter as a result.
Only use Helpful answer if your problems been solved.
When wannacry requests the kill switch domain the HTTP request header lacks the user-agent field; according to Cisco Umbrella | Blog. You may wish to query the report made to Virgin Media by Shadowserver to see if they filtered out such requests from their reports.