WannaCry ransomware still rampant

Read time 4min 40sec
SophosLabs researchers have identified 12 480 variants of the original WannaCry code.
SophosLabs researchers have identified 12 480 variants of the original WannaCry code.

More than two years after the WannaCry ransomware global outbreak, threats remain rampant, with more than 12 000 WannaCry variants currently in circulation.

This is according to the “WannaCry Aftershock” report conducted by cyber security vendor, Sophos.

The report, which tracks the infamous malware that viciously attacked computer systems across the world two years ago, found that WannaCry is still alive and well.

While the original version of the virus has not been updated, the report notes that millions of WannaCry infection attempts are stopped every month.

The WannaCry ransomware attack, which was first reported in May 2017, was a worldwide cyberattack by the WannaCry ransomware crypto-worm which targeted computers running the Microsoft Windows operating system, encrypting data and demanding ransom payments in bitcoin crypto-currency.

It propagated through EternalBlue, an exploit developed by the US National Security Agency for older Windows systems.

Although Microsoft had released patches previously to close the exploit, much of WannaCry's spread was from organisations that had not applied these, or were using older Windows systems that were past their end-of-life.

The ransomware campaign wreaked havoc globally, reaching a total of 200 000 computers in 150 countries, with SA, Ivory Coast, Egypt, Algeria and Morocco topping the list of African WannaCry ransomware targets, at the time.

The attack was stopped within a few days of its discovery, due to emergency patches released by Microsoft, and the discovery of a kill switch that prevented infected computers from spreading WannaCry further.

In the new report, Sophos reveals that, despite the availability of security patches and anti-virus protection against WannaCry, more than 12 000 unique variants exist in the world. These newer variants can spread more effectively, and stay hidden for longer than the original WannaCry. The most prevalent of these variants are locked in a battle for domination.

“The continued existence of the WannaCry threat is largely due to the ability of these new variants to bypass the kill switch,” notes the report.

“However, when Sophos researchers analysed and executed a number of variant samples, they found that their ability to encrypt data was neutralised as a result of code corruption.”

However, the very fact that these computers could be infected in the first place suggests the patch against the main exploit used in the WannaCry attacks has not been installed – a patch that was released more than two years ago, notes Sophos.

According to the report, based on August 2019 detections of unsuccessful attempted WannaCry infections, the US remained the top targeted country, with more than 22% of infection attempts targeting computers there. Other targeted countries include India (8.8%), Pakistan (8.4%), Peru (7.3%), Indonesia (6.7%), SA (2.7%), Saudi Arabia (2.3%), reflecting a global nature of the WannaCry threat.

Closer inspection of more than 2 700 samples (accounting for 98% of the detections) revealed they had all evolved to bypass the “kill switch” – a specific URL that, if the malware connects to it, automatically ends the infection process – and all had a corrupted ransomware component and were unable to encrypt data, according to the report.

Raising warning flags

WannaCry’s spread was, and still is, aided by the fact that large organisations tend to defer installing Windows update patches, because some updates have, historically, caused incompatibilities with third party software, asserts Sophos.

This debate over whether to update right away or to defer the updates until testing can be completed continues even to this day, with some tech columnists persisting in advising users not to install patches right away as a method of mitigating the consequences of an occasional patch that doesn’t work as intended.

“The WannaCry outbreak of 2017 changed the threat landscape forever,” says Peter Mackenzie, security specialist at Sophos and lead author of the research.

“Our research highlights how many unpatched computers are still out there, and if you haven’t installed updates that were released more than two years ago – how many other patches have you missed?

“In this case, some victims have been lucky because variants of the malware immunised them against newer versions. But no organisation should rely on this. Instead, standard practice should be a policy of installing patches whenever they are issued, and a robust security solution in place that covers all endpoints, networks and systems.”

While there are limited circumstances in which some specific groups of users will not want a computer to download and install operating system updates, nearly all people and organisations do not fall into this category, adds the report.

However, the continuous rise in WannaCry detections does raise warning flags: it means there are still machines whose owners have not installed an operating system update in more than two years, and those machines are vulnerable not only to WannaCry, but to much more dangerous types of attack that have emerged in the past two years.

“And this leads to an inescapable point: The fact remains that, if the original kill switch domains were to suddenly become unregistered, the potent, harmful versions of WannaCry could suddenly become virulent again, distributed by and to a plethora of vulnerable, unpatched machines,” warns the report.

Login with