The WannaCry Hangover
On the morning of May 12, 2017, organisations and individuals around the world were attacked by malware now known as WannaCry.
WannaCry’s rapid spread, enabled by its use of an exploit for a Windows vulnerability that had been stolen from an intelligence agency, was suddenly halted when security researchers registered an Internet domain name embedded in the code. This was a routine research procedure that inadvertently tripped a “kill switch” subroutine in the malware, causing it to stop infecting computers.
A small number of variants released in the following days, using new kill switch domains, were shut down using the same method. But these variants are still quite capable of spreading broken copies of themselves to Windows computers that haven’t been patched to fix the bug that allowed WannaCry to spread so quickly in the first place.
Prior to the malware’s first appearance, Microsoft released an update to close off the vulnerability to exploitation, which would have prevented the infection from spreading. The delay in installing that April 2017 update directly contributed to WannaCry’s ability to copy itself from computer to computer.
By the time the kill switch domain had any effect, the malware had already wrought a lot of destruction. But the kill switch, surprisingly, didn’t mean an end to WannaCry, even though WannaCry was updated and re-released only twice, a few days after the first infection.
In fact, WannaCry detections appear to be at an all-time high, surpassing the number of detections of older worm malware such as Conficker. The malware continues to infect computers worldwide.
So why isn’t the world still up in arms about WannaCry? It turns out that someone, or possibly many people, tinkered with WannaCry at some point after the initial attack, and those modified versions are what’s triggering nearly all the detections we now see.
Where there was once just a single, unique WannaCry binary, there are now more than 12,000 variants in circulation.
In August 2019 alone, Sophos detected and blocked more than 4.3 million attempts by infected computers to spread some version of WannaCry to a protected endpoint.
The one upside: virtually all the WannaCry variants we’ve discovered are catastrophically broken, incapable of encrypting their victims’ computers.
The original kill switch domains have remained active since May 2017, when security researchers registered the domains, effectively ending the WannaCry attack.
The continuous rise in WannaCry detections does raise warning flags: it means there are still machines whose owners have not installed an operating system update in more than two years, and those machines are vulnerable not only to WannaCry, but to much more dangerous types of attack that have emerged in the past two years.
This leads to an inescapable point: if the original kill switch domains were to suddenly become unregistered, the potent, harmful versions of WannaCry could become virulent again, distributed by and to a plethora of vulnerable, unpatched machines.
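Because a WannaCry variant only goes quiet after it resolves its kill switch domain, DNS query logs are a practical way to find the unpatched machines the article describes. The following is an added example, not code from the article or from Sophos; it assumes a BIND-style query-log format, uses a placeholder in place of the real kill switch domain, and runs over constructed sample lines.

```python
"""Flag hosts that query a WannaCry kill switch domain in DNS query logs.

A host that still looks up the kill switch is running some WannaCry
variant, which in turn means it never received the April 2017 update.
"""
import re
from collections import Counter

# Placeholder only: the real kill switch domains are not reproduced here.
KILL_SWITCH_DOMAINS = {"killswitch-placeholder.invalid"}

# Constructed sample lines in a BIND-style query-log format (assumption).
SAMPLE_LOG = """\
12-Aug-2019 09:14:02.113 client 10.0.3.17#51234: query: killswitch-placeholder.invalid IN A + (10.0.0.53)
12-Aug-2019 09:14:05.220 client 10.0.3.17#51240: query: killswitch-placeholder.invalid IN A + (10.0.0.53)
12-Aug-2019 09:14:07.001 client 10.0.8.4#40011: query: update.example.com IN A + (10.0.0.53)
12-Aug-2019 09:15:31.550 client 10.0.3.99#50002: query: KILLSWITCH-PLACEHOLDER.INVALID. IN A + (10.0.0.53)
"""

LINE_RE = re.compile(
    r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(qname):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return qname.rstrip(".").lower()


def kill_switch_queries(log_text):
    """Return {source_ip: query_count} for hosts that looked up a kill switch domain.

    Every host in the result is a candidate for patching, regardless of
    whether the variant it runs is one of the broken ones.
    """
    hits = Counter()
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue  # skip lines that are not query records
        if normalize(match.group("qname")) in KILL_SWITCH_DOMAINS:
            hits[match.group("src")] += 1
    return dict(hits)


if __name__ == "__main__":
    for src, count in sorted(kill_switch_queries(SAMPLE_LOG).items()):
        print(f"{src}: {count} kill switch lookup(s) - unpatched host")
```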