The WannaCry Hangover

On the morning of May 12, 2017, organisations and individuals around the world were attacked by malware now known as WannaCry. 

WannaCry’s rapid spread, enabled by its implementation of a Windows vulnerability stolen from an intelligence agency, was suddenly halted when security researchers registered an Internet domain name embedded in the code. This was a routine research procedure that, inadvertently, tripped a “kill switch” subroutine in the malware, causing it to stop infecting computers.

A small number of variants released in the following days, using new kill switch domains, were shut down using the same method. But these variants are still quite capable of spreading broken copies of themselves to Windows computers that haven’t been patched to fix the bug that allowed WannaCry to spread so quickly in the first place.

Prior to the malware’s first appearance, Microsoft released an update to close off the vulnerability to exploitation, which would have prevented the infection from spreading. The delay in installing that April, 2017 update directly contributed to WannaCry’s ability to copy itself from computer to computer.

By the time the kill switch domain had any effect, the malware had already wrought a lot of destruction. But the kill switch, surprisingly, didn’t mean an end to WannaCry, even though WannaCry was updated and rereleased only twice a few days after the first infection. 

In fact, WannaCry detections appear to be at an all-time high, surpassing the number of detections of older worm malware such as Conficker. The malware continues to infect computers worldwide.

So why isn’t the world still up in arms about WannaCry? It turns out, someone, or possibly many, tinkered with WannaCry at some point after the initial attack, and those modified versions are what’s triggering nearly all the detections we now see. 
Where there was once just a single, unique WannaCry binary, there are now more than 12,000 variants in circulation.

In just the month of August, 2019, Sophos detected, and blocked, more than 4.3 million attempts by infected computers to spread some version of WannaCry to a protected endpoint.

The one upside: Virtually all the WannaCry variants we’ve discovered are catastrophically broken, incapable of encrypting the computers of its victims. 

The original kill switch domains have remained active since May, 2017, when security researchers registered the domains, effectively ending the WannaCry attack. 

The continuous rise in WannaCry detections does raise warning flags: it means there are still machines whose owners have not installed an operating system update in more than two years, and those machines are vulnerable not only to WannaCry, but to much more dangerous types of attack that have emerged in the past two years.

This leads to an inescapable point: The fact remains that, if the original kill switch domains were to suddenly become unregistered, the potent, harmful versions of WannaCry could suddenly become virulent again, distributed by and to a plethora of vulnerable, unpatched machines.

Sophos

You Might Also Read:

WannaCry Has Not Gone Away:

WannaCry Hero Deserves a Pardon, Not A Conviction:

« Cyber Security Experts Needed in Australia
Cyber Insurance Is Unsustainable On Its Current Path »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Security Magazine

Security Magazine

Security, the business magazine for security executives, focuses on management issues facing top security professionals and effective solutions being employed, both physical and cyber.

CyberGreen Institute

CyberGreen Institute

The CyberGreen Institute is a global non-profit and collaborative organization conducting activities focused on helping to improve the health of the global Cyber Ecosystem.

AVeS Cyber Security

AVeS Cyber Security

AVeS combines expert knowledge and services with leading technology products to provide comprehensive Information Security and Advanced IT Infrastructure solutions.

GK8

GK8

GK8 is a cyber security company that offers a high security custodian technology for managing and safeguarding digital assets. Secure, Compliant and Practical.

Prompt

Prompt

Prompt supports the creation of partnerships and the setting up of industrial-institutional applied R&D projects for all ICT sectors.

InterGuard

InterGuard

As the pioneer for Unified Insider Threat Prevention and productivity monitoring tools, InterGuard offers on premise and SaaS-based services that are easily available and affordable.

Nineteen Group

Nineteen Group

Nineteen Group delivers major-scale exhibitions within the security, fire, emergency services, health and safety, facilities management and maintenance engineering sectors.

Ibento Global

Ibento Global

Ibento organises the CyberX series of cybersecurity conferences.

Brightsolid

Brightsolid

Brightsolid are experts in Hybrid Cloud. We design, build and manage secure, scalable cloud environments that meet customers’ business ambitions.

Intelligent CloudCare

Intelligent CloudCare

Intelligent CloudCare, a division of IPS, is a full IT Services provider serving the needs of SMBs in the metropolitan New York City region.

Cyber Suraksa

Cyber Suraksa

We make security simple and hassle-free by offering a sustained and secure IT environment with next-gen cybersecurity solutions through a scalable security-as-a-service model.

Cypago

Cypago

Cypago provides a powerful yet easy-to-use Compliance Orchestration Platform to automate the compliance process end-to-end.

JLS Technology

JLS Technology

Since 2007, JLS Tech has been recognized as one of the world’s most innovative cybersecurity and technology operations leaders.

Advanced IT

Advanced IT

Reliable managed IT Security & support services that will help you take your business operations to the next level without breaking the bank!

XBOW

XBOW

XBOW brings AI to offensive security, augmenting the work of bug hunters and security researchers.

PriorityZero

PriorityZero

PriorityZero is a European company focused on remote security assessments and consulting services that operates on a global scale.