A report from security researchers at Sophos finds that, two years on, variants of the WannaCry ransomware are still causing havoc.
In 2017 WannaCry spread quickly because it exploited a Windows vulnerability stolen from an intelligence agency. The malware was stopped when security researchers registered a domain name embedded in the code, which tripped a “kill switch” subroutine in the program. This happy accident caused WannaCry to stop infecting computers. Over the next few days variants of the malware sprang up and were stopped using essentially the same kill switch.
Surprisingly, the kill switch didn’t put an end to WannaCry. The report shows that the WannaCry threat remains at large, infecting computers by the millions every month. Even though the original malware has not been updated since a few days after it appeared in May 2017, thousands of variants are still circulating.
Sophos detected 12,480 variants of the original code, and around 2,700 of those have evolved to bypass the kill switch that stopped the original WannaCry malware. Sophos detected 4.3 million instances of WannaCry in August 2019 alone.
The researchers found that, because of the way WannaCry infects new devices, users can protect themselves. WannaCry variants check whether a computer is already infected; if the device already carries the malware, the variant moves on to another target. So leaving a computer infected with an inert version of the malware actually protects it from future infection by active strains of WannaCry. The researchers call this the “accidental vaccine.”
The researchers also note that nearly every WannaCry variant they discovered is broken and incapable of encrypting victims’ computers. But these variants still spread broken copies of themselves to Windows computers that have not been patched against the bug that allowed WannaCry’s initial rapid proliferation. According to the report, WannaCry detections are at an all-time high; this malware has surpassed the detection counts of much older worms such as Conficker.
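To make the two findings above concrete (the “accidental vaccine” and the broken variants that keep spreading), here is an added toy simulation; it is not code from the Sophos report or from this article, and the host names, states and the check-before-infect switch are constructed assumptions rather than WannaCry’s real internals.

```python
"""Toy model of the two infection behaviours described above: a variant
skips any host that already carries WannaCry (the 'accidental vaccine'),
and a broken variant still spreads even though it cannot encrypt.
Host names, states and the fleet below are constructed for illustration."""
from itertools import product

PATCHED, CLEAN, INERT, ACTIVE = "patched", "clean", "inert", "active"
CARRIERS = (INERT, ACTIVE)


def try_infect(states, src, dst, check_before_infect=True):
    """One propagation attempt from src to dst; returns True if dst changed."""
    if states[src] not in CARRIERS:
        return False                      # only carriers propagate
    if states[dst] == PATCHED:
        return False                      # exploit fails on a patched host
    if check_before_infect and states[dst] in CARRIERS:
        return False                      # 'already infected' check: move on
    if states[dst] == states[src]:
        return False                      # same strain already present
    states[dst] = states[src]             # copy the same (inert or active) strain
    return True


def simulate(initial, rounds=5, check_before_infect=True):
    """Every carrier tries every other host each round, in dict order,
    until nothing changes. Returns the final state of each host."""
    states = dict(initial)
    for _ in range(rounds):
        changed = False
        for src, dst in product(list(states), repeat=2):
            if src != dst:
                changed |= try_infect(states, src, dst, check_before_infect)
        if not changed:
            break
    return states


def count(states, state):
    """Number of hosts currently in the given state."""
    return sum(1 for s in states.values() if s == state)


if __name__ == "__main__":
    fleet = {"active-carrier": ACTIVE, "inert-carrier": INERT,
             "exposed": CLEAN, "patched": PATCHED}
    print("with check:   ", simulate(fleet))
    print("without check:", simulate(fleet, check_before_infect=False))
```

With the check in place the host carrying the inert strain never turns active, while the unpatched clean host is taken by whichever strain reaches it first; dropping the check shows the “vaccine” disappears and only patching remains as protection.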
Header Image by laboratoriolinux