Remember WannaCry, the annoying piece of ransomware that spread quickly and especially disrupted hospitals in the UK before being contained? Well, as it turns out, there are potentially hundreds of thousands of PCs that are still infected with WannaCry.
Ransomware is a type of malware that encrypts a user's files and holds the data hostage until a ransom is paid, often in Bitcoin. In many cases, there is a time limit imposed, after which the user's files are permanently deleted.
WannaCry is a specific piece of ransomware that made headlines in 2017 because of how quickly it was able to spread, and the damage it caused—hospitals in the UK had to shut down some of their non-emergency services as they dealt with the outbreak. The ransomware also went by a few other similar names, including WannaCryptor, WannaCrypt, and Wanna Decryptor.
The accidental discovery of a so-called kill switch stopped WannaCry from spreading within a few days of its discovery, as Wired explained at the time. A malware expert who goes by the name MalwareTech worked to reverse engineer WannaCry, and in the process he discovered that its programmers coded the ransomware to ping a specific URL.
Curious, he registered the domain for $10.69. In the process, he effectively shut down WannaCry: it turned out that WannaCry would only spread if the URL in question was unregistered and inactive. Once it became active, WannaCry stopped trying to infect additional PCs.
The registration of the domain effectively neutralized WannaCry, but didn't get rid of it altogether. Jamie Hankins, head of security and threat intelligence research at Kryptos Logic, explained in a recent Twitter thread that WannaCry infections continue to ping the aforementioned domain, which is now hosted by Cloudflare.
"In the last 24 hours we saw 2,713,752 beacons from 220,648 unique SrcIPs to the kill switch from 184 different countries," Hankins says.
"Feels like a nice time to do a quick end of year look at our WannaCry data. I'll be posting some graphs and different metrics in this thread. Big shoutout to the crew at @Cloudflare, they've been providing us with assistance with the kill switch since the beginning almost."
December 21, 2018
The numbers balloon if looking at the past week, in which Hankins says there have been over 17 million pings from almost 640,000 unique IP addresses across 194 countries.
Hankins cautions that the numbers are likely not 100 percent accurate because of the difficulty in tracking and collecting this kind of data, but even if they are only in the ballpark, they are somewhat concerning.
"The fact that so many computers are still infected with this malware is a major problem. All you need is an internet outage to occur and for the kill switch domain to no longer be accessible for the ransomware to kick in," Bleeping Computer explains.
To prevent this from happening, Kryptos Logic built a free service called TellTale that enables organizations to monitor their range of IP addresses for known infections, including "WannaCry and a range of other potential threats."
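As an added example (not code from the article, Kryptos Logic, or its TellTale service), the following Python script aggregates constructed sinkhole log lines into the kind of metrics Hankins reports (beacons, unique source IPs, countries) and flags which of an organization's own IP ranges contain hosts still beaconing to the kill switch. The domain name and log format are assumptions, since the article names neither.

```python
# Added example, not from the article or Kryptos Logic: summarize kill-switch
# sinkhole beacons and match them against an organization's monitored ranges.
import ipaddress
from collections import Counter
from typing import Iterable

# Placeholder for the real kill-switch domain, which the article does not name.
KILL_SWITCH_DOMAIN = "killswitch.example"

# Constructed sample log lines: "timestamp src_ip country requested_host".
SAMPLE_LOG = """\
2018-12-21T10:00:01Z 203.0.113.10 GB killswitch.example
2018-12-21T10:00:02Z 203.0.113.10 GB killswitch.example
2018-12-21T10:00:05Z 198.51.100.7 US killswitch.example
2018-12-21T10:00:06Z 192.0.2.44 BR killswitch.example
2018-12-21T10:00:09Z 192.0.2.44 BR www.example.org
2018-12-21T10:00:11Z 198.51.100.8 US killswitch.example
"""

def parse_beacons(lines: Iterable[str], domain: str = KILL_SWITCH_DOMAIN):
    """Yield (src_ip, country) for every request to the kill-switch domain."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole run
        _ts, src, country, host = parts
        if host.lower() == domain:
            yield ipaddress.ip_address(src), country

def summarize(lines):
    """Beacon count, unique source IPs and country count, as in the thread."""
    beacons = list(parse_beacons(lines))
    ips = {ip for ip, _ in beacons}
    countries = Counter(c for _, c in beacons)
    return {"beacons": len(beacons), "unique_src_ips": len(ips),
            "countries": len(countries)}

def infected_ranges(lines, monitored_cidrs):
    """Map each monitored CIDR to the beaconing IPs it contains (non-empty only)."""
    nets = [ipaddress.ip_network(c) for c in monitored_cidrs]
    hits = {str(n): set() for n in nets}
    for ip, _ in parse_beacons(lines):
        for n in nets:
            if ip in n:
                hits[str(n)].add(str(ip))
    return {k: sorted(v) for k, v in hits.items() if v}

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(summarize(lines))
    print(infected_ranges(lines, ["203.0.113.0/24", "198.51.100.0/24"]))
```

Any range that appears in the output still has a machine that would resume spreading if the kill-switch domain became unreachable, which is exactly the risk the article describes.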
It's not clear how many organizations have taken advantage of the service, but given the data, it seems like something companies should look into doing.