Security researchers have continued tracking WannaCry infections and have logged nearly 5 million detections of the ransomware on vulnerable devices in the past two years.
The initial WannaCry attacks occurred in May 2017 and caused massive damage before security researcher Marcus “MalwareTech” Hutchins inadvertently discovered a kill switch for the ransomware by registering a dummy domain found in the malware code; the malware checks whether that domain is reachable and halts if it is. However, while the kill switch prevented the ransomware from encrypting system data, researchers at Malwarebytes have been watching WannaCry continue to spread to vulnerable systems.
According to Malwarebytes’ research, WannaCry infections have been on the decline, but there have still been more than 4.8 million WannaCry detections over the past two years.
Although WannaCry continues to spread, Adam Kujawa, director of Malwarebytes Labs, based in Santa Clara, Calif., said there was almost no danger from the infections, because “it would be easier to just load new ransomware on the victim system,” rather than trying to activate the dormant WannaCry.
“In order to execute the encryption routine of a preexisting infection, the attacker would either have to modify values in running memory to force the program to jump into its encryption routine or modify the hosts file for the system by adding the kill switch URL and pointing it to a nonsense IP address, then forcing a system reboot,” Kujawa wrote via email. “You could also compromise a DNS server and point the kill switch URL to nothing. Then, any system which is infected and reaches out to that server might activate the encryption. This is really unlikely, though.”
According to Malwarebytes researchers, there are still hundreds of thousands of systems vulnerable to the EternalBlue and EternalRomance exploits used by the ransomware to spread automatically, and those unpatched systems remain open to exploitation by new malware.
The EternalBlue and EternalRomance exploits target vulnerabilities in the Windows implementation of Server Message Block version 1 (SMBv1), which Microsoft addressed in the MS17-010 security update. The issues can be mitigated by installing those patches, which Microsoft released in March 2017 and extended to out-of-support versions such as Windows XP and Server 2003 in May 2017; by disabling SMBv1 on hosts that do not need it; or by filtering SMB traffic (TCP port 445) at the network perimeter and between internal segments.
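The practical check that follows from this is whether a given host still answers an SMBv1 negotiate at all. The script below is an added example and is not code from the article, Malwarebytes or Rapid7: it sends a minimal SMB_COM_NEGOTIATE request offering only the classic "NT LM 0.12" dialect and classifies the reply. It assumes TCP/445 is the port in use and that a Windows host with SMBv1 disabled drops the connection rather than answering, which is how the "closed" result is interpreted; no exploit code is involved, only the protocol handshake. The constructed response builder exists so the parser can be exercised offline.

```python
"""Probe a host for SMBv1 support with a minimal SMB_COM_NEGOTIATE request (added example).

A host that still answers an SMBv1 negotiate is a candidate target for
EternalBlue/EternalRomance and should be patched (MS17-010), have SMBv1
disabled, or have TCP/445 filtered. Only the handshake is performed.
"""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECT_NT_LM_012 = b"NT LM 0.12"  # the classic SMBv1 dialect


def build_smb1_negotiate(dialects=(DIALECT_NT_LM_012,)):
    """Return a NetBIOS-framed SMBv1 NEGOTIATE request offering the given dialects."""
    header = SMB1_MAGIC
    header += struct.pack("<B", SMB_COM_NEGOTIATE)  # Command
    header += struct.pack("<I", 0)                  # NT Status (unused in a request)
    header += struct.pack("<B", 0x18)               # Flags: case-insensitive, canonical paths
    header += struct.pack("<H", 0xC801)             # Flags2: Unicode, NT status, ext. security, long names
    header += struct.pack("<H", 0)                  # PIDHigh
    header += bytes(8)                              # SecuritySignature
    header += bytes(2)                              # Reserved
    header += struct.pack("<HHHH", 0xFFFF, 0xFEFF, 0, 0)  # TID, PID, UID, MID
    assert len(header) == 32
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)  # each dialect: 0x02, string, NUL
    body = struct.pack("<B", 0) + struct.pack("<H", len(data)) + data  # WordCount, ByteCount, Dialects
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb  # NetBIOS session message framing


def classify_negotiate_response(raw):
    """Classify the server's reply: 'smb1', 'smb2', 'rejected' or 'unknown'."""
    if len(raw) < 4 + 32:
        return "unknown"
    smb = raw[4:]  # strip the NetBIOS session header
    if smb[:4] == SMB2_MAGIC:
        return "smb2"  # an SMB2 reply only appears if an SMB2 dialect was offered
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return "unknown"
    status = struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    if status != 0 or word_count == 0:
        return "rejected"
    if len(smb) < 35:
        return "unknown"
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    return "rejected" if dialect_index == 0xFFFF else "smb1"  # 0xFFFF: no dialect accepted


def probe_smb1(host, port=445, timeout=3.0):
    """Send the negotiate to host:port and return the classification.

    'unreachable' means the TCP connection failed (for example, 445 filtered);
    'closed' means the server dropped the connection without answering, which
    is the typical behaviour of a Windows host with SMBv1 disabled.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_smb1_negotiate())
            raw = sock.recv(4096)
    except OSError:
        return "unreachable"
    if not raw:
        return "closed"
    return classify_negotiate_response(raw)


def constructed_smb1_response(status=0, dialect_index=0):
    """Constructed (not captured) SMBv1 NEGOTIATE response for offline testing."""
    header = (SMB1_MAGIC + struct.pack("<B", SMB_COM_NEGOTIATE) + struct.pack("<I", status)
              + struct.pack("<B", 0x98)            # Flags with the reply bit set
              + struct.pack("<H", 0xC801) + bytes(12)
              + struct.pack("<HHHH", 0xFFFF, 0xFEFF, 0, 0))
    # WordCount 17 as in an NT LM 0.12 reply; only DialectIndex matters to the
    # classifier, so the remaining parameter words and the data block are zero-filled.
    body = struct.pack("<B", 17) + struct.pack("<H", dialect_index) + bytes(32) + struct.pack("<H", 0)
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(f"{target}: {probe_smb1(target)}")
```

Run it only against hosts you are authorized to test. A result of "smb1" on a host reachable from the internet is exactly the kind of exposed node counted in the scans discussed later in the article; on Windows 8/Server 2012 and later the remediation is `Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force` plus the MS17-010 update, and a re-run of the probe should then return "closed" or "unreachable".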
“There are still so many WannaCry detections, because there are still samples wandering the internet,” Kujawa said. “Most worrying, however, are the new generation of Trojans, like Emotet and TrickBot, that are taking advantage [of] the same mechanisms that enabled WannaCry to cause so much damage in an attempt to do the same thing. There are millions of systems out there that are vulnerable to these vicious forms of malware. Businesses and consumers alike should make updating their systems regularly a top priority.”
Brandon Levene, head of applied intelligence at Chronicle, a cybersecurity subsidiary of Alphabet Inc., said the WannaCry infection numbers from Malwarebytes are plausible, because “VirusTotal has seen over 500,000 distinct copies of WannaCry, with an average of 211 new samples per day.”
“WannaCry remains a viable piece of ransomware, and it is trivially modifiable by even the most basic of threat actors. While a system may be patched against the spreading mechanism EternalBlue, hosts with the malware on it can still be encrypted,” Levene wrote via email. “Due to the command-and-control [C2] servers remaining active, but under researcher control, encryption does not take place. WannaCry checks for a C2 to respond; if it does, it will not encrypt the target. If, for some reason, the C2s were to go down — or a network admin were to block them for his or her network — the ransomware would kick off.”
While Kujawa suggested organizations patch systems, he acknowledged that, because systems are still vulnerable, “many of these systems may just be sitting dormant in the corner of some company’s network for all we know.”
“We have observed a steady decline in WannaCry infection detections since 2017, and it looks like, at the very least, time will age these systems, they will be replaced or upgraded, their holes patched and infections erased,” Kujawa said.
In a blog post about the WannaCry anniversary, Bob Rudis, chief data scientist at Rapid7, based in Boston, wrote that there are still a lot of potential targets for malware using EternalBlue.
“Depending on how you scan, where you scan from, and what you are trying to count when it comes to finding exposed Microsoft Windows Server Message Block (SMB) nodes on the internet, you’ll get a number anywhere between 500,000 to 1 million,” Rudis wrote. “EternalBlue-based SMB probes and attacks are absolutely part of the ‘new normal’ of background noise on the internet, with attackers — opportunistic or otherwise — testing out some form of their latest and greatest code and techniques with almost perfect immunity so they can have even more success once they gain a foothold in your organization.”