WannaCry Is Here to Stay- There Are Still Thousands of Infected Systems
Kryptos Logic the company that monitors the malware warned the IT world that the ransomware is still active. More versions have been spewed by criminals, so a rich collection of kill-switches are now up.
Researchers say the malware is still out there in many thousands of computers. Almost eighteen months after the WannaCry ransomware infected the first systems, it is dormant until the situation changes again.
Remember WannaCry was designed to check the registration of the domain that goes as “iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com”. If this domain was registered, the ransomware would stop the file encryption process and it will end the self-spreading action. Kryptos Logic after analyzing the source code of the malware had then registered the domain, and literally deactivated the ransomware that caused major problems in multiple organizations, including the Chinese Universities, the Russian Interior Ministry, Telefonica, and a lot more.
The ransomware was deactivated, and it kept checking the above-said domain to decide whether it should reactivate or not. During this while, anti-malware developers got enough time to update their databases and gear up with enough resource and tools to remove the WanaCry and all of its cryptor and decryptor modules. As reported by Kryptos Logic, there are still thousands of infected systems out there that still connect to the “kill-switch” domain. The Kryptos Logic team decided to host the domain to Cloudflare to ensure protection against DDoS attacks which would essentially reactivate WannaCry.
According to Jamie Hankings, the Head of Security and Threat Intelligence Research at Kryptos Logic, the number of connections to the kill switch domain reaches 630 thousand of unique IP addresses that come from 194 countries, each week. The most “infected countries” are China, Indonesia, Vietnam, India, and Russia. Should the ransomware get activated again, it would spread like wildfire around the globe, as the kill switch domain is the only thing that is keeping it from doing so right now. Kryptos Logic is suggesting that organizations use their “TellTale” service that can monitor a range of IP addresses and inform about their infection status so further action can be taken.
While the creators of WannaCry haven’t come up with a new update of malware that has a different kill-switch domain, or no kill-switch at all, but there are others who have done it. So there’s a comprehensive list of kill-switch domains that is keeping everything inactive. So if the original author decides to relaunch the malware without a kill-switch, it will be of no significance. Nevertheless, the infection rates could go higher and it will be a bad situation.
Julia Sowells703 Posts
Julia Sowells has been a technology and security professional. For a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, and even writing technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm with her role as security consultant while continuing to write for Hacker Combat in her limited spare time.