WannaCry ransomware continues to lurk on infected computers over a year after it first appeared

  • The WannaCry ransomware first appeared in May 2017 and infected entities located in over 150 countries.
  • The top three countries still infected by WannaCry are China, Indonesia, and Vietnam.

The WannaCry ransomware first appeared in May 2017, infecting hundreds of thousands of computers across 150 countries. Like other traditional ransomware variants, WannaCry encrypts files on the system’s hard drive and demands huge sums in ransom in exchange for decrypting the data.

Experts recently discovered that even after 18 months, WannaCry continues to be a persistent threat and to lurk on vulnerable computers across the globe. Earlier this year, security researchers from Kryptos Logic registered a domain that acted as a kill switch for the ransomware component of the infection.

If the infection connected to the kill switch domain, the ransomware component would not activate. However, the ransomware would continue to run silently in the background, routinely connecting to the kill switch domain to check whether it was still active.

The kill switch domain

On December 21, 2018, Jamie Hankins, the head of security and threat intelligence research at Kryptos Logic, took to Twitter to reveal details of WannaCry infections, such as the number of connections and unique IP addresses that continue to connect to the kill switch domain.

Even though the kill switch domain is now hosted by Cloudflare to provide high availability and protection from DDoS attacks, Kryptos Logic still has access to the statistics for this domain, Hankins told BleepingComputer.

WannaCry’s current activities

Hankins posted WannaCry statistics on Twitter, which state the following:

  • The kill switch domain received approximately 17 million beacons or connections per week.
  • The millions of connections came from nearly 630,000 unique IP addresses located in 194 different countries, in just one week.
  • The top ten countries still infected by WannaCry are China, Indonesia, Vietnam, India, Russia, Venezuela, Thailand, Ukraine, Taiwan, and Brazil.
  • The number of connections is lower on weekends than on weekdays, likely because most users are online while at work.

“The UK consists of approximately 0.15% of the total connections with the USA coming in at 1.35% for a single day's statistics. These numbers can be skewed by DHCP churn over longer time periods,” Hankins told BleepingComputer.

TellTale Service

A new service named “TellTale” was recently deployed. It notifies organizations about WannaCry ransomware infections, as well as infections of other malware and ransomware variants. The service was released by Kryptos Logic in April 2018. TellTale also allows organizations to monitor their range of IP addresses for known infections.
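
One way to apply the beacon statistics and the IP-range monitoring described above to an organization's own DNS or proxy logs, as an added example that is not from the original article, Kryptos Logic or TellTale. The log format, the `killswitch.example` placeholder domain and the monitored ranges are constructed assumptions.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample: "ISO-timestamp source-IP queried-domain" per line.
# killswitch.example is a placeholder, not the real kill switch domain.
KILL_SWITCH_DOMAIN = "killswitch.example"
SAMPLE_LOG = """\
2018-12-17T09:02:11 198.51.100.23 killswitch.example
2018-12-17T09:02:15 203.0.113.5 killswitch.example
2018-12-17T09:07:40 198.51.100.23 killswitch.example
2018-12-18T14:30:02 198.51.100.77 killswitch.example
2018-12-18T14:31:00 192.0.2.10 updates.example
2018-12-22T11:00:09 198.51.100.23 killswitch.example
malformed line
"""
# Hypothetical address ranges owned by the organization being monitored.
MONITORED_RANGES = ["198.51.100.0/24", "192.0.2.0/25"]


def summarize_beacons(log_text, ranges, domain=KILL_SWITCH_DOMAIN):
    """Count kill switch beacons that originate from the monitored ranges."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    per_ip = Counter()
    by_day_type = Counter()
    skipped = 0
    for line in log_text.splitlines():
        parts = line.split()
        try:
            when = datetime.fromisoformat(parts[0])
            src = ipaddress.ip_address(parts[1])
            queried = parts[2].rstrip(".").lower()
        except (IndexError, ValueError):
            skipped += 1  # keep going, but report how many lines were unusable
            continue
        if queried != domain or not any(src in n for n in nets):
            continue
        per_ip[str(src)] += 1
        by_day_type["weekend" if when.weekday() >= 5 else "weekday"] += 1
    return {"beacons": sum(per_ip.values()), "unique_ips": len(per_ip),
            "per_ip": dict(per_ip), "by_day_type": dict(by_day_type),
            "skipped": skipped}


if __name__ == "__main__":
    print(summarize_beacons(SAMPLE_LOG, MONITORED_RANGES))
```

The unique-IP figure only approximates the number of infected hosts: as Hankins notes in the quote above, DHCP churn can skew it over longer time periods.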

Cyware Publisher