The WannaCry ransomware first appeared in May 2017, infecting hundreds of thousands of computers across 150 countries. Like other traditional ransomware variants, WannaCry encrypts files on the system’s hard drive and demands huge sums in ransom in exchange for decrypting the data.
Experts recently discovered that even after 18 months, WannaCry remains a persistent threat and continues to lurk on vulnerable computers across the globe. Earlier this year, security researchers from Kryptos Logic registered a domain that acted as a kill switch for the ransomware component of the infection.
If an infection could connect to the kill switch domain, the ransomware component would not activate. However, the ransomware would continue to run silently in the background, routinely connecting to the kill switch domain to check whether it was still active.
On December 21, 2018, Jamie Hankins, the head of security and threat intelligence research at Kryptos Logic, took to Twitter to reveal details of WannaCry infections, such as the number of connections and unique IP addresses that continue to connect to the kill switch domain.
Even though the kill switch domain is now hosted by Cloudflare to provide high availability and protection from DDoS attacks, Kryptos Logic still has access to the statistics for this domain, Hankins told BleepingComputer.
Hankins posted the following WannaCry statistics on Twitter:
“The UK consists of approximately 0.15% of the total connections with the USA coming in at 1.35% for a single day's statistics. These numbers can be skewed by DHCP churn over longer time periods,” Hankins told BleepingComputer.
A new service named “TellTale” was recently deployed. It notifies organizations about WannaCry ransomware infections, as well as infections by other malware and ransomware variants. Kryptos Logic released the service in April 2018. TellTale also allows organizations to monitor their IP address ranges for known infections.
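The kill switch check-ins and the DHCP churn caveat described above can be seen in an organization's own resolver logs. The following is an added example, not code from Kryptos Logic or TellTale: it counts connections, unique IPs and actual hosts querying the kill switch domain. The domain is a placeholder (the page does not name it), and both log formats and all log lines are constructed.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Placeholder: the page does not name the kill switch domain.
KILL_SWITCH_DOMAIN = "killswitch.example.invalid"

# Constructed resolver log: "<ISO timestamp> <client IP> <queried name>"
DNS_LOG = """\
2018-12-21T08:00:05 10.0.4.17 killswitch.example.invalid.
2018-12-21T08:01:12 10.0.4.22 www.example.org.
2018-12-21T09:00:07 10.0.4.17 KillSwitch.example.invalid.
2018-12-21T13:00:09 10.0.4.93 killswitch.example.invalid.
2018-12-21T14:30:41 10.0.7.8 killswitch.example.invalid.
2018-12-21T15:00:00 10.0.9.9 notkillswitch.example.invalid.
"""

# Constructed DHCP lease log: "<ISO timestamp> <IP> <MAC>" (lease granted)
LEASE_LOG = """\
2018-12-21T07:50:00 10.0.4.17 aa:bb:cc:00:00:01
2018-12-21T12:45:00 10.0.4.93 aa:bb:cc:00:00:01
2018-12-21T07:55:00 10.0.7.8 aa:bb:cc:00:00:02
"""

def load_leases(text):
    """Map each IP to a time-ordered list of (lease start, MAC)."""
    leases = defaultdict(list)
    for line in sorted(text.splitlines()):  # ISO timestamps sort by time
        ts, ip, mac = line.split()
        leases[ip].append((datetime.fromisoformat(ts), mac))
    return leases

def owner(leases, ip, when):
    """MAC holding `ip` at `when`, or the IP itself if no lease is known."""
    entries = leases.get(ip, [])
    i = bisect_right(entries, (when, "\uffff")) - 1
    return entries[i][1] if i >= 0 else ip

def summarize(dns_text, lease_text, domain=KILL_SWITCH_DOMAIN):
    leases, hits, ips, hosts = load_leases(lease_text), 0, set(), defaultdict(list)
    for line in dns_text.splitlines():
        ts, ip, qname = line.split()
        if qname.rstrip(".").lower() != domain:  # exact, case-insensitive match
            continue
        hits += 1
        ips.add(ip)
        hosts[owner(leases, ip, datetime.fromisoformat(ts))].append(ts)
    return {"connections": hits, "unique_ips": len(ips), "hosts": dict(hosts)}
```

On the constructed data, four check-ins come from three IP addresses but only two machines, because one host changed its lease during the day.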