It’s two years since WannaCry crippled organisations around the world and the ransomware is in sharp decline. But not everyone is protected from one of the most devastating cyberattacks in history, and new threats are emerging in WannaCry’s place.
Between the 12 and 15 May 2017, a worldwide cyberattack exploited a vulnerability in older Microsoft Windows operating systems to encrypt files and demand a ransom payment in the cryptocurrency Bitcoin.
Around 200,000 computers were infected across 150 countries during the initial attack, with the UK’s National Health Service among the worst affected organisations. Around 7,000 appointments were cancelled and many machines were unusable.
WannaCry spread using an exploit known as EternalBlue, allegedly developed by the US National Security Agency to aid intelligence gathering. It was reportedly stolen by a mysterious hacking group known as the Shadow Brokers and turned back on the world in the devastating form of WannaCry.
WannaCry was eventually stopped by British security researcher Marcus Hutchins, who discovered a ‘kill-switch’ that had been built into the ransomware by its creators.
Two years on, in-depth analysis by cybersecurity firm Malwarebytes has revealed that this global kill-switch has, for the most part, stopped the spread of WannaCry.
WannaCry two years on is down but not out
Since the initial four-day outbreak in May 2017, there have been 4,826,682 global detections of WannaCry, with 17,185 of these taking place in the UK.
Now, WannaCry detections number in the “hundreds of thousands,” says Adam Kujawa, director of Malwarebytes Labs.
Although in decline, those who haven’t updated their IT infrastructure may still be at risk.
“There are still so many WannaCry detections because there are still samples wandering the internet, and while the URL used as the ‘global kill switch’ has been registered – neutering much of the threat WannaCry poses – there are still many incidents where it is successfully exploiting the distribution methods we originally saw in May 2017,” said Kujawa.
This risk is more prominent in Eastern countries, the research finds. In 2019 alone, Indonesia has recorded 95,211 detections, while India and Malaysia number nearly 90,000 each.
By contrast, WannaCry has been detected just 656 times in the UK this year.
And while China was not widely affected by the initial 2017 attack, there has been an uplift since, growing from 613 detections to 113,785 in total to date.
According to Malwarebytes, this is because there tends to be a poor culture of updating software in these regions.
Businesses may also shun updates out of fear that their “bespoke software may not run anymore,” says Jake Moore, security specialist at cybersecurity firm ESET.
However, “the risks attached come with a far higher price tag should they have their data encrypted and back-ups lost,” he said. “For example, I still know of a huge worldwide vehicle manufacturer who won’t upgrade from Windows 7 to Windows 10 because their vehicles do not talk to their network on any other OS.”
New threats following familiar paths
Although the threat of WannaCry has largely subsided, other threats are taking its place. Hundreds of thousands of systems are vulnerable to the same EternalBlue and EternalRomance exploits that WannaCry took advantage of.
Malware creators are exploiting these mechanisms to unleash the next generation of Trojans. One of these is Emotet, banking malware that steals financial information by intercepting and logging outgoing network traffic on an infected computer. It is often spread via malicious links or documents inside an email.
Another is Trickbot, also a banking Trojan. Like Emotet, it infects computers using phishing emails to then gather personally identifiable information that can be used to commit identity fraud.
Both these have businesses around the world in their cross-hairs.
“There are millions of systems out there that are vulnerable to these vicious forms of malware; businesses and consumers alike should make updating their systems regularly a top priority,” advised Kujawa.