While largely contain eighteen months after the initial outbreak of the WannaCry Ransomware infection, the malware continues to rear its head on thousands, if not hundreds of thousands, of infected computers.
When the WannaCry infection was first unleashed, security researcher Marcus Hutchins of Kryptos Logic registered a domain that acted as a kill switch for the ransomware component of the infection. If the infection was able to connect to this kill switch domain, the ransomware component would not activate. The infection, though, would continue to run silently in the background, while routinely connecting to the kill switch domain to check if it was still live.
In a Twitter thread posted last Friday by Jamie Hankins, the Head of Security & Threat Intelligence Research at Kryptos Logic, data was released regarding the amount of connections and unique IP addresses that continue to connect to the kill switch. Even though this kill switch is now hosted by Cloudflare in order to provide high availability and protection from DDoS attacks, Hankins told BleepingComputer that they still have access to the statistics regarding this domain.
Feels like a nice time to do a quick end of year look at our WannaCry data. I’ll be posting some graphs and different metrics in this thread. Big shoutout to the crew at @Cloudflare, they’ve been providing us with assistance with the kill switch since the beginning almost.
— Jamie Hankins (@2sec4u) December 21, 2018
According to Hankins, the WannaCry kill switch domain receives over 17 million beacons, or connections, in a one week period. These connections are coming from over 630 thousand unique IP addresses consisting of 194 different countries in one week.
Below is a graph showing the top countries still infected by WannaCry, with China, Indonesia, and Vietnam being the top three. Hankins told BleepingComputer that the UK consists of approximately 0.15% of the total connections with the USA coming in at 1.35% for a single day’s statistics. These numbers can be skewed by DHCP churn over longer time periods.
Hankins also posted a graph showing the amount of beacons over a weekly period. As expected, the amount of connections are less over the weekend compared to a normal business day as more users come into the office and turn on their computers.
The fact that so many computers are still infected with this malware is a major problem. All you need is an Internet outage to occur and for the kill switch domain to no longer be accessible for the ransomware to kick in.