Five years since the infamous WannaCry ransomware strain swept corporate networks globally, we look back on its impact with fresh eyes. In the second of a two-part series, we explore why WannaCry is still so prevalent in certain corners of the world and how we might be able to finally defeat it.
WannaCry will forever be remembered for the damage it inflicted across the world back in 2017. The malware strain arguably put ransomware on the map and although it was by no means infallible, WannaCry’s moment in the sun lasted just a few short weeks for many.
WannaCry showed the world how not to write ransomware
What most people don’t realise, including a number of cyber security experts IT Pro spoke with recently, is that WannaCry is still very much an active participant in the ransomware landscape – a thoroughly dominant one, actually.
What’s more, cyber criminals still using WannaCry have learned from its failures and have come back with reworked, retooled versions that eliminate the ‘low hanging fruit’ kill switch that ultimately proved its downfall five years ago.
Newer ransomware strains and highly organised professional operations have stolen the headlines in recent years, but WannaCry hasn’t died the death many may have assumed. Not by a long shot.
WannaCry detections are still prevalent
Cyber security companies monitor numerous threats around the world to track their popularity and what’s being targeted. It means they can help their customers preempt potential attacks that are known to focus on specific industries, for example. In fact, since WannaCry first burst onto the scene, it’s been the most commonly detected strain in all of Trend Micro’s annual reports.
SonicWall is one such company still tracking WannaCry, although other firms tell IT Pro they have decided to stop monitoring the strain, given the worst of it is over. We may not have seen the same level of destruction as sustained five years ago, but detections remain high.
Detections for 2021 of 100,000 represent a sizable dip against the 233,000 hits of 2020, with this data supported by Trend Micro’s intel too. Despite employing different telemetry configurations, both companies are consistent in the trend they’ve established.
Despite the drop-off, no other ransomware strain comes close to WannaCry – even five years on. ESET data from 2020 suggests WannaCry accounted for as much as 40.5% of all ransomware detections globally and, in 2021, WannaCry was the only ransomware to make Trend Micro’s list of top ten most-used malware strains of the year – coming fourth.
Bharat Mistry, technical director at Trend Micro, offers an insight into why detections are still so high, telling IT Pro hackers may be using WannaCry indiscriminately to pop any computers that have failed to patch against EternalBlue.
“The spray-and-pray approach used by legacy ransomware like WannaCry might account for its large volume of attacks,” he says. “Hackers know that organisations struggle to patch vulnerabilities in a timely manner and they know WannaCry is hugely successful so why reinvent the wheel?
“In terms of its capabilities, there’s nothing that it directly offers; however the concept of using multiple techniques, vulnerability exploitation for self-replication/propagation is used in all modern-day ransomware.”
Who is WannaCry hitting, and where?
The companies still monitoring WannaCry agree that countries in the Americas were seeing the most detections – particularly in South America. Bitdefender tells IT Pro that the highest number of detections are consistently coming from Brazil, Ecuador, and Chile, with Malaysia bucking the trend and keeping WannaCry alive in Southeast Asia.
Trend Micro’s specialised cyber security report for Latin America and the Caribbean in 2021 also shows WannaCry as the most dominant ransomware strain in the region by some margin, even though it represents a significant reduction against 2020.
“As for the reason why these particular countries are at the top, we can only speculate,” says Martin Zugec, technical solutions director at Bitdefender. “These findings are based on data from our telemetry, other security companies might see a different picture depending on the distribution of their deployments.”
While Zugec was only willing to speculate, other experts have been more forthcoming in their criticisms directed generally at the region for its low levels of cyber preparedness.
Experts told the Atlantic Council think tank in 2021 that a lack of skilled individuals in these regions “is a major inhibitor” and that investment would be best placed on education. Although 15 countries here have national cyber security strategies, only efficient collaboration between the public and private sectors can meaningfully raise cyber resilience. Until both become cyber prepared, the region will continue to be targeted successfully.
“WannaCry was still the most detected ransomware family, maintaining the reign documented in Trend Micro’s roundup reports from recent years,” Trend Micro said in its report, meanwhile. “It remained as such even though it is a relatively old family, considered as pre-modern ransomware, and the malicious actors behind it had not been actively initiating attacks. The persistence of this family shows how a network worm can thrive if devices are not patched properly, if at all.”
Unsurprisingly, given everything we know already, WannaCry also dominated the three industries most affected by ransomware in 2021: government, banking, and healthcare. According to Trend Micro’s telemetry, WannaCry was 177 times more prevalent than second-place GandCrab in government machines �� the most targeted sector by ransomware – and 155 times more common than GandCrab, again in second place, in banking.
Fighting off WannaCry 2.0
Aside from abusing the still unpatched EternalBlue exploit in certain Windows environments, we do have an understanding of how attackers are executing WannaCry attacks on businesses today. Some experts, bizarrely, suggest the detections seen as recently as this year aren’t even driven by cyber criminals.
“The majority of Wannacry infections in 2022 is likely due to automated campaigns that were never turned off, as opposed to threat actors deliberately using WannaCry to specifically target victims,” says Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows.
“It’s possible that many companies have failed to completely remediate WannaCry from their networks. With WannaCry having the ability to spread automatically, partially remediated systems could be reinfected at a later date.”
WannaCry’s wormable nature certainly contributed to its effectiveness, and it’s a capability modern strains have emulated, to a degree, according to Analyst1. The cyber security company says the likes of Conti, Ryuk, and LockBit have all implemented automation in their attack chains, although the wormable functionality has largely gone off trend.
WannaCry’s detections have steadily fallen across the globe since 2018, which is good news for companies that, for whatever reason, are still running legacy systems vulnerable to the ghost of WannaCry. As for what kills the virus off for good – nobody can really tell for sure what that will be. Raising the levels of nationwide cyber resilience in the most affected regions, however, may compel attackers to switch off their WannaCry campaigns for good. All we can hope is that it doesn’t take another five years.
