WannaCry (May 2017) was probably the worst ransomware outbreak the Internet has seen. It hit organizations in almost every industry all over the world, with the UK's National Health Service among the worst affected.
Although researchers eventually managed to halt its spread, hundreds of thousands of Windows PCs and laptops are potentially still infected with this singularly infectious and dangerous worm.
Alarmed? You should be!
What is WannaCry?
WannaCry is ransomware that infected hundreds of thousands of computers, both personal and corporate, around the world.
It is also a worm: it exploits a vulnerability in the SMBv1 file-sharing service of unpatched Windows systems (most victims ran Windows 7), encrypts the victim's files, and bars access to them until the requested ransom is paid.
The cybercriminals behind WannaCry demanded the ransom in Bitcoin, to be paid within a deadline. The ransom note threatened to double the price after three days and to delete the encrypted files permanently after seven.
WannaCry caused an estimated loss of $4 billion. It is quite rightly a piece of malware to be feared.
Why is WannaCry Still a Threat?
To understand that, you first need to understand how WannaCry spreads. The trick that halted it was found by the security researcher known as MalwareTech (Marcus Hutchins), who examined the ransomware's code while trying to contain it.
WannaCry's spreading routine hinges on a simple if-else check of the kind you might remember from a school or college programming course. MalwareTech noticed a long, gibberish-looking domain name hard-coded into the worm.
When he looked it up, the domain was unregistered. So he registered it and pointed it at a DNS sinkhole, where the worm's requests could do no damage.
The decision built into WannaCry's spreading code goes something like this:
- Try an HTTP request to the hard-coded gibberish domain
- Did the request succeed (is the domain registered and answering)?
- If not, continue spreading
- If yes, stop spreading and exit
MalwareTech's fix took advantage of the way the worm was coded, but it is not a solution for removal or for long-term protection of our computers.
It only buys time for computers still running Windows versions that carry the vulnerability WannaCry exploits.
Now that you understand how WannaCry operates, imagine this…
What Happens if an Internet Outage Occurs?
WannaCry is written to continue spreading as long as the domain it checks is unavailable. MalwareTech's trick turned that domain into a kill switch by registering it, making it live, and directing its traffic into a DNS sinkhole.
All of that is nullified the moment an infected machine cannot reach the sinkhole, and an Internet outage does exactly that.
WannaCry would then resume spreading to Windows PCs that still have not installed the security patch Microsoft released specifically to close the hole WannaCry exploits.
So if you were infected by WannaCry in the past and simply paid the ransom, the worm may still be alive on your system: paying does not remove it, and every time it runs it checks again whether that domain is offline before trying to spread.
Today that poses no threat, because the domain is live and registered. But the worm cannot tell an outage from an unregistered domain, so an outage, or a firewall or proxy that blocks the domain, would re-arm WannaCry on every machine that still carries it.
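The branch described above, as an added example written for this article (it is not the worm's code and not MalwareTech's). The real hard-coded domain is replaced by a placeholder, and three constructed stand-in fetchers reproduce the three situations discussed: the sinkhole answering, the domain unregistered, and an outage. Anything the request raises, whether a DNS failure, a timeout or a refused connection, lands in the same "keep spreading" branch.

```python
import socket
import urllib.error
import urllib.request

# Placeholder: the real hard-coded WannaCry domain is deliberately not reproduced.
KILLSWITCH_DOMAIN = "killswitch-placeholder.invalid"


def fetch_direct(domain, timeout=5.0):
    """Plain HTTP GET to the domain, the way the worm checks it.

    Returns normally if a server answered at all (even with an HTTP error
    status); raises on DNS failure, timeout or refused connection.
    """
    try:
        urllib.request.urlopen(f"http://{domain}/", timeout=timeout).close()
    except urllib.error.HTTPError:
        pass  # a 404 still means somebody is answering for the domain


def killswitch_says_spread(fetch=fetch_direct):
    """Reproduce the worm's branch: keep spreading unless the fetch succeeds.

    Every failure (NXDOMAIN, no route, timeout, blocked egress) ends up in
    the same 'else' branch, which is why an outage re-arms the worm.
    """
    try:
        fetch(KILLSWITCH_DOMAIN)
    except OSError:          # URLError, gaierror and TimeoutError are all OSError
        return True          # "domain is dead" -> spread
    return False             # sinkhole answered -> stop


# Constructed stand-ins for the three network situations (no network used).
def fetch_sinkholed(domain):
    """Domain registered and pointing at a sinkhole: the request succeeds."""
    return b"sinkhole"


def fetch_unregistered(domain):
    """Domain not registered (the situation before MalwareTech bought it)."""
    raise socket.gaierror(-2, "Name or service not known")


def fetch_outage(domain):
    """Internet outage or blocked egress: nothing answers in time."""
    raise TimeoutError("no route to the sinkhole")


if __name__ == "__main__":
    for name, fetch in [("sinkholed", fetch_sinkholed),
                        ("unregistered", fetch_unregistered),
                        ("outage", fetch_outage)]:
        print(f"{name:12s} -> spread={killswitch_says_spread(fetch)}")
```

The corollary for defenders: never block the kill-switch domain at a firewall or proxy. From the worm's point of view a block is indistinguishable from an outage.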
How Many Computers Are Still Infected?
It is difficult to determine exactly how many PCs are still infected with WannaCry, but Jamie Hankins, Head of Security & Threat Intelligence at Kryptos Logic, recently posted a Twitter thread with data on the number of IP addresses still beaconing to the kill-switch domain:
In the last 24 hours we saw:
2,713,752 beacons from 220,648 unique SrcIPs to the killswitch from 184 different countries
Over the course of a week we see:
17,088,121 beacons from 639,507 unique SrcIPs (DHCP churn obviously is a factor) across 194 countries
— Jamie Hankins (@2sec4u) December 21, 2018
These are alarming figures: WannaCry is potentially lying dormant on several hundred thousand machines around the world (the weekly count of some 640,000 source IPs overstates the number of hosts, since, as Hankins notes, DHCP churn makes one machine show up under several addresses).
So, is there anything you can do to prevent another WannaCry outbreak?
Fixes and Solutions
Ransomware is unforgiving. Once your files are encrypted, getting them back without the attacker's key is usually impossible, and a worm like WannaCry keeps trying to spread from the infected machine until it is removed.
Your best bet is to avoid falling victim to a ransomware attack like WannaCry in the first place. If you have already been hit, remove the malware with a suitable tool; paying the ransom does not remove it.
Here are some important tips to prevent/remove WannaCry.
1. Install an Updated Anti-virus with a Real-time Shield
You should never run a PC without a good anti-virus program protecting it from malware and ransomware.
Malwarebytes is one widely used option for blocking ransomware. Whatever you use, keep it updated and leave the real-time shield running at all times to minimize the chances of an attack like WannaCry.
2. Keep Windows Updated
WannaCry was only possible because of a vulnerability in the SMBv1 file-sharing service of Windows, which Microsoft had already patched in March 2017 (security bulletin MS17-010), two months before the outbreak; almost every victim was a machine that had not applied that patch. If you are running an old or unpatched Windows version, do yourself a favor and update ASAP, and disable SMBv1 wherever nothing still depends on it.
Many malware families exploit weaknesses in Windows that go away only as Microsoft ships updates for them, so install updates promptly rather than leaving them for later.
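A practical way to find the machines that still need the patch is to ask which hosts on your LAN still answer SMBv1 on TCP port 445, since that is the service WannaCry attacked. The added example below is written for this article (it is not from the original post or from any vendor tool): it builds a raw SMBv1 Negotiate Protocol request that offers only the NT LM 0.12 dialect and classifies the reply. The host and port arguments of the probe are assumptions, and a constructed reply is included so the parser can be exercised offline.

```python
import socket
import struct

SMB_COM_NEGOTIATE = 0x72
NT_LM_012 = b"NT LM 0.12"          # the classic SMBv1 dialect


def build_negotiate_request(dialects=(NT_LM_012,)):
    """SMBv1 Negotiate Protocol request offering only SMBv1 dialects, wrapped
    in a NetBIOS session-service header (1 byte type 0x00 + 24-bit length)."""
    header = struct.pack(
        "<4sBIBHHQHHHHH",
        b"\xffSMB",          # protocol id
        SMB_COM_NEGOTIATE,   # command
        0,                   # NT status
        0x18,                # flags: case-insensitive, canonicalized paths
        0xC801,              # flags2: unicode, NT status, ext. security, long names
        0,                   # PIDHigh
        0,                   # SecurityFeatures
        0,                   # reserved
        0,                   # TID
        0xFEFF,              # PIDLow
        0,                   # UID
        0,                   # MID
    )
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(data)) + data   # WordCount=0, ByteCount, dialects
    smb = header + body
    return struct.pack(">I", len(smb)) + smb


def parse_negotiate_response(packet):
    """Classify a reply: 'smb1' (an SMBv1 dialect was accepted), 'smb1-rejected'
    (DialectIndex 0xFFFF), 'smb2' (server answered with SMB2), or 'unknown'."""
    if len(packet) < 4 + 32 + 3:
        return "unknown"
    smb = packet[4:]                      # strip the NetBIOS header
    if smb[:4] == b"\xfeSMB":
        return "smb2"
    if smb[:4] != b"\xffSMB" or smb[4] != SMB_COM_NEGOTIATE:
        return "unknown"
    word_count = smb[32]
    if word_count == 0:
        return "unknown"
    (dialect_index,) = struct.unpack_from("<H", smb, 33)   # first parameter word
    return "smb1-rejected" if dialect_index == 0xFFFF else "smb1"


def probe_smb1(host, port=445, timeout=3.0):
    """Send the request to a live host (assumed host/port); returns the
    classification, or 'unreachable' / 'closed' when no SMB reply comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate_request())
            reply = s.recv(1024)
    except OSError:
        return "unreachable"
    return parse_negotiate_response(reply) if reply else "closed"


def constructed_response(word_count, dialect_index):
    """Constructed (not captured) server reply, used to exercise the parser offline."""
    header = struct.pack("<4sBIBHHQHHHHH", b"\xffSMB", SMB_COM_NEGOTIATE, 0,
                         0x98, 0xC801, 0, 0, 0, 0, 0xFEFF, 0, 0)   # 0x80 = reply flag
    words = struct.pack("<H", dialect_index) + b"\x00" * (2 * word_count - 2)
    body = struct.pack("<B", word_count) + words + struct.pack("<H", 0)
    smb = header + body
    return struct.pack(">I", len(smb)) + smb


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, probe_smb1(host))
```

A host that answers "smb1" still exposes the attack surface WannaCry used and is where to verify the MS17-010 patch; "closed", "smb2" or "smb1-rejected" means SMBv1 is off on that host. Only probe hosts you own or are authorized to test.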
3. Check Your Network for Infected Hosts
Kryptos Logic runs a free service called TellTale that tells organizations whether IP addresses they own have been seen beaconing to the kill-switch sinkhole.
It is a quick way for an organization to learn that machines on its IP space are still infected with WannaCry.
Organizations and ISPs should use it to track down and clean infected PCs before an Internet outage actually does occur.
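To get the same kind of figures Hankins reported (beacons and unique source IPs) for your own network, without waiting on an external service, count lookups of the kill-switch domain in your resolver's query log. The added example below is written for this article (it is not from the post, from Kryptos Logic or from TellTale): it parses BIND-style query-log lines. The log lines are constructed, not a real capture, and the domain is a placeholder standing in for the real one.

```python
import re
from collections import Counter

# Placeholder: the real kill-switch domain is deliberately not reproduced.
KILLSWITCH_DOMAIN = "killswitch-placeholder.invalid"

# BIND-style query-log entry: "client [@ptr] IP#port (qname): query: qname IN A ..."
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+ "
    r"\([^)]*\): query: (?P<qname>\S+) IN "
)


def summarize_beacons(lines, domain=KILLSWITCH_DOMAIN):
    """Count lookups of `domain` and the source IPs making them.

    Matching is case-insensitive and ignores a trailing dot, since resolvers
    log the name as the client sent it.
    """
    wanted = domain.lower().rstrip(".")
    per_src = Counter()
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue                                   # not a query-log entry
        if m.group("qname").lower().rstrip(".") != wanted:
            continue                                   # some other domain
        per_src[m.group("src")] += 1
    return {
        "beacons": sum(per_src.values()),              # total lookups seen
        "unique_srcips": len(per_src),                 # distinct clients
        "top": per_src.most_common(),                  # triage list, noisiest first
    }


# Constructed sample log (not a real capture); three hosts beacon, one is clean.
SAMPLE_LOG = [
    "21-Dec-2018 09:00:01.101 client 10.0.3.17#51234 (killswitch-placeholder.invalid): "
    "query: killswitch-placeholder.invalid IN A + (10.0.0.53)",
    "21-Dec-2018 09:00:01.420 client 10.0.3.18#40211 (KILLSWITCH-PLACEHOLDER.INVALID): "
    "query: KILLSWITCH-PLACEHOLDER.INVALID IN A + (10.0.0.53)",
    "21-Dec-2018 09:00:02.003 client 10.0.7.5#53002 (www.example.com): "
    "query: www.example.com IN A + (10.0.0.53)",
    "21-Dec-2018 09:00:31.118 client @0x7f1c0c0a5b60 10.0.3.17#51240 (killswitch-placeholder.invalid): "
    "query: killswitch-placeholder.invalid. IN A +E(0)K (10.0.0.53)",
    "21-Dec-2018 09:01:02.777 client 192.168.5.9#61002 (killswitch-placeholder.invalid): "
    "query: killswitch-placeholder.invalid IN A + (10.0.0.53)",
    "21-Dec-2018 09:01:31.118 client 10.0.3.17#51251 (killswitch-placeholder.invalid): "
    "query: killswitch-placeholder.invalid IN A + (10.0.0.53)",
    "21-Dec-2018 09:02:01.500 client 10.0.3.18#40230 (killswitch-placeholder.invalid): "
    "query: killswitch-placeholder.invalid IN A + (10.0.0.53)",
    "this line is not a query-log entry and is skipped",
]


if __name__ == "__main__":
    summary = summarize_beacons(SAMPLE_LOG)
    print(f"{summary['beacons']} beacons from {summary['unique_srcips']} unique SrcIPs")
    for src, count in summary["top"]:
        print(f"  {src:16s} {count}")
```

As with Hankins' weekly figures, counting by IP overstates the number of hosts under DHCP churn; join the source addresses against DHCP leases to get machine names, then clean those machines.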
The WannaCry and ransomware episode is far from over. As much as I hate to say it, it is very possible that a more advanced ransomware worm, one that does not leave an obvious kill switch in its code, is just around the corner. Next time, I hope we are better prepared to deal with it, and that we remember to keep our software updated.