WannaCry's ghost is still wreaking havoc five years on

A retooled version of the infamous ransomware strain continues to haunt corporate networks around the world

Five years since the infamous WannaCry ransomware strain swept corporate networks globally, we look back on its impact with fresh eyes. In the second of a two-part series, we explore why WannaCry is still so prevalent in certain corners of the world and how we might be able to finally defeat it.

WannaCry will forever be remembered for the damage it inflicted across the world back in 2017. The malware strain arguably put ransomware on the map and although it was by no means infallible, WannaCry’s moment in the sun lasted just a few short weeks for many.

What most people don’t realise, including a number of cyber security experts IT Pro spoke with recently, is that WannaCry is still very much an active participant in the ransomware landscape – a thoroughly dominant one, actually.

What’s more, cyber criminals still using WannaCry have learned from its failures and have come back with reworked, retooled versions that eliminate the ‘low hanging fruit’ kill switch that ultimately proved its downfall five years ago.

Newer ransomware strains and highly organised professional operations have stolen the headlines in recent years, but WannaCry hasn’t died the death many may have assumed. Not by a long shot.

WannaCry detections are still prevalent

Cyber security companies monitor numerous threats around the world to track their popularity and what’s being targeted. This means they can help their customers preempt potential attacks that are known to focus on specific industries, for example. In fact, since WannaCry first burst onto the scene, it’s been the most commonly detected strain in all of Trend Micro’s annual reports.

SonicWall is one such company still tracking WannaCry, although other firms tell IT Pro they have decided to stop monitoring the strain, given the worst of it is over. We may not have seen the same level of destruction as sustained five years ago, but detections remain high.

The 100,000 detections recorded for 2021 represent a sizable dip against the 233,000 hits of 2020, and this data is supported by Trend Micro’s intel too. Despite employing different telemetry configurations, both companies are consistent in the trend they’ve established.

Despite the drop-off, no other ransomware strain comes close to WannaCry – even five years on. ESET data from 2020 suggests WannaCry accounted for as much as 40.5% of all ransomware detections globally and, in 2021, WannaCry was the only ransomware to make Trend Micro’s list of top ten most-used malware strains of the year – coming fourth.

Bharat Mistry, technical director at Trend Micro, offers an insight into why detections are still so high, telling IT Pro hackers may be using WannaCry indiscriminately to pop any computers that have failed to patch against EternalBlue.

“The spray-and-pray approach used by legacy ransomware like WannaCry might account for its large volume of attacks,” he says. “Hackers know that organisations struggle to patch vulnerabilities in a timely manner and they know WannaCry is hugely successful so why reinvent the wheel?

“In terms of its capabilities, there’s nothing that it directly offers; however the concept of using multiple techniques, vulnerability exploitation for self-replication/propagation is used in all modern-day ransomware.”

Who is WannaCry hitting, and where?

The companies still monitoring WannaCry agree that countries in the Americas were seeing the most detections – particularly in South America. Bitdefender tells IT Pro that the highest number of detections are consistently coming from Brazil, Ecuador, and Chile, with Malaysia bucking the trend and keeping WannaCry alive in Southeast Asia. 

Trend Micro’s specialised cyber security report for Latin America and the Caribbean in 2021 also shows WannaCry as the most dominant ransomware strain in the region by some margin, even though it represents a significant reduction against 2020.

“As for the reason why these particular countries are at the top, we can only speculate,” says Martin Zugec, technical solutions director at Bitdefender. “These findings are based on data from our telemetry; other security companies might see a different picture depending on the distribution of their deployments.”

While Zugec was only willing to speculate, other experts have been more forthcoming in their criticisms directed generally at the region for its low levels of cyber preparedness.

Experts told the Atlantic Council think tank in 2021 that a lack of skilled individuals in these regions “is a major inhibitor” and that investment would be best placed on education. Although 15 countries here have national cyber security strategies, only efficient collaboration between the public and private sectors can meaningfully raise cyber resilience. Until both become cyber prepared, the region will continue to be targeted successfully.

“WannaCry was still the most detected ransomware family, maintaining the reign documented in Trend Micro’s roundup reports from recent years,” Trend Micro said in its report, meanwhile. “It remained as such even though it is a relatively old family, considered as pre-modern ransomware, and the malicious actors behind it had not been actively initiating attacks. The persistence of this family shows how a network worm can thrive if devices are not patched properly, if at all.”

Unsurprisingly, given everything we know already, WannaCry also dominated the three industries most affected by ransomware in 2021: government, banking, and healthcare. According to Trend Micro’s telemetry, WannaCry was 177 times more prevalent than second-place GandCrab in government machines – the most targeted sector by ransomware – and 155 times more common than GandCrab, again in second place, in banking. 

Fighting off WannaCry 2.0 

Aside from abusing the still unpatched EternalBlue exploit in certain Windows environments, we do have an understanding of how attackers are executing WannaCry attacks on businesses today. Some experts, bizarrely, suggest the detections seen as recently as this year aren’t even driven by cyber criminals.

“The majority of WannaCry infections in 2022 is likely due to automated campaigns that were never turned off, as opposed to threat actors deliberately using WannaCry to specifically target victims,” says Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows.

“It’s possible that many companies have failed to completely remediate WannaCry from their networks. With WannaCry having the ability to spread automatically, partially remediated systems could be reinfected at a later date.”  

WannaCry’s wormable nature certainly contributed to its effectiveness, and it’s a capability modern strains have emulated, to a degree, according to Analyst1. The cyber security company says the likes of Conti, Ryuk, and LockBit have all implemented automation in their attack chains, although the wormable functionality has largely gone off trend.

WannaCry’s detections have steadily fallen across the globe since 2018, which is good news for companies that, for whatever reason, are still running legacy systems vulnerable to the ghost of WannaCry. As for what kills the virus off for good – nobody can really tell for sure what that will be. Raising the levels of nationwide cyber resilience in the most affected regions, however, may compel attackers to switch off their WannaCry campaigns for good. All we can hope is that it doesn’t take another five years.
