WannaCry – The Worm That Just Won’t Die


Thread author
Staff member
Malware Hunter
Jul 27, 2015
Remember WannaCry? That’s the infamous self-spreading ransomware attack that stormed the world in May 2017.
WannaCry was an unusual strain of ransomware for two main reasons. Unlike most ransomware we’ve seen in the past 30 years (yes, it really is that long!) WannaCry was a computer virus, or more precisely a self-spreading worm, meaning that it replicated all by itself, finding new victims, breaking in and launching on the next computer automatically.
WannaCry broke in across the internet, jumping from network to network and company to company using an exploit – a security bug in Windows that allowed the virus to poke its way in without needing a username or a password. And not just any exploit – WannaCry used an attack called ETERNALBLUE that was allegedly stolen from the US National Security Agency by a hacking crew known as Shadow Brokers.
The good news is that, even back at the time that WannaCry burst onto the internet, a patch to fix the ETERNALBLUE security hole was available, issued two months previously by Microsoft as part of the March 2017 Patch Tuesday update. If you’d patched within the past two months, you were largely immune to WannaCry, and could therefore stand down from red alert.
Well, guess what? Not everyone has patched even now, more than two years later, and WannaCry is not only still alive (and ignoring the kill switch that was designed to stop it), but possibly more alive than ever.


Fortunately, although we’re still seeing huge amounts of WannaCry activity, we aren’t seeing many people actually getting their data scrambled by it. And because people who are infected aren’t themselves visibly being affected by unwanted encryption and ransom demands, they don’t realise they’re being used to spread copies of it.
But how on earth can a destructive virus more than two years old, one that was patched against even before it first appeared, continue to spread like crazy? And how come it’s still alive but no longer drawing attention to itself by leaving a sea of scrambled files and ransom demands in its wake? More importantly, what can we do to stop it now?
The data that our experts analyse in their report is fascinating:
  • More than 12,000 WannaCry variants were found in the wild, two years after the malware was supposedly conquered for good.
  • More than 5,000,000 attempted attacks against unpatched computers were blocked in the last three months of 2018 – and that’s just the ones where Sophos Endpoint Security was installed and reported back to us.
  • More than 97% of unpatched computers under attack were running Windows 7, so this is not just a story about forgotten Windows XP devices.
  • A few people actually paid the ransom even though there’s no point in doing so. The crooks behind the relevant Bitcoin addresses aren’t monitoring payments or providing decryption tools.


Level 27
Top poster
Sep 13, 2018
Bye-bye Windows 7!

Probably many home and enterprise users will continue to run Windows 7 past its expiration date, for many reasons, including financial. Enterprise users, I understand, can pay for security patches for another couple of years. Even worse is that XP is still around and commands up to 4-5% market share, depending on the source. I could only find stats for June 2018 using Bing, but maybe not too much has changed. Does anyone have later statistics? :emoji_pray: