- WannaCry is still alive and every week thousands of people ping the kill-switch domain.
- The company Kryptos Logic still holds the kill-switch domain and monitors the malware, warning the IT world that the ransomware is still alive and well.
- More variants were spewed out by non-original authors, each requiring another domain to be registered, so a rich collection of kill switches is now available.
Almost eighteen months after the first systems were infected with the WannaCry ransomware, researchers say that the malware is still present on many thousands of computers and remains dormant only as long as the domain registration that acts as its kill switch stays in place.
WannaCry was programmed to check whether the domain "iuqerfsodp9ifjaposdfjgosurijfaewrwergwea.com" is registered. If this domain resolves, the ransomware stops the file-encryption process and terminates itself. A team of security researchers at Kryptos Logic analyzed the malware's code and then registered the domain, essentially deactivating the ransomware that had caused major problems in a number of organizations, including the Russian Ministry of the Interior, Chinese universities, Telefonica and many more.
The ransomware was not removed, only deactivated: it keeps checking the domain above to decide whether to reactivate itself or not. In the eighteen months since these events, developers of anti-malware software have had enough time to update their databases and essentially to remove WannaCry and all its encryptor and decryptor modules from infected systems. However, as Kryptos Logic reports, thousands of systems still connect to the "kill-switch" domain. To ensure high availability and adequate protection against DDoS attacks, which by taking the domain offline would essentially reactivate WannaCry, the team decided to host the domain behind Cloudflare.
Jamie Hankins, Head of Security and Threat Intelligence Research at Kryptos Logic, reports that the number of connections to the kill-switch domain reaches 630 thousand unique IP addresses from 194 countries every week. China, Indonesia, Vietnam, India and Russia are the "most infected countries." If the ransomware is activated again, it will spread like wildfire all over the world, because the kill-switch domain is the only thing keeping it from doing so right now. Kryptos Logic suggests that organizations use its "TellTale" service to monitor a range of IP addresses and report their infection status so that further measures can be taken.
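Organizations that do not use an external service can get the same signal from their own DNS resolver logs: any internal host that looks up the kill-switch domain has almost certainly run the WannaCry dropper and is one of the dormant infections described above. The following is an added example, not code from Kryptos Logic or from the article; it assumes a BIND-style query log format ("client <ip>#<port>: query: <name> IN <type>") and uses constructed sample lines. Only the original kill-switch domain named in the article is listed, since the later variants' domains are not given here.

```python
"""
Detection helper: find hosts on an internal network that have queried
the WannaCry kill-switch domain in DNS resolver logs.

Added example, not code from Kryptos Logic or from the article. The log
format is an assumption: one query per line in the style of a BIND query
log ("client <ip>#<port>: query: <name> IN <type>").
"""
import re
from collections import Counter

# The original kill-switch domain registered by Kryptos Logic (from the article).
# Domains used by later variants would be added here; the article does not list
# them, so only the first is included.
KILL_SWITCH_DOMAINS = {
    "iuqerfsodp9ifjaposdfjgosurijfaewrwergwea.com",
}

# Constructed sample log lines for demonstration (not real traffic).
SAMPLE_LOG = """\
12-Nov-2018 09:14:02.113 client 10.0.4.17#51532: query: iuqerfsodp9ifjaposdfjgosurijfaewrwergwea.com IN A +
12-Nov-2018 09:14:05.901 client 10.0.4.22#40211: query: www.example.com IN A +
12-Nov-2018 09:15:10.004 client 10.0.4.17#51533: query: IUQERFSODP9IFJAPOSDFJGOSURIJFAEWRWERGWEA.COM. IN A +
12-Nov-2018 09:16:44.770 client 10.0.9.3#60001: query: iuqerfsodp9ifjaposdfjgosurijfaewrwergwea.com IN A +
12-Nov-2018 09:17:01.250 client 10.0.4.22#40212: query: updates.example.net IN AAAA +
this line is malformed and should be skipped
"""

_QUERY_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<name>\S+) IN (?P<qtype>\w+)"
)


def normalize_name(name):
    """Lower-case and strip the trailing dot so 'EXAMPLE.COM.' matches 'example.com'."""
    return name.lower().rstrip(".")


def parse_query(line):
    """Return (client_ip, qname) for a query log line, or None if it does not match."""
    m = _QUERY_RE.search(line)
    if not m:
        return None
    return m.group("ip"), normalize_name(m.group("name"))


def find_kill_switch_lookups(log_text, domains=KILL_SWITCH_DOMAINS):
    """
    Count kill-switch lookups per client IP.

    A host that resolves the kill-switch domain is not necessarily infected
    (a researcher or scanner might query it deliberately), but on an ordinary
    workstation this lookup is a strong indicator that the WannaCry dropper ran
    and the host should be triaged for the dormant infection.
    """
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if parsed is None:
            continue  # malformed or non-query line
        ip, qname = parsed
        if qname in domains:
            hits[ip] += 1
    return hits


if __name__ == "__main__":
    for ip, n in sorted(find_kill_switch_lookups(SAMPLE_LOG).items()):
        print(f"{ip}\t{n} kill-switch lookup(s)")
```

Case-folding and stripping the trailing dot matter in practice: resolvers log the name as the client sent it, and the dropper's lookup may appear with either form. Repeated lookups from one address over days, rather than a single query, are the pattern that distinguishes a dormant infection from a one-off curiosity check.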
Figure: WannaCry data from Kryptos Logic
While the original malware author has not released a WannaCry update with a different kill-switch domain or no kill switch at all, others have done so accidentally or deliberately, so there is now a comprehensive list of kill-switch domains that keep everything inactive. If the original author decides to restart the malware without a kill switch, which really should be trivial, infection rates may get worse.