Sophos report finds thousands of live variants of the 2017 WannaCry virus

  • Cyber-security firm Sophos reports that thousands of variants of the virus responsible for the 2017 WannaCry ransomware attack are still in the wild, and many computers still aren't protected against it.

    Back in May 2017, a piece of ransomware named WannaCry spread across the internet like wildfire, crippling computer systems around the world. The attack famously affected the computer systems of NHS hospitals in the UK, locking hospitals out of their patient records and highlighting the extremely poor state of cyber-security in some of the country's most critical computer systems.

    WannaCry exploited a vulnerability to infect PCs and then encrypted all of their files before demanding a payment in Bitcoin to unlock them. While an emergency security patch was released for the vulnerability, the program continued to spread as many organisations weren't updating their systems. A security researcher also discovered a kill-switch that had been programmed into the virus and successfully shut it down.

    Cyber-security firm Sophos has now released its WannaCry Aftershock report tracking the evolution of the WannaCry virus, which has been modified and re-deployed by attackers around the world since 2017 and is still infecting computers today. The original infection hit over 200,000 machines in 150 countries, with damages estimated to be in the hundreds of millions of US dollars.

    The Sophos report shows that detections of the virus remain in the millions, with 4.3 million infection attempts stopped in August 2019. The firm catalogued 12,480 unique variants of the virus in late 2018 and 6,963 in August 2019 alone, of which 80% were completely new variants. Attackers have even managed to bypass the "kill switch" discovered by a security researcher in 2017.

    The report also highlights a bizarre side-effect of WannaCry infection: those infected with the original, killed-off strain may be effectively vaccinated against future attacks. This happens because the ransomware first detects whether a computer is already infected before it activates, so computers infected with the original disabled worm are now immune to most of the new variants. Many of the new variants were also corrupted and unable to encrypt data.

    Sophos security specialist Peter Mackenzie had some sobering words about the large number of computers still vulnerable to the attack: “The WannaCry outbreak of 2017 changed the threat landscape forever. Our research highlights how many unpatched computers are still out there, and if you haven’t installed updates that were released more than two years ago – how many other patches have you missed?”

    Source: WannaCry Aftershock report, Header Image (c) Sophos

    About the author

    Brendan is a Sync NI writer with a special interest in the gaming sector, programming, emerging technology, and physics. To connect with Brendan, feel free to send him an email or follow him on Twitter.
