The infamous WannaCry ransomware that was thrust into the public spotlight in May 2017 is not only still around but also still targeting more computers than ever.
The finding comes today from a report by security firm Sophos Group plc, which has found that, two years on, modified WannaCry variants are still causing headaches for information technology administrators and security analysts. The research found that the WannaCry threat remains rampant, with millions of infection attempts stopped every month, and that although the original malware has not been updated, many thousands of variants are in the wild.
Indeed, the number of WannaCry variants is staggering: Sophos Labs has detected 12,480 variants of the original code to date. Some 2,700 samples, accounting for 98% of detections, have evolved to bypass the kill switch that brought the original WannaCry ransomware to a halt.
In August 2019 alone, Sophos telemetry detected 4.3 million instances of WannaCry. The number of different variants observed came in at 6,963. Of those, 5,555, or 80 percent, were new files.
Researchers did find that the way in which WannaCry infects new victims can provide users with protection. WannaCry variants check to see if a computer is already infected and, if so, move on to another target. This leaves behind an infection by an inert version of the malware that actually protects the device from being infected by active strains in the future. The researchers dub the process an "accidental vaccine."
"The WannaCry outbreak of 2017 changed the threat landscape forever," Peter Mackenzie, security specialist at Sophos, said in a statement. "Our research highlights how many unpatched computers are still out there, and if you haven’t installed updates that were released more than two years ago – how many other patches have you missed?"
In this case, he added, "some victims have been lucky because variants of the malware immunized them against newer versions. But no organization should rely on this. Instead, standard practice should be a policy of installing patches whenever they are issued, and a robust security solution in place that covers all endpoints, networks and systems."