Connect with us

Hi, what are you looking for?

HEADLINES

Sophos tracks evolution of WannaCry

The research by SophosLabs shows that the WannaCry threat remains rampant, with millions of infection attempts stopped every month, and that while the original malware has not been updated, many thousands of short-lived variants are in the wild.

Sophos published WannaCry Aftershock, a report on what happened to the infamous WannaCry malware, following the worldwide attack that began on May 12, 2017.

The research by SophosLabs shows that the WannaCry threat remains rampant, with millions of infection attempts stopped every month, and that while the original malware has not been updated, many thousands of short-lived variants are in the wild.

The continued existence of the WannaCry threat is largely due to the ability of these new variants to bypass the ‘kill switch.’  However, when Sophos researchers analyzed and executed a number of variant samples, they found that their ability to encrypt data was neutralized as a result of code corruption.

Because of the way in which WannaCry infects new victims – checking to see if a computer is already infected and, if so moving on to another target – infection by an inert version of the malware effectively protects the device from being infected with the active strain. In short, new variants of the malware act as an accidental vaccine, offering still unpatched and vulnerable computers a sort of immunity from subsequent attack by the same malware.

Advertisement. Scroll to continue reading.

However, the very fact that these computers could be infected in the first place suggests the patch against the main exploit used in the WannaCry attacks has not been installed – a patch that was released more than two years ago.

The original WannaCry malware was detected just 40 times and since then SophosLabs researchers have identified 12,480 variants of the original code. Closer inspection of more than 2,700 samples (accounting for 98 percent of the detections) revealed they had all evolved to bypass the ‘kill switch’ – a specific URL that, if the malware connects to it, automatically ends the infection process – and all had a corrupted ransomware component and were unable to encrypt data.

In August 2019, Sophos telemetry detected 4.3 million instances of WannaCry. The number of different variants observed was 6,963. Of these, 5,555 or 80 percent – were new files.

Sophos researchers have also traced the first appearance of today’s most widespread corrupted variant back to just two days after the original attack: May 14, 2017, when it was uploaded to VirusTotal, but had not yet been seen in the wild.

“The WannaCry outbreak of 2017 changed the threat landscape forever. Our research highlights how many unpatched computers are still out there, and if you haven’t installed updates that were released more than two years ago – how many other patches have you missed? In this case, some victims have been lucky because variants of the malware immunized them against newer versions. But no organization should rely on this. Instead, standard practice should be a policy of installing patches whenever they are issued, and a robust security solution in place that covers all endpoints, networks and systems,” said Peter Mackenzie, security specialist at Sophos and lead author of the research.

Advertisement. Scroll to continue reading.

How to protect against WannaCry malware and ransomware in general:

  • Check that you have a full inventory of all devices connected to your network and that they are all up to date in terms of their security software
  • Always install the latest patches as soon as they are released on all the devices on your network
  • Verify if your computers are patched against the EternalBlue exploit used in WannaCry by following these instructions: How to Verify if a Machine is Vulnerable to EternalBlue – MS17-010
  • Keep regular backups of your most important and current data on an offline storage device as the best way to avoid having to pay a ransom when affected by ransomware 
  • There is no silver bullet to security, and a layered security model is the best practice all businesses need to implement
  • For example, Sophos Intercept X  employs a comprehensive defense-in-depth approach to endpoint protection, combining multiple leading next-gen techniques to deliver malware detection, exploit protection and built-in endpoint detection and response (EDR)

Advertisement
Advertisement
Advertisement

Like Us On Facebook

You May Also Like

HEADLINES

The attackers used a series of campaigns with novel exploits and customized malware to embed tools to conduct surveillance, sabotage and cyberespionage as well...

HEADLINES

Financial phishing attacks are rapidly increasing in the country as cybercriminals continuously evolve and adapt their tactics, making them sophisticated. The number of attacks...

HEADLINES

A Scale of Harm study by the International Justice Mission revealed that almost half a million Filipino children were trafficked to produce new child...

HEADLINES

Yondu launched an extensive, month-long cybersecurity awareness campaign focused on modern threat detection, incident response, and social engineering defense.

ELECTRONICS

Philips EasyKey partnered with Megaworld and equipped their world-class properties with only the best-in-class smart locks we have on offer, the Philips EasyKey 9300.

HEADLINES

The rising rate of ransomware attacks against healthcare institutions contrasts with the declining rate of ransomware attacks across sectors; the overall rate of ransomware...

HEADLINES

The PLDT wireless unit is also calling on customers to report these messages to Smart’s HULISCAM portal for further action.

HEADLINES

The all-cash transaction is valued at approximately $859 million. Sophos is backed by Thoma Bravo, a leading software investment firm.

Advertisement