WannaCry attempts surge in August

The threat from WannaCry remains rampant, with millions of infection attempts stopped every month, according to SophosLabs.

The latest research shows that while the original malware has not been updated, many thousands of short-lived variants are in the wild.

Last August, Sophos-protected endpoints stopped 4.3 million WannaCry infection attempts worldwide. Of these, 4.1 percent were located in Singapore, which ranked ninth worldwide in terms of the number of attempts that Sophos stopped.

Other Asian countries in the top 10 are India (2nd behind the United States), Indonesia (5th), the Philippines (7th), and China (10th).

According to SophosLabs, the continued existence of the WannaCry threat is largely due to the ability of these new variants to bypass the “kill switch.” However, when Sophos researchers analysed and executed a number of variant samples, they found that their ability to encrypt data was neutralised as a result of code corruption.

Because of the way in which WannaCry infects new victims – checking to see if a computer is already infected and, if so moving on to another target – infection by an inert version of the malware effectively protects the device from being infected with the active strain.

In short, new variants of the malware act as an accidental vaccine, offering still unpatched and vulnerable computers a sort of immunity from subsequent attack by the same malware.

Still, that these computers could be infected in the first place suggests the patch against the main exploit used in the WannaCry attacks has not been installed — a patch that was released more than two years ago.

The original WannaCry malware was detected just 40 times and since then SophosLabs researchers have identified 12,480 variants of the original code.

Closer inspection of more than 2,700 samples (accounting for 98 per cent of the detections) revealed they had all evolved to bypass the “kill switch” — a specific URL that, if the malware connects to it, automatically ends the infection process — and all had a corrupted ransomware component and were unable to encrypt data.