WannaCry is Still Active in Hundreds of Thousands of Computers

AlphaAtlas

Citing posts by security researcher Jamie Hankins on Twitter, Bleepingcomputer reports that WannaCry ransomware is still active, but dormant, on thousands of computers across the world. Jamie Hankins reportedly contained the infection last year by setting up a "kill switch" domain in 2017. As long as infected computers can periodically ping this domain, WannaCry stays dormant. The kill switch domain, which is apparently hosted by Cloudflare now, reportedly received 17 million beacons from over 630,000 unique IPs in a one-week period. While these connections came from 194 countries, around half of them originated in China, Indonesia, and Vietnam.

The fact that so many computers are still infected with this malware is a major problem. All you need is an Internet outage to occur and for the kill switch domain to no longer be accessible for the ransomware to kick in. To prevent this from happening, Hankins suggests the use of their TellTale service to look up and make sure their IP addresses are not known to be infected with the WannaCry infection.
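The beaconing behaviour described in the post is also what a defender can look for on their own network: a host that keeps resolving the kill switch domain is almost certainly carrying a dormant infection and should be isolated and patched before the domain ever becomes unreachable. The following is an added example, not code from the article, Hankins, or anyone in the thread; the domain name, the log lines and the log format ("timestamp client-ip queried-name") are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Placeholder only: substitute the published kill switch domain(s) here.
KILL_SWITCH_DOMAINS = {"killswitch-domain.example"}

# Assumed (constructed) resolver log format: "<ISO timestamp> <client ip> <queried name>"
LOG_LINE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+?)\.?$")


def parse_line(line):
    """Return (timestamp, client_ip, qname) or None if the line does not match the format."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1))
    # Lower-case and strip the trailing dot so "EXAMPLE.COM." compares equal to "example.com".
    return ts, m.group(2), m.group(3).lower()


def find_beaconing_hosts(lines, domains=KILL_SWITCH_DOMAINS):
    """Group kill switch lookups by client IP: {ip: {"count", "first", "last"}}."""
    hosts = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, qname = parsed
        if qname not in domains:
            continue
        h = hosts[ip]
        h["count"] += 1
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
    return dict(hosts)


# Constructed sample log: two hosts beacon to the kill switch, one of them twice.
SAMPLE_LOG = """\
2018-12-01T08:00:01 10.20.30.40 www.example.com
2018-12-01T08:00:05 10.20.30.41 killswitch-domain.example
2018-12-01T08:00:06 10.20.30.42 update.example.net
2018-12-01T09:00:07 10.20.30.41 KILLSWITCH-DOMAIN.EXAMPLE.
2018-12-01T09:15:00 10.20.30.55 killswitch-domain.example
garbage line that should be skipped
""".splitlines()

if __name__ == "__main__":
    for ip, info in sorted(find_beaconing_hosts(SAMPLE_LOG).items()):
        print(f"{ip}: {info['count']} lookup(s) between {info['first']} and {info['last']}")
```

Every IP it reports is a machine that is still infected and merely dormant, which is exactly the population the article says would be hit if the domain dropped offline.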
 
The company that I work for had a scare with this pretty recently... I would say that manufacturing companies are at a fairly high risk still since their process control networks tend to be populated with older and likely unpatched machines. If the networks aren't set up properly (in my experience that isn't uncommon), then you can see rampant infections due to one breach. Fortunately for us, those process control devices (at my site) didn't suffer any downtime as our security guys responded pretty quickly (after the first plant had an issue), and I ended up with a decent chunk of OT from the incident.
 
It's almost like those victims are running unpatched, pirated Windows.

Zfg
Running Vista 32 on a loaner laptop I reinstalled 8 years ago (thought I activated it back then) that's not registered because I'm too lazy to do a clean install today with the key it still has. :p
 
Can we not detect Chinese IPs and route them so the virus goes active again?

They are pretty much hacking us daily with no recourse.
 
It's almost like those victims are running unpatched, pirated Windows.
If only, pirated Windows 10 could get so popular if it actually put a limit on Windows Update.

(not that anyone really needs to "pirate" Windows 10)
 
The company that I work for had a scare with this pretty recently... I would say that manufacturing companies are at a fairly high risk still since their process control networks tend to be populated with older and likely unpatched machines. If the networks aren't set up properly (in my experience that isn't uncommon), then you can see rampant infections due to one breach. Fortunately for us, those process control devices (at my site) didn't suffer any downtime as our security guys responded pretty quickly (after the first plant had an issue), and I ended up with a decent chunk of OT from the incident.

Same here. It hit one of my customer's process control networks at multiple sites. The customer's IT department said that it must have been a contractor that did it.... Nope. All your process control networks are connected to your business network, and for the virus to hit 4 sites in 3 days, I don't believe you.

I have one customer site that is using a DELL 486DX to run our systems. They don't want to spend the money to upgrade. I didn't get to see what version of Windows they had, but I know it isn't anything new.
 
I'm almost starting to think that if there is a network outage and this domain goes down, and these 630k computers that are infected get screwed, that this is a good thing.

We have a real problem with people not taking security and patching seriously. Maybe this could change people's minds.

The number one priority, above performance, convenience or anything else, should be to make sure all of your software, OS included, has the latest security patches, and that you run periodic scans for malware and viruses.

The message needs to be "Patch or GTFO the Internet."
 
Because people don't update OS patches or bother to run updated AV software.

I have one customer site that is using a DELL 486DX to run our systems. They don't want to spend the money to upgrade. I didn't get to see what version of Windows they had, but I know it isn't anything new.

$2 says Win 98 or NT 4. Anything newer won't run on a 486 without serious modification.

OTOH if it's some ancient Linux/Unix build that only does simple tasks.... don't touch it.
 
Because people don't update OS patches or bother to run updated AV software.

$2 says Win 98 or NT 4. Anything newer won't run on a 486 without serious modification.

OTOH if it's some ancient Linux/Unix build that only does simple tasks.... don't touch it.
As somebody who is still legally required to operate an NT4 server for our old pension data, I can confirm it runs fine in VirtualBox. I have not been able to get it running in Hyper-V or VMware.
 
Uh huh. So is American a race to you too then?

A race is a grouping of people by physical or social qualities according to Wikipedia. So yes, I would class Chinese as a race as much as I would class Americans as a race of people.
 
In related news, the Kazaa and Napster networks came back online allowing for free sharing of music and media.

"We believe that with the resurgence of these two entities piracy will increase by as much as .0001% over current levels."
 
A race is a grouping of people by physical or social qualities according to Wikipedia. So yes, I would class Chinese as a race as much as I would class Americans as a race of people.
That's why we have "African-Americans", "Japanese-Americans", etc. :D
I get what you mean, though. ;)
 
Christ now i can't even peruse tech forums without this race shit. Pisses me off, now i have to fire up COD: WAW.
 