China, U.S. Most Affected by WannaCry Ransomware

New data released by security company Kryptos Logic reveals that China and the United States were affected the most by the WannaCry outbreak over the past weeks.

The WannaCry ransomware made a name for itself on May 12, when it started spreading like wildfire by leveraging an NSA-linked exploit called EternalBlue. Within days it had already hit hundreds of thousands of computers, medical devices, and other types of machines worldwide, mainly those running Windows 7.

While initial estimates suggested that WannaCry might have hit around 200,000 devices, Kryptos Logic now says that approximately 727,000 unique IP addresses are confirmed victims of the ransomware. The exact number of infected machines, however, still remains unknown.

According to Kryptos Logic, which operates the main WannaCry sinkhole domain, there are around 2 to 3 million affected systems that haven’t been disrupted by the payload. The security company also estimates between 14 to 16 million infections and reinfections that have been mitigated since May 12.

What stopped the infection to spread further was the registration of a kill-switch domain hardcoded in the ransomware. The domain was meant as a sandbox-evasion technique, but proved the best mitigation option: upon system compromise, the malware would attempt a connection to the hardcoded domain and expected no response; if a response was received, it would terminate itself and not infect the machine.

“We observed WannaCry reached over 9,500 unique ISP and/or organization IP WHOIS registrations, 8,900 cities, 90 countries with a measurable (1000+ uniques) impact, and some infection traces reaching virtually all countries worldwide,” Kryptos Logic said.

Data aggregated from the sinkhole allowed the security company to create a graph of the top most affected countries by unique IP address count, and China is placed first, with 6.26 million hits (infection and reinfection attempts) registered in 2 weeks. Second is the United States, with over 1.17 million hits, while Russia was the third most affected country, with just over 1 million hits.

While the WannaCry attack started to unfold on May 12, however, China started to register a sharp increase in hits only on May 15, and peaked on May 18. Following several days of regression, the sinkhole registered a massive jump on May 22-May 23.

The aforementioned EternalBlue exploit allowed the ransomware to propagate fast, as each of the infected machines would turn into a bot and immediately started scanning for other vulnerable systems connected to the Internet. Basically, the more infected machines, the faster the attack would propagate to new systems.

“What this tells us is the real reason WannaCry was so dangerous, velocity. Velocity was so high that within one week it could propagate more than every spam campaign, exploit kit, website hijack, you name it attack type using a single vulnerability. We can only imagine the damage this worm would have unleashed had it been used while EternalBlue was still a zero-day vulnerability (not fixed by Microsoft),” Kryptos Logic points out.

The question that remains unanswered to date is who was behind this attack. Some evidence suggests that a North Korean-linked hacking group known as Lazarus might have created the first WannaCry version, which emerged in February, while other clues point to Chinese-speaking authors. One expert suggested that the motive behind WannaCry was currency manipulation, with Bitcoin being the real target.

Related: Can We Ever be Prepared for the Next WannaCry?

Related: The Impact of WannaCry on the Ransomware Conversation