Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

China, U.S. Most Affected by WannaCry Ransomware

New data released by security company Kryptos Logic reveals that China and the United States were affected the most by the WannaCry outbreak over the past weeks.

New data released by security company Kryptos Logic reveals that China and the United States were affected the most by the WannaCry outbreak over the past weeks.

The WannaCry ransomware made a name for itself on May 12, when it started spreading like wildfire by leveraging an NSA-linked exploit called EternalBlue. Within days it had already hit hundreds of thousands of computers, medical devices, and other types of machines worldwide, mainly those running Windows 7.

While initial estimates suggested that WannaCry might have hit around 200,000 devices, Kryptos Logic now says that approximately 727,000 unique IP addresses are confirmed victims of the ransomware. The exact number of infected machines, however, still remains unknown.

According to Kryptos Logic, which operates the main WannaCry sinkhole domain, there are around 2 to 3 million affected systems that haven’t been disrupted by the payload. The security company also estimates between 14 to 16 million infections and reinfections that have been mitigated since May 12.

What stopped the infection to spread further was the registration of a kill-switch domain hardcoded in the ransomware. The domain was meant as a sandbox-evasion technique, but proved the best mitigation option: upon system compromise, the malware would attempt a connection to the hardcoded domain and expected no response; if a response was received, it would terminate itself and not infect the machine.

“We observed WannaCry reached over 9,500 unique ISP and/or organization IP WHOIS registrations, 8,900 cities, 90 countries with a measurable (1000+ uniques) impact, and some infection traces reaching virtually all countries worldwide,” Kryptos Logic said.

Data aggregated from the sinkhole allowed the security company to create a graph of the top most affected countries by unique IP address count, and China is placed first, with 6.26 million hits (infection and reinfection attempts) registered in 2 weeks. Second is the United States, with over 1.17 million hits, while Russia was the third most affected country, with just over 1 million hits.

While the WannaCry attack started to unfold on May 12, however, China started to register a sharp increase in hits only on May 15, and peaked on May 18. Following several days of regression, the sinkhole registered a massive jump on May 22-May 23.

Advertisement. Scroll to continue reading.

The aforementioned EternalBlue exploit allowed the ransomware to propagate fast, as each of the infected machines would turn into a bot and immediately started scanning for other vulnerable systems connected to the Internet. Basically, the more infected machines, the faster the attack would propagate to new systems.

“What this tells us is the real reason WannaCry was so dangerous, velocity. Velocity was so high that within one week it could propagate more than every spam campaign, exploit kit, website hijack, you name it attack type using a single vulnerability. We can only imagine the damage this worm would have unleashed had it been used while EternalBlue was still a zero-day vulnerability (not fixed by Microsoft),” Kryptos Logic points out.

The question that remains unanswered to date is who was behind this attack. Some evidence suggests that a North Korean-linked hacking group known as Lazarus might have created the first WannaCry version, which emerged in February, while other clues point to Chinese-speaking authors. One expert suggested that the motive behind WannaCry was currency manipulation, with Bitcoin being the real target.

Related: Can We Ever be Prepared for the Next WannaCry?

Related: The Impact of WannaCry on the Ransomware Conversation

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Madhu Gottumukkala has been named Deputy Director of the cybersecurity agency CISA.

Wendi Whitmore has taken the role of Chief Security Intelligence Officer at Palo Alto Networks.

Phil Venables, former CISO of Google Cloud, has joined Ballistic Ventures as a Venture Partner.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.