Connect with us

Hi, what are you looking for?



China, U.S. Most Affected by WannaCry Ransomware

New data released by security company Kryptos Logic reveals that China and the United States were affected the most by the WannaCry outbreak over the past weeks.

New data released by security company Kryptos Logic reveals that China and the United States were affected the most by the WannaCry outbreak over the past weeks.

The WannaCry ransomware made a name for itself on May 12, when it started spreading like wildfire by leveraging an NSA-linked exploit called EternalBlue. Within days it had already hit hundreds of thousands of computers, medical devices, and other types of machines worldwide, mainly those running Windows 7.

While initial estimates suggested that WannaCry might have hit around 200,000 devices, Kryptos Logic now says that approximately 727,000 unique IP addresses are confirmed victims of the ransomware. The exact number of infected machines, however, still remains unknown.

According to Kryptos Logic, which operates the main WannaCry sinkhole domain, there are around 2 to 3 million affected systems that haven’t been disrupted by the payload. The security company also estimates between 14 to 16 million infections and reinfections that have been mitigated since May 12.

What stopped the infection to spread further was the registration of a kill-switch domain hardcoded in the ransomware. The domain was meant as a sandbox-evasion technique, but proved the best mitigation option: upon system compromise, the malware would attempt a connection to the hardcoded domain and expected no response; if a response was received, it would terminate itself and not infect the machine.

“We observed WannaCry reached over 9,500 unique ISP and/or organization IP WHOIS registrations, 8,900 cities, 90 countries with a measurable (1000+ uniques) impact, and some infection traces reaching virtually all countries worldwide,” Kryptos Logic said.

Data aggregated from the sinkhole allowed the security company to create a graph of the top most affected countries by unique IP address count, and China is placed first, with 6.26 million hits (infection and reinfection attempts) registered in 2 weeks. Second is the United States, with over 1.17 million hits, while Russia was the third most affected country, with just over 1 million hits.

Advertisement. Scroll to continue reading.

While the WannaCry attack started to unfold on May 12, however, China started to register a sharp increase in hits only on May 15, and peaked on May 18. Following several days of regression, the sinkhole registered a massive jump on May 22-May 23.

The aforementioned EternalBlue exploit allowed the ransomware to propagate fast, as each of the infected machines would turn into a bot and immediately started scanning for other vulnerable systems connected to the Internet. Basically, the more infected machines, the faster the attack would propagate to new systems.

“What this tells us is the real reason WannaCry was so dangerous, velocity. Velocity was so high that within one week it could propagate more than every spam campaign, exploit kit, website hijack, you name it attack type using a single vulnerability. We can only imagine the damage this worm would have unleashed had it been used while EternalBlue was still a zero-day vulnerability (not fixed by Microsoft),” Kryptos Logic points out.

The question that remains unanswered to date is who was behind this attack. Some evidence suggests that a North Korean-linked hacking group known as Lazarus might have created the first WannaCry version, which emerged in February, while other clues point to Chinese-speaking authors. One expert suggested that the motive behind WannaCry was currency manipulation, with Bitcoin being the real target.

Related: Can We Ever be Prepared for the Next WannaCry?

Related: The Impact of WannaCry on the Ransomware Conversation

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...