There have been almost 1 billion WannaCry infections, and they're still growing

If it hadn't been neutralised, the malware would have cost tens of billions of dollars, says Kryptos Logic

WannaCry was perhaps the most impactful cyber attack to hit the world in history, affecting thousands of organisations, including hospitals, banks and factories. Marcus Hutchins, a researcher employed by Kryptos Logic, found and registered the domain that the malware was pinging in days - effectively neutering the attack, and providing the company with a tool to review WannaCry's potential.

Kryptos Logic has been monitoring the domain for the last seven months, tracking potential and repeat infections to determine the scale of the attack and analyse how easy it now is to begin and maintain ‘a global security crisis'.

At the time of writing, the killswitch has been pinged about 900 million times (although many of these were due to IP churn like reboots of infected machines), and Kryptos' servers have been attacked in multiple revenge hacks.

These pings can come from multiple sources (old Windows images and legacy deployments, residual infections and sporadic outbreaks in large firms from the original internet scanning utility) and the rate has been growing over time; there are at least 100 million total hits each month.

Interestingly, the highest spike in infections came months after the malware was neutralised, on the the 24th July, which Kryptos puts down to ‘firewall...or infrastructure changes' at ‘a well-known US cloud services provider'.

By analysing the infections and their source, Kryptos estimates that WannaCry, had it not been stopped, could have cost ‘tens of billions of dollars'. The result would have been even worse had it been released as a zero day vulnerability when Eternalblue was first stolen.

The Blame Game

Attribution is a nightmare when it comes to global attacks like WannaCry (unless they come from Russia), although the possibility of it being a state-sponsored attack from North Korea has been bandied about for months. It was only this week that the USA officially laid the hack at Kim's feet, calling North Korea "directly responsible."

Tom Bossert, homeland security adviser to President Donald Trump, said: "North Korea has acted especially badly, largely unchecked, for more than a decade, and its malicious behaviour is growing more egregious." He added, "WannaCry was indiscriminately reckless."

North Korea is often cited as the source of state-sponsored cyber terrorism, even though its resources - in terms of both infrastructure, skills and finances - are under more strain than other countries. This demonstrates the relative ease with which a global attack like WannaCry can be arranged, with Kryptos writing:

‘Where there used to be a significant entry barrier required to match the capabilities of well-funded nation-states focused on socioeconomic topics and corporate espionage, we find ourselves in a disrupted landscape, defending against a new trend - wiper components - which is difficult to track, relatively low budget, and requires minimal resources to do damage on a global scale.

‘Given reports affirming North Korea is responsible, it would be a clear example of the possibility of the type of potential digital warfare we could anticipate in the future - attacks that are indiscriminate, impactful and reckless in nature, as the design intent of WannaCry indisputably perpetuates.'