Kryptos Logic, the cyber-security firm running the main WannaCry sinkhole, announced today plans to allow organizations access to some of the WannaCry sinkhole data.
The security firm cites recurring WannaCry ransomware infections that are still taking place at various companies, even eleven months after the first WannaCry outbreak in May 2017.
For example, Boeing, Connecticut state agencies, Honda, and Victoria state police suffered WannaCry infections long after Kryptos Logic researcher Marcus "MalwareTech" Hutchins registered the WannaCry killswitch domain, effectively stopping the global outbreak on May 12, last year.

Unpatched systems keep WannaCry alive

Since then, new WannaCry infections have been popping up at organizations here and there, while traffic to the killswitch domain has shown "little signs of slowing down," according to Kryptos Logic.
"We estimate [...][that] hundreds of thousands of untreated and dormant Microsoft Windows infections maintain a foothold and are responsible for the residual and continued propagation of WannaCry," researchers said today.
The reason WannaCry continues to cause problems is that many organizations have not patched their Windows systems with the MS17-010 security update, which closes the vulnerability used by EternalBlue, the exploit at the heart of WannaCry's self-spreading module.
This wouldn't be a big issue if the configuration of some enterprise networks didn't accidentally or temporarily block access to the WannaCry sinkhole/killswitch domain. When that happens, WannaCry switches from SMB self-spreading worm behavior to actual ransomware and starts encrypting files.
Kryptos Logic launches Telltale
To address this issue, Kryptos Logic released today a tool named Telltale that offers organizations access to free WannaCry sinkhole data and additional tools.
Companies can use Telltale to monitor their IP address ranges for hits to the WannaCry sinkhole, which in turn allows system administrators to track down machines on their network that are infected by the WannaCry worm. These machines are infecting other unpatched systems, or could, at any time, turn into an internal ransomware outbreak, similar to what happened at Honda or Boeing this past year.
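The same check can be run in-house against proxy logs: any internal host reaching for the killswitch domain is a live WannaCry infection, and any host whose lookup was blocked is exactly the case described above where the worm falls through to its ransomware payload. The script below is an added example, not Kryptos Logic's or Telltale's code; the log format, the organization's address ranges and the sample lines are constructed, and the killswitch domain is a placeholder rather than the real value.

```python
import ipaddress
import re
from collections import defaultdict

# Placeholder only: substitute the real WannaCry killswitch domain when running this.
KILLSWITCH_DOMAIN = "killswitch-domain.example"

# Hypothetical proxy log format: "<timestamp> <client_ip> <host> <ALLOW|BLOCK>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<action>ALLOW|BLOCK)$")

# Constructed sample: two internal hosts beacon to the killswitch; one external client is noise.
SAMPLE_LOG = [
    "2018-03-30T10:00:01Z 10.20.5.17 killswitch-domain.example ALLOW",
    "2018-03-30T10:00:07Z 10.20.5.17 killswitch-domain.example ALLOW",
    "2018-03-30T10:01:12Z 10.20.9.44 killswitch-domain.example BLOCK",
    "2018-03-30T10:01:13Z 10.20.5.17 www.example.com ALLOW",
    "2018-03-30T10:02:30Z 203.0.113.8 killswitch-domain.example ALLOW",
    "2018-03-30T10:03:00Z 10.20.9.44 killswitch-domain.example ALLOW",
]
ORG_RANGES = ["10.20.0.0/16"]  # constructed: the address space being monitored


def find_killswitch_hits(log_lines, org_ranges, domain=KILLSWITCH_DOMAIN):
    """Return {client_ip: {"hits": n, "blocked": m}} for in-scope hosts that contacted the domain."""
    nets = [ipaddress.ip_network(r) for r in org_ranges]
    hits = defaultdict(lambda: {"hits": 0, "blocked": 0})
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m or m["host"].lower() != domain:
            continue
        try:
            ip = ipaddress.ip_address(m["client"])
        except ValueError:
            continue  # malformed client field; skip rather than crash on a dirty log
        if not any(ip in net for net in nets):
            continue  # not one of our hosts
        rec = hits[str(ip)]
        rec["hits"] += 1
        if m["action"] == "BLOCK":
            rec["blocked"] += 1  # killswitch unreachable: encryption would have proceeded
    return dict(hits)


def at_risk_hosts(hits):
    """Infected hosts whose killswitch check was blocked at least once; patch and clean these first."""
    return sorted(ip for ip, rec in hits.items() if rec["blocked"] > 0)


if __name__ == "__main__":
    found = find_killswitch_hits(SAMPLE_LOG, ORG_RANGES)
    for ip, rec in sorted(found.items()):
        print(f"{ip}: {rec['hits']} killswitch contacts, {rec['blocked']} blocked")
    print("ransomware-risk hosts:", at_risk_hosts(found))
```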
"To be clear, an enterprise with no detectable WannaCry infections can still be reasonably susceptible to an outbreak at any given moment if patching is incomplete," Kryptos researchers say.
"A key takeaway is millions of actively infected WannaCry devices continue to relentlessly work to infect unpatched Windows systems. Most of these attack efforts go unnoticed due to the kill-switch and corporate proxies mitigating the ransom payload. However, any number of common failures can result in an outbreak, one where the ransom payload will not be mitigated." The same advice given last year regarding mitigating WannaCry still stands today. Patch and get it over with!