WannaCry ransomware is still infecting PCs - and some victims are still trying to pay the ransom

More than two years on from the global outbreak, WannaCry ransomware is still spreading - and sometimes still successful at infecting users.
Written by Danny Palmer, Senior Writer

Over two years on from the initial outbreak, WannaCry ransomware is still infecting victims – and some people are still paying the ransom in a futile effort to retrieve their encrypted data.

In May 2017, WannaCry ransomware spread quickly around the world, encrypting networks and taking down services. High-profile targets included the UK's National Health Service (NHS).

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)  

The initial campaign was disrupted when security researchers managed to activate WannaCry's killswitch, meaning that while it still attempted to spread via the use of EternalBlue – a worm-like NSA cyber weapon that cyber criminals took advantage of after it was leaked by hackers – the ransomware itself stopped doing damage for the most part.

But over two years on from the attack – which has been attributed to North Korea – there are still some people out there who are seemingly becoming infected with WannaCry and paying the ransom demand.

Even when WannaCry first hit, paying the ransom didn't solve anything, but researchers at Sophos have detailed how, despite this, the ransomware still appears active, is still occasionally infecting victims – and sometimes, they're paying the ransom demand.

It's possible to see that ransoms are still being paid because the bitcoin accounts associated with the attack are still active and while the payments are anonymous, the transactions are open to the public, so every payment can be seen.

While there's only a handful of people paying up, the payments show that WannaCry is still able to cause problems for users – and that these users are seemingly unaware that the global ransomware attack showed that even those who do pay don't get their files back.

It also demonstrates that despite the WannaCry attack, there are many users out there who still haven't patched their systems against the EternalBlue vulnerability. Not only does this put them at risk of falling victim to WannaCry, but they're at risk of other attacks including cryptojacking or trojan malware campaigns, which have since adopted EternalBlue to help spread.

"When you consider that most home users automatically apply windows updates by default, it is a good guess that it is businesses with slow patching policies who are driving this," Peter Mackenzie, security specialist at Sophos and lead author of the research told ZDNet.

"And if you haven't installed updates that were released more than two years ago – how many other patches have you missed?," he continued, adding standard practice should be a policy of installing patches whenever they are issued, and a robust security solution should be in place that covers all endpoints, networks and systems.

SEE MORE: Ransomware: Cyber-insurance payouts are adding to the problem, warn security experts

Researchers explicitly state that if anyone finds themselves falling victim to WannaCry that they shouldn't pay the ransom because the attackers don't monitor the wallet and won't provide a key in return. Law enforcement and cybersecurity companies also recommend that users don't pay ransoms in general, because it funds cyber-criminal activity.

The United States Department of Justice has charged a North Korean national of being behind the Wannacry attack – but Pyongyang claims the accused doesn't exist.


Editorial standards