That's according to an analysis by researchers at the SANS Institute, who ran an internet scan using the Shodan.io service to find systems that are exposed to the internet and vulnerable to the BlueKeep RDP flaw.
The research aimed to see if recent reports about exploitation had any noticeable effect on how many systems were vulnerable over time. Apparently, not much.
Jan Kopriva details his method for assessing the rate of BlueKeep patching on the SANS Institute's blog. On a positive note, it appears that vulnerable systems have been steadily patched ever since May, when Microsoft released the patch alongside a warning that the flaw was "wormable", meaning it could be exploited by a worm to quickly infect all unpatched machines on a network.
"As we may see, the percentage of vulnerable systems seems to be falling more or less steadily for the past couple of months and it appears that media coverage of the recent campaign didn't do much to help it," he wrote.
But perhaps the failure of these reports to have an impact is not surprising. Researchers detected BlueKeep attacks hitting a honeypot from October 23, but the malware was not a self-propagating worm like WannaCry and only delivered a cryptocurrency miner. The first report of these attacks was on November 2.
The percentage of vulnerable machines is likely to decline again this week after today's Patch Tuesday release from Microsoft.
However, there are still many machines that are ripe for the picking for an attacker who develops a BlueKeep worm.
"Since there still appear to be hundreds of thousands of vulnerable systems out there, we have to hope that the worm everyone expects doesn't arrive any time soon," Kopriva added.
So far, researchers have found that the BlueKeep hackers have been scanning the internet for Windows systems with open RDP ports and using a BlueKeep exploit recently added to the Metasploit penetration testing framework.
Besides media reports of the attacks, Microsoft last week issued a new alert for users and admins to be aware of BlueKeep attacks with worse payloads than coin miners.
But a BlueKeep worm might not be the worst threat to come from BlueKeep. UK researcher Marcus Hutchins, who is credited with stopping the WannaCry outbreak, argues that since most devices vulnerable to BlueKeep are servers, a worm might not be necessary to create havoc.
If an attacker can compromise a network server, it would be easy to use automated tooling to cause the server to deliver ransomware to every system on the same network, he pointed out.