Technology has come a long way. Nothing proves this more convincingly than the fact that in the 21st century, you can actually hold computers hostage for ransom.
May 2017 was the time that WannaCry, the insidious ransomware, affected organizations and individuals all over the world, with China, Russia, and the UK suffering serious financial and informational losses.
The good news is that the cryptoworm was stopped in its tracks before it could wreak more havoc. The bad news is that WannaCry still lies dormant in over 639,507 computers across the globe!
But what does that really mean?
It pays to understand a bit of how WannaCry works as well as to be wary of some myths about this particularly pesky malware.
Origins of WannaCry
Before we examine the behavior of this ransomware and how it can still activate on infected PCs, let’s revisit the origins of this malware.
WannaCry takes advantage of an exploit in Windows developed by the NSA called EternalBlue. Incidentally, Microsoft criticized NSA for keeping knowledge of the vulnerability a secret and exploiting it.
A group of hackers, who call themselves The Shadow Brokers, stole the exploit from the NSA and released it some months before the spread of WannaCry.
Although Microsoft had released a patch for the EternalBlue exploit months before the ransomware infection began, many systems which hadn’t applied the patch succumbed to the outbreak.
The UK’s NHS was the most seriously affected target of WannaCry, resulting in the cancellation of more than 19,000 appointments. The added costs of service disruption and IT infrastructure upgrade in the NHS following the attack are estimated at £92m.
Suffice it to say, the damage caused by WannaCry was immense.
This is exactly why it is important to know how the ransomware worked so the world can be better prepared for future outbreaks.
WannaCry encrypts computer files, making them inaccessible without a decrypt key.
The victim then gets a demand to pay ransom through bitcoin of about $300 to $600 with a 3 day deadline.
If the deadline runs out, the chances of file retrieval evaporate with it.
So, how does WannaCry achieve this lockdown of files?
Knowledge of the EternalBlue exploit in criminal hands was all it took for the WannaCry outbreak to begin.
But EternalBlue is only one of a few components that make up WannaCry. The other two are DoublePulsar malware and a kill switch domain.
DoublePulsar creates a backdoor after EternalBlue exploits the SMB (Server Message Block) protocol in the vulnerable Windows systems.
Once the backdoor is in place, the attackers can remotely access the affected system and install the actual WannaCry program on it.
Finally – and here’s the coolest part – once WannaCry is installed on your PC, it constantly checks for a gibberish domain on the web: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.
If the domain doesn’t exist (or can’t be reached), WannaCry is programmed to start the encryption process on the affected PC and continue spreading to other systems through the network.
But if the domain was registered, WannaCry won’t activate or spread. This discovery was actually how the outbreak was controlled: MalwareTech, the guy who “stopped” WannaCry, registered the domain and stopped its spread.
There is, however, one problem. Systems that are still infected with WannaCry can be encrypted all over again if an Internet outage occurs or you disconnect from the web, because the malware won’t be able to connect to the kill switch URL.
Companies that use proxies to connect to the Internet are therefore at risk because connection to the kill switch domain won’t be supported by the proxy.
Moreover, organizations that have totally disconnected from the Internet can trigger WannaCry, if one or more of their systems are already infected.
Key takeaway: The kill switch requires continuous connection to the web in order to prevent WannaCry from triggering on infected PCs.
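As an added example, not code from the original article, here is a defender-side check built on the point above: it parses DNS query logs (the log format is constructed for this example) for lookups of the kill-switch domain. Any host making such lookups is an infection indicator, and a host whose lookups fail is the case where the kill switch has stopped protecting it and should be isolated first.

```python
"""Flag hosts whose DNS logs show WannaCry kill-switch lookups (added example)."""
import re
from collections import defaultdict

KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample log lines: "<timestamp> <client_ip> query <domain> -> <rcode>"
SAMPLE_LOG = """\
2017-05-12T10:01:02Z 10.0.4.17 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com -> NOERROR
2017-05-12T10:01:05Z 10.0.4.23 query windowsupdate.microsoft.com -> NOERROR
2017-05-12T10:02:10Z 10.0.7.88 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com -> NXDOMAIN
2017-05-12T10:02:44Z 10.0.4.17 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com -> NOERROR
2017-05-12T10:03:01Z 10.0.7.88 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com -> SERVFAIL
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s+->\s+(\S+)$")

def parse_dns_log(text):
    """Yield (timestamp, client_ip, domain, rcode) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def find_kill_switch_lookups(text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: {"lookups": n, "failed": n}} for hosts querying the kill switch.

    Any lookup at all indicates an infected host; a failed lookup (NXDOMAIN, SERVFAIL,
    a proxy or an outage) is the condition under which the ransomware would activate.
    """
    report = defaultdict(lambda: {"lookups": 0, "failed": 0})
    for _ts, ip, qname, rcode in parse_dns_log(text):
        if qname.lower().rstrip(".") != domain:
            continue
        report[ip]["lookups"] += 1
        if rcode != "NOERROR":
            report[ip]["failed"] += 1
    return dict(report)

def triage(report):
    """Split flagged hosts into those to isolate first (failed lookups) and the rest."""
    urgent = sorted(ip for ip, r in report.items() if r["failed"])
    dormant = sorted(ip for ip, r in report.items() if not r["failed"])
    return urgent, dormant

if __name__ == "__main__":
    urgent, dormant = triage(find_kill_switch_lookups(SAMPLE_LOG))
    print("isolate first:", urgent)
    print("infected but dormant:", dormant)
```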
Curing the infection
For starters, don’t shut down the internet!
The cryptoworm won’t activate as long as your Windows is updated, has the patch to close the SMB vulnerability, and is directly connected to the web (NOT via proxies).
This will give you the breathing space to identify infected machines in your corporate network and start operation clean up.
Kryptos Logic has developed a service named TellTale, which will check all IP addresses in an organization’s network for signs of infection.
This is incredibly helpful and enables organizations to isolate systems infected with WannaCry and execute a data backup strategy before cleaning up affected systems.
A couple of myths about WannaCry
As with anything, there are a couple of misconceptions about this particular ransomware you should be wary of.
1. It only affects Windows XP
When WannaCry was unleashed to the world, the blame was pinned to organizations using legacy system software.
Initial reports assumed that the malware’s primary target was Windows XP PCs, even though the NHS asserted that less than 4.7 percent of its systems were running Windows XP.
Kaspersky Lab soon confirmed that only a negligible fraction of the affected systems were running Windows XP.
In an overwhelming majority of cases, it was Windows 7 x64 systems that were infected with WannaCry.
So the real problem was the general negligence of people in installing Windows patches on their respective systems.
If you are running Windows 8, 7, or 10, this is no guarantee that you are safe from WannaCry. Do yourself a favor and install all updates as soon as they are released.
You might dodge a bullet without even realizing it.
2. Paying the ransom will restore files
Other than the obvious fact that paying the ransom is a bad idea because it encourages cybercriminals to carry out these kinds of attacks in the future, there is also the fact that there’s no guarantee your system will be released if you do go ahead with the ransom.
This is due to design problems in the code of WannaCry itself. There is no automatic mechanism to decrypt your files following the ransom payment.
Instead, the hackers have to manually give you the decryption key.
It’s unlikely they are conscientious enough to take the time to individually hand off keys to each infected computer paying the ransom. We’re dealing with criminals, after all.
But assuming they are nice enough to hold up their end of a criminal bargain, there is still little to be gained.
It turns out that WannaCry has no way of determining which payment is associated with which individual computer. So even if you pay, the hackers receive no proof that you have done so.
Paying the ransom is therefore a gamble where the odds are against you. In my opinion, your money would be better spent on data backup systems to safeguard against future attacks.
It wouldn’t be wrong to say that WannaCry was one of the most destructive malware outbreaks in history, disrupting the operations of dozens of organizations around the world. If there’s anything to learn from the incident, it is to keep your systems updated at all times and not to forgo backing up data to an offline disk, isolated from the web.