Last week’s WannaCry outbreak caused havoc in many parts of the world before subsiding thanks to the discovery of a “kill switch” hidden in the code. But that doesn’t mean it’s gone away. In fact, F-Secure Labs is detecting another large spike in WannaCry-related activity coming out of Asia, specifically, Indonesia and Vietnam.
F-Secure Labs first noticed a surge in detections coming from Indonesia yesterday at about 4:00am UTC.
We’re seeing a significant uptick in #WannaCry detections (on our back end telemetry) from Indonesia. Started 5 to 6 hours ago.
— News from the Lab (@FSLabs) May 17, 2017
Detections from Indonesia continued to increase throughout a significant part of the morning before subsiding in the afternoon. Then a second spike of activity coming from Indonesia was detected on the morning of the 18th. This was followed by a surge in detections from Vietnam a few hours later.
These outbreaks in Indonesia and Vietnam accounted for nearly 80 percent of total detections in what amounts to a significant upsurge in total WannaCry activity observed over the past 48 hours.
The overall amount of detections on the 17th and 18th were nearly double what we saw during the 15th and 16th, and slightly more than what we detected during last Friday’s outbreak.
So it appears we haven’t heard the last from WannaCry.
F-Secure products have several different detections to block WannaCry, so these detections mean that the devices under attack weren’t infected. Furthermore, this variant has a flawed payload, so it can’t actually inflict the kind of damage seen last week. It’s essentially a neutered variant of last week’s more infamous version of WannaCry (the one with the kill switch).
But it can still cause network problems for organizations and networks by eating up bandwidth, and is definitely a sign to remain cautious according to F-Secure Security Advisor Sean Sullivan.
“Worms tend to hang around for a while and can be really persistent, unless networks are hardened to stop the spread,” says Sean. “Conficker has been around for years, and it’s still widespread. This variant isn’t successful in dropping ransomware, but another variant might be, so we shouldn’t ignore the underlying security problems that the worm is taking advantage of.”
Some organizations, particularly those like hospitals and other critical services, are particularly susceptible to WannaCry infections due to the complexity of their infrastructure and the malware’s worm characteristics. The fresh outbreak should remind users that they need to secure their devices if they want to avoid being infected, or spreading the infection to others.
Check out these two blog posts for advice on how to protect yourself from WannaCry and similar threats.