Data released yesterday by Kryptos Logic reveals that most WannaCry victims are located in China, and not Russia, as various antivirus vendors have announced during the WannaCry ransomware outbreak.
The numbers released by Kryptos Logic are more accurate because the company operates the main WannaCry kill-switch domain and employs MalwareTech, the researcher who registered that domain.
The Kryptos Logic statistics, released yesterday, are based on the total number of requests made to the main kill-switch domain in the past two weeks.
While the actual number of computers that had their data locked by the WannaCry ransomware could never be determined, the Kryptos Logic data reveals that during the past two weeks, the kill-switch domain has received between 14 and 16 million queries.
Although initial reports claimed that between 50% and 75% of WannaCry victims were from Russia, the Kryptos Logic data suggests that China was by far the most affected country, with 6.2 million requests.
The rest of the top 10 is occupied by the US (1.1 million), Russia (1 million), India (0.54 million), Taiwan (0.375 million), Mexico (0.3 million), Ukraine (0.238 million), Philippines (0.231 million), Hong Kong (0.192 million), and Brazil (0.191 million).
These numbers do not include kill-switch domain requests from users accessing the domain in their browser, or from the several DDoS attacks that hit the kill-switch domain in an attempt to take it down and allow the ransomware to spread even further.
Even after filtering out all these requests, the Kryptos Logic team was surprised by the size of the WannaCry outbreak.
"[I]t turns out that within 48 hours WannaCry potentially became one of the largest worm outbreaks we have seen, rivaling botnets which have been in operation and growing for years," researchers said.
"[WannaCry] velocity was so high that within one week it could propagate more than every spam campaign, exploit kit, website hijack, you name it attack type using a single vulnerability," the Kryptos Logic team added. "We can only imagine the damage this worm would have unleashed had it been used while ETERNALBLUE was still a zero day vulnerability (not fixed by Microsoft)."
There are many reasons why WannaCry claimed six times as many victims in China as in Russia or the US. The most important of these is the low adoption rate of Windows 10 in China, where most users are still running Windows 7 or Windows XP.
A previous report highlighted that 98% of all WannaCry victims ran Windows 7. Kryptos Logic also confirmed that the WannaCry worm has problems spreading to operating systems other than Windows 7.
Furthermore, the Kryptos Logic data reveals that WannaCry has continued to claim victims despite the registration of the kill-switch domain.
This most likely happened because some organizations mistakenly blocked access to the kill-switch domain. As the name implies, the kill-switch domain stops WannaCry from encrypting files, but many companies mistook this domain for the ransomware's C&C server and blocked infected computers from connecting to it.
As system administrators realized their mistake, they unblocked traffic to the kill-switch domain, which Kryptos Logic then recorded at later dates. This traffic also shows a huge spike following the initial outbreak, with the biggest spike coming from China. In normal circumstances one would expect traffic to go down, as WannaCry would no longer be able to infect new computers. Unfortunately, other factors contributed to this spike: sysadmins failing to patch their systems, victims failing to clean their infected computers, and a recurring 24-hour scan period preconfigured in the WannaCry source code, which kept the ball rolling and allowed WannaCry to spread to new victims despite the activation of the kill-switch domain.
The kill-switch domain is a URL hard-coded inside WannaCry's source code, part of its SMB worm component, and is in reality an anti-sandbox feature rather than a kill switch per se. The ransomware queries this domain, and if the domain is not registered, it moves on to encrypt the user's files.
By registering this domain, MalwareTech had defanged WannaCry, which never moved on to the next step of its infection process, which was encrypting files.
Despite not encrypting files, the WannaCry ransomware+worm combo remains on an infected PC until it is deleted, and it will scan random IP addresses and attempt to spread to other victims.
This scan process takes place for 24 hours after a computer is infected with WannaCry, and for another 24 hours after a user reboots their WannaCry-infected PC.
This recurring 24-hour scan period is what kept the WannaCry outbreak rolling for two weeks after MalwareTech registered the kill-switch domain.
The Kryptos Logic chart from above shows that the WannaCry SMB worm component continued to claim a huge number of victims even after May 12-14, the weekend when the ransomware broke out, and shows why it is important to remove the WannaCry files from your PC as soon as possible, whether or not it encrypted your files.
The 14-16 million estimate Kryptos Logic has put forward should be taken with a grain of salt, as the number includes requests from shared public IP addresses, which cannot be traced back to one computer alone.
Furthermore, when a WannaCry PC is rebooted, it also makes a new request to the kill-switch domain, attempting to encrypt the user's files. These post-reboot kill-switch domain requests also poison the estimate.
Despite this, it is fair to say that the number of computers affected by WannaCry, whether through encrypted files or infection by the SMB worm, is in the millions, making it by far the most aggressive and virulent ransomware known to date.
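To show how a defender would work with kill-switch query data of the kind described above, here is an added example (not Kryptos Logic's code, and not from the article) that parses constructed query-log lines, compares the raw request count with the number of unique source addresses, and lists hosts that keep re-querying across the 24-hour rescan window, which is the signature of an infected machine that has not been cleaned. The log format, the sample lines and the `killswitch.example` domain are all constructed placeholders; the real hard-coded domain is not reproduced here.

```python
"""Estimating WannaCry reach from kill-switch domain query logs (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Placeholder standing in for the hard-coded kill-switch domain (not the real name).
KILLSWITCH_DOMAIN = "killswitch.example"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample of a resolver/sinkhole query log:
# timestamp, source IP, GeoIP country, queried name.
SAMPLE_LOG = """\
2017-05-12T15:01:02Z 203.0.113.10 CN killswitch.example
2017-05-12T15:01:05Z 203.0.113.11 CN killswitch.example
2017-05-12T15:02:09Z 198.51.100.7 US killswitch.example
2017-05-12T15:03:44Z 203.0.113.10 CN killswitch.example
2017-05-12T16:10:00Z 192.0.2.33 RU killswitch.example
2017-05-12T16:11:00Z 192.0.2.33 RU www.example.org
2017-05-13T15:30:00Z 203.0.113.10 CN killswitch.example
2017-05-14T09:00:00Z 198.51.100.7 US killswitch.example
"""


def parse_log(text):
    """Parse whitespace-separated query-log lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, country, qname = parts
        try:
            when = datetime.strptime(ts, TIME_FMT)
        except ValueError:
            continue
        records.append({"when": when, "ip": ip, "country": country,
                        "qname": qname.lower().rstrip(".")})
    return records


def killswitch_queries(records):
    """Keep only queries for the kill-switch name; other DNS traffic is irrelevant here."""
    return [r for r in records if r["qname"] == KILLSWITCH_DOMAIN]


def summarize(records):
    """Raw request count versus unique source IPs, overall and per country.

    Raw counts are inflated by reboots and rescans (each one re-queries the
    domain); unique IPs undercount hosts behind a shared public address.
    The true number of infected machines lies somewhere between the two.
    """
    ks = killswitch_queries(records)
    ips_by_country = defaultdict(set)
    for r in ks:
        ips_by_country[r["country"]].add(r["ip"])
    return {
        "raw_requests": len(ks),
        "unique_ips": len({r["ip"] for r in ks}),
        "requests_by_country": dict(Counter(r["country"] for r in ks)),
        "unique_ips_by_country": {c: len(s) for c, s in ips_by_country.items()},
    }


def repeat_queriers(records):
    """Source IPs seen more than once: post-reboot re-queries, the 24-hour rescan,
    or several machines sharing one public address. These inflate the raw count."""
    counts = Counter(r["ip"] for r in killswitch_queries(records))
    return {ip: n for ip, n in counts.items() if n > 1}


def lingering_hosts(records, min_hours=24):
    """IPs whose first and last kill-switch queries are at least min_hours apart.

    A host that is still querying a day or more after first contact still
    carries the worm and should be cleaned, even if no files were encrypted.
    """
    first, last = {}, {}
    for r in killswitch_queries(records):
        ip, when = r["ip"], r["when"]
        first[ip] = min(first.get(ip, when), when)
        last[ip] = max(last.get(ip, when), when)
    window = timedelta(hours=min_hours)
    return sorted(ip for ip in first if last[ip] - first[ip] >= window)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarize(recs))
    print("repeat queriers:", repeat_queriers(recs))
    print("still querying after 24h:", lingering_hosts(recs))
```

On the constructed sample, seven kill-switch requests come from only four distinct addresses, and two of those addresses are still querying more than a day after their first contact. The same two readings carry over to the real data: the request total overstates the number of machines, and any address still querying weeks later is a host where the worm was never removed, which is the case for leaving the domain reachable and cleaning the endpoint rather than blocking the query.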
In the meantime, the easiest way to protect against WannaCry is to apply Microsoft's MS17-010 security update, which prevents WannaCry from taking root on a system in the first place. Applying the patch and cleaning older PCs already infected with WannaCry will help shut down this threat for good.
Interactive versions of the charts presented in this article are available in the Kryptos Logic report.