If an infection can connect to the Kill Switch domain, the ransomware component won't activate. Notably, however, the infection will still operate stealthily in the background, while users regularly connect to the Kill Switch domain to scan and check if the malware persists.
According to a tweet posted last Friday by Jamie Hankins, Head of Security Research and Threats at Kryptos Logic, the Kill Switch continues to receive connections in significant numbers and from a significant number of unique IP addresses. Although the Kill Switch is now hosted by Cloudflare to provide availability and strong protection against DDoS attacks, Hankins told BleepingComputer that they still have access to statistics about this domain.
According to Hankins, the WannaCry kill switch domain received over 17 million beacons or connections within a week. These connections came from over 630 thousand unique IP addresses in 194 different countries.
The chart below illustrates the countries most threatened by WannaCry, with China, Indonesia, and Vietnam as the top three. Security researchers also added that the United Kingdom accounts for about 0.15% and the United States for 1.35% of the total connections in one day. However, these figures may be skewed by the DHCP rate over a longer period.
Additionally, Hankins shared a graph illustrating the number of beacons over a week. The number of connections gradually decreases towards the end of the week, simply because there are more computer users and office workers on regular days.
The significant number of computers still infected with this malware remains a challenging issue. Users are advised to cease internet activities, so the Kill Switch domain cannot be accessed, and the ransomware cannot initiate. They should also use the TellTale service to check that their IP addresses are not infected with WannaCry. To find their IP address, users can refer to how to view an IP address here.
The TellTale service by Kryptos Logic
Last April, Kryptos Logic launched a service named TellTale, allowing organizations to monitor their IP address range to detect known malware. By using this service, organizations will receive notifications if their computers are detected to be infected with the WannaCry ransomware or other known threats monitored by Kryptos Logic. Access TellTale here.
With a large number of organizational computers affected by WannaCry and other malware, TellTale will undoubtedly be a useful tool for detecting the source of this malicious software. Additionally, there are various methods to check for WannaCry infection on computers, which you can find references to on Mytour.
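One such check, as an added example that is not from the original article or from Kryptos Logic: since infected computers keep sending beacons to the Kill Switch domain, an organization's own DNS query logs can reveal which machines are doing so. It also shows why unique IP counts overstate infected hosts when DHCP hands a machine a new address. The log format, hostnames, addresses and the placeholder domain `killswitch.example` are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Placeholder, not the real indicator: substitute the domain from your threat intelligence.
KILL_SWITCH = "killswitch.example"

# Constructed sample of internal DNS query logs: time, client IP, DHCP hostname, queried name.
SAMPLE_LOG = """\
2019-01-07T08:01:12 10.0.4.21 ws-finance-03 killswitch.example.
2019-01-07T08:01:40 10.0.4.35 ws-hr-11 intranet.corp.example.
2019-01-07T09:15:02 10.0.4.21 ws-finance-03 KillSwitch.example
2019-01-08T08:02:55 10.0.4.87 ws-finance-03 killswitch.example
2019-01-08T10:30:00 10.0.7.14 lab-pc-02 killswitch.example
malformed line
2019-01-08T11:00:00 10.0.7.14 lab-pc-02 notkillswitch.example
"""

def find_beaconing_hosts(log_text, domain=KILL_SWITCH):
    """Return {hostname: {"beacons": int, "ips": set, "first": ts, "last": ts}}."""
    wanted = domain.lower().rstrip(".")
    hosts = defaultdict(lambda: {"beacons": 0, "ips": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records instead of failing the whole run
        ts, ip, hostname, qname = fields
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # client field is not an IP address
        # Exact match on the normalised name; a substring test would also hit look-alikes.
        if qname.lower().rstrip(".") != wanted:
            continue
        rec = hosts[hostname]
        rec["beacons"] += 1
        rec["ips"].add(ip)
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    return dict(hosts)

def summarize(hosts):
    """Total beacons, unique IPs and distinct hosts; IPs exceed hosts after DHCP lease changes."""
    all_ips = set().union(*(h["ips"] for h in hosts.values())) if hosts else set()
    return {"beacons": sum(h["beacons"] for h in hosts.values()),
            "unique_ips": len(all_ips), "hosts": len(hosts)}

if __name__ == "__main__":
    found = find_beaconing_hosts(SAMPLE_LOG)
    for name, rec in sorted(found.items()):
        print(name, rec["beacons"], sorted(rec["ips"]), rec["first"], rec["last"])
    print(summarize(found))
```

In the constructed sample, one workstation appears under two addresses, so three unique IPs correspond to only two machines that need cleaning.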
