Five years ago, two ransomware programs, WannaCry and NotPetya, used self-propagation to spread quickly across the globe, infecting hundreds of thousands of computers, shutting down business operations, and causing billions in damages.
The two programs, often referred to as worms, have refused to die. In a back-of-the-napkin analysis of search terms for common ransomware programs, Canadian IT services and support firm Firewall Technical found that WannaCry and Petya claimed the top and third spots on a list of most searched-for ransomware — at 6,000 and 1,800 monthly searches, respectively — with Ryuk beating out Petya to claim the No. 2 slot, according to data collected from keyword-search tools commonly used by search engine optimization (SEO) firms.
With the Petya searches, it is likely that people are equating Petya with the more damaging NotPetya. People searching for information about Petya are more than likely looking for how to deal with NotPetya, as it has far more effect on everyone, the company says.
Certain other keyword phrases — such as "X decryptor" and "X ransomware removal" — highlighted different trends: "Locky ransomware removal" had a slight lead in monthly searches, and "Cerber decryptor" was the second most common after WannaCry. Arguably, searches for decryptors and removal information are more indicative of infections, according to the support firm's experts.
"Although reports of infections are the best way of detecting threats, monitoring search engine user behavior can give us a clue into both trends and the infections that users are dealing with," a Firewall Technical spokesperson said.
The fact that two worm-like programs continue to have a long-term impact on systems is not surprising. In its threat update on ransomware, security software firm WithSecure found that WannaCry still accounted for 53% of all detections in 2021 — more than the next four ransomware families combined.
The programs typically embed themselves inside organizations that do not have good visibility into the state of their systems and lack the ability to regularly patch systems, says Neeraj Singh, research and development manager at WithSecure.
"Most of the upstream ... cases that we receive come from the organizations [that] do not have the infrastructure to upgrade [or] patch operating systems," he says.
Luckily, the worms' impacts are blunted at present. Following a successful infection, WannaCry attempts to connect to a URL and, if successful, does not encrypt the files on the system — a behavior that researcher Marcus Hutchins used to create a kill switch that continues to work to this day.
While NotPetya has no kill switch, current volumes of infections are low enough to make tracking them difficult, according to WithSecure. To date, no new versions of either program have been observed since 2017, the company said.
If WannaCry and NotPetya follow the trajectory of past worm-like threats, they are unlikely to fade away quickly. Four years after the Slammer worm started spreading, for example, the so-called "flash" worm remained the most common network threat. More than a decade after the Conficker worm started spreading in 2008, endpoint security firms continue to block hundreds of thousands of intrusion attempts by infected systems every year.
The data collected by Firewall Technical also shows the limits of relying on search terms for threat intelligence. Searches for "WannaCry ransomware" were only a sliver of the 201,000 hits in May 2017, when the crypto ransomware worm first appeared, suggesting that the long tail will continue to cause headaches for IT administrators. The 6,000 searches are also a far cry from the more general query for the keyword "WannaCry," which topped 3.4 million that month.