WannaCry cluster from 2017 still spreading in 2026 – 269 samples in 72h

dblanko1 pts0 comments

honeypot-analysis/dionaea/reports/wannacry_2026.md at main · dblanko/honeypot-analysis · GitHub

//blob/show" data-turbo-transient="true" />

Skip to content

Search or jump to...

Search code, repositories, users, issues, pull requests...

-->

Search

Clear

Search syntax tips

Provide feedback

--><br>We read every piece of feedback, and take your input very seriously.

Include my email address so I can be contacted

Cancel

Submit feedback

Saved searches

Use saved searches to filter your results more quickly

-->

Name

Query

To see all available qualifiers, see our documentation.

Cancel

Create saved search

Sign in

//blob/show;ref_cta:Sign up;ref_loc:header logged out"}"<br>Sign up

Appearance settings

Resetting focus

You signed in with another tab or window. Reload to refresh your session.<br>You signed out in another tab or window. Reload to refresh your session.<br>You switched accounts on another tab or window. Reload to refresh your session.

Dismiss alert

{{ message }}

dblanko

honeypot-analysis

Public

Notifications<br>You must be signed in to change notification settings

Fork

Star

FilesExpand file tree

main

/wannacry_2026.md

Copy path

Blame<br>More file actions

Blame<br>More file actions

Latest commit

History<br>History<br>History

58 lines (35 loc) · 4.66 KB

main

/wannacry_2026.md

Copy path

Top

File metadata and controls<br>Preview

Code

Blame

58 lines (35 loc) · 4.66 KB

Raw<br>Copy raw file<br>Download raw file

OutlineEdit and raw actions

WannaCry in the Wild — 2026

Cluster analysis of WannaCry samples captured by the Dionaea honeypot sensor.

1. Summary

The Dionaea sensor captured 285 suspicious binaries during the analysis window, of which 269 classified as WannaCry propagation-module samples, 14 as a generic Linux bot family, and 2 as unclassified. This document covers the methodology used to identify and cluster the WannaCry samples and what the resulting cluster structure says about how the worm is still propagating nine years after its original 2017 outbreak.

Tooling: hunter_1.py (sample analysis — string extraction, entropy, PE timestamp, IOC matching, family classification, and Jaccard-similarity clustering, all in dionaea/).

2. Data source

Dionaea captured all 269 samples via SMB, the same vector used by the original 2017 outbreak (MS17-010 / EternalBlue). Each sample was pulled from a distinct connection: different source IP, different timestamp, different SMB session.

3. Why these are classified as WannaCry

Several independent signals agree across all 269 samples:

IOC strings. Every sample contains the propagation-module marker (mssecsvr.exe), the persistence-component marker (tasksche.exe), the loader DLL name (launcher.dll), and SMB/MS17-010-related artifacts. None of these strings appear in any other classified family in this dataset.

File size. All samples fall in the 5.1–5.3 MB range, consistent with the known WannaCry loader DLL.

PE structure. PE32 DLLs with the expected .text/.rdata/.data/.reloc section layout and the same characteristic import set (CreateFileA, WriteFile, LoadResource, CreateProcessA).

PE compile timestamp. All samples carry a build timestamp of 11 May 2017 (within a few minutes), matching the original WannaCry build date — meaning these are unmodified binaries, not later recompiles.

Entropy. First-256KB entropy in the 6.8–7.4 range, consistent with a partially packed PE, matching the known WannaCry loader.

4. Why 269 separate samples rather than one

Each capture has a distinct SHA-256, meaning these are 269 separate binary instances rather than 269 copies of the same file. Combined with the fact that each was delivered over a different SMB session, from a different source IP, at a different time, this indicates 269 separate infected hosts independently attempting to propagate — not a single source repeatedly hitting the sensor. The binary-level differences between samples (padding, section layout, resource placement) are consistent with artifacts introduced during network delivery rather than deliberate modification of the payload logic.

5. Clustering result

Running the 269 WannaCry-classified samples through hunter_2.py's Jaccard-similarity clustering (threshold 0.4, based on extracted strings) produced a single cluster containing all 269 samples, connected as one component in the resulting similarity graph.

=== Family: WannaCry ===<br>Samples: 269<br>Clusters: 1

This is a strong signal of genetic homogeneity: the population of WannaCry samples currently circulating and being captured by this sensor is, at the string level, a single unmodified variant rather than several diverging strains.

6. Why WannaCry is still active in 2026

A few factors plausibly explain continued propagation nearly a decade after the original outbreak:

A meaningful population of unpatched or end-of-life Windows installations (Windows 7, Server 2008, embedded/industrial systems) remains reachable over SMB, often inside closed networks that nonetheless expose SMB...

samples wannacry file analysis different cluster

Related Articles