A WannaCry Cluster From 2017, Still Active in 2026

06/14/2026D.Blanko

For three days in February 2026, a Dionaea malware honeypot running on a single VPS recorded 10,271 connections from 668 unique IP addresses across more than 80 countries. It captured 285 suspicious binaries — full files, not just hashes or metadata.

269 of them were WannaCry.

Not one sample. A cluster.

Every file had a different SHA256 — each one a separate infection attempt from a separate source. Different IPs, different SMB sessions, different moments in time. But when clustered by string similarity (Jaccard distance, hunter_v2), all 269 collapsed into a single connected component. One population, one version, no mutations.

The evidence

Every sample shared the same markers: mssecsvr.exe, tasksche.exe, launcher.dll, SMB/MS17-010 artefacts, PE32 DLL structure at 5.1–5.3 MB, Shannon entropy between 6.8–7.4, and a PE compilation timestamp of May 11, 2017 — the original WannaCry build date. The kill-switch domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com appears in samples where it falls within the first 256 KB. It still resolves.

Why 269 samples, not one

WannaCry is a worm, not a trojan. It doesn't need a user. It scans, exploits, and propagates autonomously. Each of the 269 files came from a different infected host — machines that have been running unpatched for years, in some cases likely decades, silently continuing to spread the same binary across the internet.

The binary differences between samples — padding variations, section layout, resource changes — are artifacts of network delivery and the individual infected hosts, not deliberate modification. The core logic is identical across all 269.

What this says about 2026

MS17-010 (EternalBlue) is nine years old. The patch has existed since March 2017. And yet: 269 delivery attempts in 72 hours, from 668 unique IPs, across 80+ countries. Windows 7, Server 2008, XP in industrial environments — unpatched, unmonitored, and still facing the internet on port 445.

WannaCry didn't die. It didn't mutate. It didn't get rewritten. It's running in its original 2017 form, on machines that nobody has touched since before some of the people reading this started working in security.

Methodology and data

Detection used hunter_v1 for static PE analysis (string extraction, IoC classification, entropy, timestamp) and hunter_v2 for clustering by Jaccard string similarity and graph construction. Full report and both scripts are in the repository:

github.com/dblanko/honeypot-analysis

Direct link to the analysis report

The full 72-hour dataset, including the other 107 samples, the geographic distribution of the 668 source IPs,
and the deployment notes for the honeypot stack itself, is documented in Dionaea: Malware Honeypot -
part of the Security Research Series:
https://leanpub.com/dionaeahoneypot