SophosLabs found that WannaCry remained highly active in 2019 because thousands of modified binaries kept spreading on Windows systems that still lacked the 2017 patch for the wormable vulnerability. In a September–December 2018 sample, all 2,725 analyzed variants contained some form of kill-switch bypass, while most were broken enough that they could spread but no longer encrypt victims. Sophos also reported more than 4.3 million blocked WannaCry spread attempts in August 2019 and over 12,000 circulating variants, with a small number of versions driving most detections. The analysis underscores that delayed patching left organizations exposed to lingering WannaCry propagation and potentially more dangerous follow-on attacks.