5.15.2017

WannaCrypt Ransomware Forces Microsoft to Patch Old Systems

Emergency Fixes Issued for XP, 8, and Server 2003


Only one day after the WannaCrypt (also known as “WCry”) ransomware worm infected 75,000 machines in nearly 100 countries, Microsoft has issued a fix for officially “unsupported” operating systems. Windows XP and Server 2003 reached end of life back in 2014, while the final patch for Windows 8 (8.1 is still supported) was issued last year.

Microsoft has also created a virus definition for Windows Defender. The ransomware uses a recently leaked NSA tool to spread itself. In typical fashion, the malware encrypts the user’s files and demands a $300 bitcoin ransom to decrypt the files. If the payment is not sent within three days, the ransom will double. 

This has proven to be a formidable malware, as computer systems around the world were infected in only a few hours. Hospitals had to turn away patients, bank systems went down, and some companies had to shut down their computers for the weekend.

The exploited vulnerability (known as “EternalBlue”) was patched in Windows 7 and other supported versions of Windows back in March. Here is Microsoft’s official comment:

“Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download.

This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.”

Microsoft wrote in a blog post Friday night that they haven’t yet found the original entry point for the malware. They are considering the possibility of spam emails, but there could be more than one infection method. 

Researchers say the attack would have been much worse had the attackers registered a specific Internet domain hardcoded in the ransomware. The domain appears to act as a “kill switch” that shuts down the worm, and because the attackers left it unregistered, a quick-acting researcher was able to register it, inadvertently stopping the worm.

Anyone running Windows can find the patch for supported versions of Windows here, and the patch for unsupported versions here. Despite Windows 10’s increasing market share, older versions of Windows remain active for budget, compatibility, and other reasons. Microsoft’s decision serves as a reminder that infected PCs are not just a danger to themselves, but to the world. Those interested can find Kaspersky Lab’s analysis of the malware here.