A security firm has found that machines running Windows XP “did not contribute much” to the total number of WannaCry ransomware infections.
Researchers at Kryptos Logic are still peeling back the layers of the WannaCry global outbreak on 12 May. As everyone in the security industry knows by now, the ransomware spread via a Windows-based SMB vulnerability using attack code developed by the National Security Agency (NSA) and leaked by the Shadow Brokers.
Leading estimates suggest the ransomware spread to 150 countries and over 200,000 organizations, including the United Kingdom’s National Health Service (NHS) and telecommunications giant Telefonica, in a matter of days.
Kryptos Logic has found these figures to be too conservative:
“We argue that the real number of affected systems, by assessing the sinkhole data, is in the millions, and we further estimate between 14 to 16 million infections and reinfections have been mitigated avoiding what would have been chaos, since May 12th. Our estimate is a few hundred thousand systems were disrupted by the ransomware payload until the kill switch was activated followed by a conservative 2 to 3 million affected systems which were not disrupted by the payload. Without the mitigating effect of the kill-switch, this number could have plausibly infected vulnerable systems well into the tens of millions or higher.”
The security firm confirmed that WannaCry had affected approximately 727,000 unique IP addresses over a two-week period beginning on 12 May.
To get a better sense of these infection statistics, Kryptos Logic decided to test WannaCry on four different operating systems: Windows XP with Service Pack 2, Windows XP with Service Pack 3, Windows 7 64 bit with Service Pack 1, and Windows Server 2008 with Service Pack 1. The researchers wanted to better understand the ransomware’s infection capabilities on machines running Windows XP. What they found was a bit surprising:
“Our first setup was to test propagation via the ETERNALBLUE exploit (MS17-010). The primary infection found the hosts and attempted to exploit it via SMB, this surprisingly turned out to be unsuccessful on Windows XP, and the infected host then attempted to send its payload via DOUBLEPULSAR which failed as the targets clean installs.”
The team didn’t achieve any infection on Windows XP with Service Pack 2. They got a blue screen of death (BSOD) on Windows XP with Service Pack 3 but no ransomware payload. Meanwhile, they did achieve an infection after a few tries on Windows 7 64 bit with Service Pack 1.
Determined to learn more, they attempted to manually backdoor each of the systems and achieve local infections. Windows 7 64 bit with Service Pack 1 proved successful, but both Windows XP versions yet again failed to yield an infection.
Here’s what Kryptos Logic thinks of its findings:
“It must be noted however that Windows XP is not safe from infection when the WannaCry binary is executed locally on the host. The ransomware will install successfully and encrypt the host’s files. That being said, since the main infection vector here was the SMB exploit, it seems like XP did not contributed much to the total infection counts. To be clear, the Windows XP systems are vulnerable to ETERNALBLUE, but the exploit as implemented in WannaCry does not seem to reliably deploy DOUBLEPULSAR and achieve proper RCE, instead simply hard crashing our test machines. The worst case scenario, and likely scenario, is that WannaCry caused many unexplained blue-screen-of-death crashes.”
Even in the absence of encrypted files, no one wants a BSOD crash. That’s why users should update all machines running Windows XP with the special patch issued by Microsoft after the WannaCry outbreak.
They should update their systems to Windows 10. Doing so won’t automatically protect you against attackers leveraging the Windows vulnerability to install WannaCry. But as compared to the end-of-life XP, Windows 10 still regularly receives security updates, which means you can better protect yourself against digital threats.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.