Windows XP so out-of-date it limited WannaCry spread

WannaCry contains seeds of its own destruction - crashed XP PCs before it could spread

In a survey for Reuters, security firm BitSight found that 67 per cent of WannaCry-infected PCs it investigated were running Windows 7 without important security patches, despite the OS being installed on fewer than half of Windows PCs worldwide.

Paul Pratley, of UK consulting firm MWR InfoSecurity, told Reuters that WannaCry's ability to infect other computers on the same network without human intervention appeared to be tailored to Windows 7.

Other versions of Windows were not as vulnerable - although not always for the right reasons. Windows 10 represented 15 per cent of infections, while Windows 8, 8.1, Vista and XP made up the remainder. Windows XP, which is used across the NHS and other organisations, played a much smaller role in the spread of WannaCry than initially thought - because the system crashes before the virus can replicate. Individual XP computers were vulnerable to the worm component, said researchers at MWR and Kryptos, but could not spread the ransomware themselves.

Users of more modern operating systems - those currently supported by Microsoft - were able to download a critical security patch released on 14th March, immunising their computers against WannaCry. However, many failed to do so.

A representative of cybersecurity firm CrowdStrike told Computing that the spread of WannaCry demonstrates the need for advanced prevention. "[T]hink of organisations with thousands of endpoints: you can't rely on every single one to be updated at the same time, it's simply unrealistic. This is why having threat prevention that combines machine learning and behavioral analytics to detect never-before-seen threats is so critical."

Another expert, who preferred not to be named, said, "While we...would always recommend that patching be an integral part of your security, the reason why IT departments occasionally fall short is because it is rarely a simple exercise... Most have heterogeneous IT environments with critical applications; they cannot roll out a patch until they have tested it to make sure that there are no unforeseen side effects."

Trevor Luker, Director of Security Operations and Threat Intelligence at email security firm Mimecast, agreed:

"Disjointed and inefficient internal processes can mean that security patches are simply not given a high enough priority. Often because of 'shadow-IT' and weak asset management practices, organisations don't know that the patch is important to them because they don't actually know what is running on their network.

"In addition, as a result of their automated vulnerability scanning, IT teams are regularly faced with lists of hundreds of discovered vulnerabilities at any time, with little sense of prioritisation.

"Making the situation more complex, large enterprise systems may be sensitive to even small changes in installed software and therefore require extensive regression testing before being deployed. It's a risk, but the cost of downtime caused by a functional regression is often considered too high."

Closing the gates

Despite its relative ineffectiveness in spreading WannaCry, Windows XP was the subject of a free patch from Microsoft on 12th May to protect the system. Free support for XP ended in April 2014; the release of a non-paid patch shows how seriously the company was treating WannaCry.

Malwarebytes tracked the WannaCry infection across the globe as it happened - from the first reported case in Russia on Thursday evening, to an explosion of infections less than 12 hours later. The threat was not brought under control until 8pm on Friday, when the rate of spread began to slow.