WannaCry was a Windows 7 phenomenon
24 May 2017 | 0
The WannaCry ransomware outbreak may have spurred Microsoft into updating its abandoned operating systems to protect against the malware, but it turns out virtually all of the action was around Windows 7, which remains in wide use.
A researcher with Kaspersky Labs noted that virtually all of the infections they found involved Windows 7, especially the 64-bit version. That is hardly surprising, since there have not been 32-bit x86 processors on the market in years.
Reuters reported that security ratings firm BitSight confirmed Kaspersky’s finding that Windows 7 was hardest hit, with around 67% of infections on Windows 7 machines and far fewer on XP.
The one thing Kaspersky did not say—nor have they answered the question—is whether those machines had additional malware protection or relied solely on Defender for defence. If it is the latter, then all that can be said is those people were unwise because even Microsoft has said Defender is not enough and third-party protection is required.
The point is, Windows 7 is still supported by Microsoft, while XP is not. What happened?
It turns out the problem lies in the Windows 7 version of Windows Defender. The version shipped with Windows 7, released in 2009, protects only against spyware, which WannaCry is not: it is ransomware, a relatively new creation. Windows Defender for Windows 8.1 and 10 defends against all types of malicious software.
So, if another motivation was needed to update a computer to Windows 10, this is it. Of course, good third-party anti-malware on those machines might have helped.
There is, however, good news in the WannaCry battle. A security researcher at Quarkslab named Adrien Guinet was able to exploit a flaw in the way WannaCry operates and built a decryptor that unlocks the files of users infected by the ransomware.
WannaCry operates by generating a pair of keys on the victim’s computer, a public and private key for encryption and decryption, which rely on prime numbers. Guinet found that the malware “does not erase the prime numbers from memory before freeing the associated memory.”
Guinet created a tool called WannaKey which attempts to retrieve the prime numbers. It works only on Windows XP and under two conditions: the computer must not have been restarted since infection (otherwise the primes are no longer in memory), and the associated memory must not have been erased or reallocated by some other process. Even then, Guinet warns that his solution “might not work in every case!”
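The recovery idea behind Guinet’s finding, as an added example that is not WannaKey’s or WanaKiwi’s code: scan a memory snapshot for a leftover prime that divides the public modulus, then rebuild the private exponent from it. The modulus, exponent, word size and memory snapshots are constructed toy values so it runs offline; the second snapshot models the post-reboot case where the prime is gone.

```python
from typing import Optional


def scan_memory_for_prime(memory: bytes, n: int, word_size: int) -> Optional[int]:
    """Slide a window over a memory snapshot, reading each position as a
    little-endian integer, and return the first value that is a non-trivial
    divisor of the public modulus n (i.e. one of its two primes)."""
    for offset in range(0, len(memory) - word_size + 1):
        candidate = int.from_bytes(memory[offset:offset + word_size], "little")
        if 1 < candidate < n and n % candidate == 0:
            return candidate
    return None


def private_exponent_from_prime(n: int, e: int, p: int) -> int:
    """Given one prime p of n = p*q, recover q and the private exponent d."""
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


def recover_private_exponent(memory: bytes, n: int, e: int, word_size: int) -> Optional[int]:
    """Full recovery: None when no prime survives in the snapshot."""
    p = scan_memory_for_prime(memory, n, word_size)
    if p is None:
        return None
    return private_exponent_from_prime(n, e, p)


# Constructed toy RSA parameters: n = 61 * 53, e = 17 (2-byte words for the scan).
TOY_N, TOY_E, WORD_SIZE = 3233, 17, 2

# Constructed snapshot: unrelated bytes surrounding the leaked prime 61.
LEAKED_SNAPSHOT = b"\x00\x00\xff\x13\x37\x42" + (61).to_bytes(2, "little") + b"\x99\x00\x10\x27"
# Constructed snapshot after a reboot / reallocation: the prime is gone.
WIPED_SNAPSHOT = b"\x00" * 12


if __name__ == "__main__":
    d = recover_private_exponent(LEAKED_SNAPSHOT, TOY_N, TOY_E, WORD_SIZE)
    print("recovered d:", d)                                   # 2753
    print("after reboot:", recover_private_exponent(WIPED_SNAPSHOT, TOY_N, TOY_E, WORD_SIZE))  # None
    ciphertext = pow(65, TOY_E, TOY_N)
    print("roundtrip ok:", pow(ciphertext, d, TOY_N) == 65)   # True
```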
As it turns out, more white hat hackers have come to the rescue. Another security researcher developed an easy-to-use tool called WanaKiwi, based on Guinet’s finding, which simplifies the whole process of the WannaCry decryption. And best of all, it works on Windows 7, along with Server 2003 and 2008. That tool is on GitHub.