Over 98% of All WannaCry Victims Were Using Windows 7

Over 98% of All WannaCry Victims Were Using Windows 7

Written by / Courtesy of Bleeping Computer

Numbers released by Kaspersky Lab on Friday reveal that over 98% of all documented WannaCry infections were running versions of the Windows 7 operating system.

Out of all Windows 7 users, the worst hit were users running Windows 7 64-bit edition, accounting for more than 60% of all infections.

The second and third most targeted OS versions were Windows Server 2008 R2, and Windows 10, respectively.

So! XP wasn’t to blame after all

The statistics come to disprove popular belief that WannaCry hit mostly Windows XP machines. “The Windows XP count is insignificant,” said Costin Raiu, director of Global Research and Analysis Team at Kaspersky Lab.

To infect all these computers, the WannaCry ransomware used an SMB worm that spread on its own to new computers that ran vulnerable SMB services.

That SMB worm was powered by an exploit named ETERNALBLUE. The exploit is part of a collection of hacking tools a group of hackers calling themselves The Shadow Brokers have stolen from the NSA and leaked online in April 2017.

ETERNALBLUE never worked properly on XP, only on Windows 7

Initial analysis of ETERNALBLUE revealed the worm could run on platforms from Windows XP up to Windows 8.1 and Server 2012.

It was during the WannaCry outbreak that researchers discovered the worm only worked reliably on Windows 7, causing errors on other platforms, including Windows XP, on which most infosec talking heads falsely blamed for most WannaCry infections.

Following this discovery, a user has patched the ETERNALBLUE exploit to work without errors on 64-bit editions of Windows 8/8.1 and Windows Server 2012.

Currently, WannaCry’s worm modules are still searching for new victims. The latest tally of computers that have been touched by this worm is 416,989, albeit not all computers have had their files encrypted, as WannaCry’s ransomware payload has been defanged by a clever British researcher.

Bleeping Computer has reached out to Kaspersky Labs to inquire on why we see Windows 10 machines in the chart, and any possible scenarios that WannaCry could have used to infect those systems.

Read the original article over at Bleeping Computer.