Windows XP isn’t as vulnerable to the WannaCry ransomware as many assumed, according to a new report from Kryptos research. The company’s researchers found that XP computers hit with the most common WannaCry attack tended to simply crash without successfully installing or spreading the ransomware. If true, the result would undercut much of the early reporting on Windows XP’s role in spreading the globe-spanning ransomware.
The core of WannaCry is a vulnerability in a Windows file-sharing system called SMB, which allowed WannaCry to spread quickly across vulnerable systems with no user interaction. But when Kryptos researchers targeted an XP computer with the malware in a lab setting, they found that the computers either failed to install or exhibited a “blue screen of death,” requiring a hard reset. It’s still possible to manually install WannaCry on XP machines, but the program’s particular method of breaking through security simply isn’t effective against the older operating system.
“The worst-case scenario, and likely scenario,” the Kryptos report reads, “is that WannaCry caused many unexplained blue-screen-of-death crashes.”
While they cut against much of the early analysis of WannaCry, Kryptos’ findings are consistent with early research from Kaspersky Lab, which found that Windows XP accounted for an “insignificant” percentage of the total infections. Kaspersky found the bulk of infections on machines running Windows 7 or Windows Server 2008.
Much of the early focus on Windows XP was the result of the UK’s National Health Service, one of the earliest and most damaging WannaCry victims. A number of outlets blamed the NHS infections on computers running Windows XP, leading to widespread concern over Microsoft’s failure to release a patch. The NHS itself vigorously denied the claim, saying fewer than 5 percent of the service’s computers ran Windows XP at the time of the attack. In light of the latest Kryptos research, it’s plausible that unpatched Windows 7 systems were more of an issue for NHS.
In the days after the attack, Microsoft drew significant criticism for its failure to issue a public patch to protect Windows XP against WannaCry. Microsoft stopped issuing public security patches for XP when it deprecated the operating system in 2014, but paying Custom Support users could still get patches directly from the company, including the patch protecting against WannaCry. Microsoft ultimately issued an emergency patch to protect XP against the core vulnerability, although it’s unclear how much of a difference the patch made.
The Kryptos report doesn’t rebut all of Windows XP’s security issues. Systems can still be infected by a direct installation of the WannaCry malware, and the general vulnerability is still very much an issue for anyone running an unpatched version of the system. Beyond this specific malware, XP is still vulnerable to dozens of attacks that have popped up in the years since support was discontinued. In the case of WannaCry, however, XP’s tendency to crash when presented with unusual code seems to have provided an unlikely protection against the ransomware attack.
Kryptos’ report also gives new insight into WannaCry’s broader impact. Researchers estimate the total number of infections was in the millions, with at least 727,000 unique IP addresses checking into domains associated with the malware. The research also suggests WannaCry could have been far more damaging: the early kill-switch registration on the 13th may have blocked as many as 16 million further infections.
But while most of the world has begun to recover from the malware, infections in China have skyrocketed in recent weeks. Kryptos registered nearly 1 million infected computers in China on May 23rd alone. It’s still unclear why Chinese computers have remained vulnerable, but the country’s low rate of Windows 10 adoption is a likely cause.