Numbers released by Kaspersky Lab on Friday reveal that over 98% of all documented WannaCry infections were running versions of the Windows 7 operating system.
Out of all Windows 7 users, the worst hit were users running Windows 7 64-bit edition, accounting for more than 60% of all infections.
The second and third most targeted OS versions were Windows Server 2008 R2, and Windows 10, respectively.
So! XP wasn't to blame after all
The statistics come to disprove popular belief that WannaCry hit mostly Windows XP machines. "The Windows XP count is insignificant," said Costin Raiu, director of Global Research and Analysis Team at Kaspersky Lab.
To infect all these computers, the WannaCry ransomware used an SMB worm that spread on its own to new computers that ran vulnerable SMB services.
That SMB worm was powered by an exploit named ETERNALBLUE. The exploit is part of a collection of hacking tools a group of hackers calling themselves The Shadow Brokers have stolen from the NSA and leaked online in April 2017.
ETERNALBLUE never worked properly on XP, only on Windows 7
Initial analysis of ETERNALBLUE revealed the worm could run on platforms from Windows XP up to Windows 8.1 and Server 2012.
It was during the WannaCry outbreak that researchers discovered the worm only worked reliably on Windows 7, causing errors on other platforms, including Windows XP, on which most infosec talking heads falsely blamed for most WannaCry infections.
Following this discovery, a user has patched the ETERNALBLUE exploit to work without errors on 64-bit editions of Windows 8/8.1 and Windows Server 2012.
Currently, WannaCry's worm modules are still searching for new victims. The latest tally of computers that have been touched by this worm is 416,989, albeit not all computers have had their files encrypted, as WannaCry's ransomware payload has been defanged by a clever British researcher.
Bleeping Computer has reached out to Kaspersky Labs to inquire on why we see Windows 10 machines in the chart, and any possible scenarios that WannaCry could have used to infect those systems.
Image credits: Costin Raiu / Kaspersky Labs
Comments
khuongduybui - 6 years ago
You want to know why Windows 10 was on the list?
I blame Microsoft for still allowing people to opt-out of auto-updates. The mass do not always know what's best for them, so it is our responsibility to firmly reject their demand when it's harmful, and educate them why so.
(To be fair, I also blame Microsoft for giving people reasons to opt-out of auto-updates, such as significant down-time while restarting after major updates, although they are getting slightly better.)
Yojji - 6 years ago
The chart says "affected" Windows versions, so if you have a dual- or multi-boot PC and picked up the infection while using, say, an unpatched Win 7, wouldn't it affect all the operating systems on that PC by encrypting their files?
SleepyDude - 6 years ago
"The chart says "affected" Windows versions, so if you have a dual- or multi-boot PC and picked up the infection while using, say, an unpatched Win 7, wouldn't it affect all the operating systems on that PC by encrypting their files? "
Yes. If the Windows infected can access the files to read/write then the malware can encrypt the files, it doesn't matter what OS is installed on other disk/partitions.
Any other Operating System you have on the machine that is off-line usually isn't infected by Ransomware because most only target data files like documents, photos, etc. and not system files.
TheWildCat - 6 years ago
That's what I said. Everybody was saying that it was because of the new Windows 10 update and something.
testa - 6 years ago
It's your fault that you have 445 port open and you disabled updates. I don't understand why you guys hate Win10 and updates. My friend adviced me 4 years ago to scan all my ports to make sure all are closed. They are always closed. That's why i'm not getting ransomware in my old laptop running Win7 with installed updates of sep 2016, yeah because i don't have important things in it, so i just disable updates to avoid stuck in boot screen. I only use my old laptop for watching TV and movies. My dad told me to try to not update for 3 days to see if i'm getting ransomware.... nothing happen, just nothing. but today i've reinstalled Win7 witn latest updates. Other compters are running Win10 and updated.