The global WannaCry attack that started 10 days ago touched just a handful of Windows XP PCs, a security expert said Monday, contradicting the narrative that the aged OS was largely responsible for the ransomware's crippling impact.
"There were no real WannaCry infections of Windows XP," said Costin Raiu, director of Kaspersky Lab's global research and analysis team, in an interview Monday. "We've seen only a handful of cases, less than a dozen, and it looks like most of them were testers [self-infecting systems]."
Raiu's claim countered an assertion made by virtually every media report and blog post published after "WannaCry" emerged June 12. Countless news stories blamed Windows XP, which Microsoft retired three years ago, for falling victim to the attack because the vulnerability that WannaCry exploited had not been patched in the obsolete OS.
Rather than take aim at Windows XP, WannaCry targeted Windows 7 and Windows Server 2008, Kaspersky's data showed. The vast majority -- 98.4% -- had put the crosshairs on Windows 7, which remains the world's most popular edition. To come up with that figure, Kaspersky tallied the WannaCry detections its security software logged -- and blocked -- on various versions of Microsoft's operating system.
The reason for XP's absence from the WannaCry count was simple. "WannaCry itself did not support Windows XP," Raui said, noting that the exploit neither focused on XP or reliably worked on the 2001 operating system. Individual machines could be infected -- the researchers and testers who put WannaCry on Windows XP systems likely ran it manually -- but the worm-like attack code would not spread from an XP PC, and in some cases, executing the exploit crashed the computer.
That put Microsoft's decision to issue a security patch for Windows XP in a different light.
Late on May 12, Microsoft took the unprecedented step of issuing patches for long-demoted versions of Windows, including Windows XP, to immunize PCs against WannaCry. "Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms [currently] in custom support," a Microsoft manager said at the time. Custom support is a post-retirement pay-for-patches program available only to corporate customers.
Computerworld, like many other publications, assumed Microsoft released patches for Windows XP and Server 2003 because it believed older -- and unprotected -- systems were instrumental in spreading WannaCry.
Raiu thought different. "I think Microsoft was worried about the possibility of someone leveraging this exploit," Raiu argued. "Their fear was that it could be theoretically possible to repurpose the exploit to attack Windows XP."
It wasn't a surprise that WannaCry's backers had primarily pointed the attack at Windows 7. "They focused on the most-widespread platform," said Raiu.
According to analytics vendor Net Applications, approximately 53% of all Windows personal computer ran Windows 7 last month. That was nearly double the share of the newer Windows 10, which clocked in at 29%, and more than eight times that of Windows XP's 8%. Cyber criminals typically aim attacks at the most popular operating systems and versions within each OS, a logical practice when profit is paramount. That's especially true of extortion rackets like WannaCry's payload, which encrypts files and then demands a ransom payment to decrypt those hijacked files.
Other factors may have played a part, however. "The newer Windows versions, like Windows 8.1 and Windows 10, include new security mitigations, which may have made it easier for them to [write an] exploit for Windows 7," Rauf said.
When it issued security fixes to Windows XP, Microsoft said that Windows 10 systems "were not targeted" by WannaCry.
Of the Windows 7 systems that were attacked -- but defended by Kaspersky's software -- most were 64-bit editions. Windows 7 Pro and Windows 7 Home (64-bit) outnumbered their 32-bit comrades by almost two to one. Windows 7 Pro 64-bit led all others, accounting for 60% of the total.
It was unclear whether the disparity reflected Kaspersky security software placement -- in, say, far more PCs running the 64-bit version of Windows -- the prevalence of 64-bit over 32-bit at this point, or a more efficient spreading mechanism of WannaCry under a 64-bit OS. With the data illustrating detection and stoppage rates -- not infection rates as some other reports cited -- it was plain, however, that the difference could not have stemmed from faster deployment of the March patches by 32-bit owners.