WannaCry was a Windows 7 phenomenon

The weakness of Windows 7’s Defender was partly to blame for the WannaCry ransomware outbreak


The WannaCry ransomware outbreak may have spurred Microsoft into patching its abandoned operating systems against the malware, but it turns out virtually all of the action was on Windows 7, which remains in wide use.

A researcher with Kaspersky Lab noted that virtually all of the infections they observed involved Windows 7, especially the 64-bit edition. The 64-bit skew is hardly surprising, since 32-bit-only x86 processors haven't been on the market in years.

Reuters reported that security ratings firm BitSight confirmed Kaspersky's finding that Windows 7 was hardest hit, with around 67 percent of infections on Windows 7 machines and far fewer on XP.

The one thing Kaspersky did not say—nor have they answered my question—is whether those machines had additional malware protection or relied solely on Defender for defense. If it’s the latter, then all I can say is those people were pretty stupid because even Microsoft has said Defender is not enough and you need third-party protection.

Windows Defender on Windows 7 protects against spyware only

The thing is, Windows 7 is still supported by Microsoft, while XP is not. So what happened? The problem lies with the Windows 7 version of Windows Defender. The Defender that shipped with Windows 7 in 2009 is an anti-spyware tool only; full antivirus coverage on that platform came from the separately installed Microsoft Security Essentials. WannaCry is ransomware, a category the 2009 Defender was never designed to detect. Windows Defender on Windows 8.1 and 10 is a full anti-malware engine that defends against all types of malicious software. One caveat worth keeping in mind: the worm component of WannaCry spread by exploiting the SMBv1 vulnerability that Microsoft fixed in the MS17-010 update, released in March 2017 for supported versions including Windows 7, so machines that had applied that patch were not exposed to that propagation path regardless of which anti-malware product they ran.

So, if you needed another reason to upgrade to Windows 10, here's a good one. Of course, good third-party anti-malware on those machines might have helped, too.

There is some good news in the WannaCry battle. Adrien Guinet, a security researcher at Quarkslab, found a flaw in the way WannaCry handles its key material and built a decryptor that can unlock the files of infected users.


WannaCry generates an RSA key pair on the victim's computer: a public key used to encrypt and a private key needed to decrypt, with the private key derived from two large prime numbers. The private key itself is encrypted with the attackers' own key, so it cannot simply be read back, but the primes used to generate it are another matter. Guinet found that the malware "does not erase the prime numbers from memory before freeing the associated memory."

So he created a tool called WannaKey, which attempts to retrieve those primes from the memory of the WannaCry process and rebuild the private key from them. It works only on Windows XP and under two conditions: the computer must not have been restarted since infection (otherwise the primes are gone from memory), and the memory in question must not have been wiped or reused by another process. Even then, Guinet warns that his solution "might not work in every case!"
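As an added illustration of the recovery technique Guinet describes (this is example code written for this page, not WannaKey or WanaKiwi), the following Python simulates it end to end: it generates a victim RSA key pair, wraps a per-file key with the public key, plants one prime in a constructed "process memory" buffer in little-endian form (the layout Windows CryptoAPI uses for RSA components), then recovers the prime by testing each memory window as a divisor of the public modulus n, rebuilds the private key, and unwraps the file key. It also shows the failure mode from the text: scanning memory that no longer holds the prime yields nothing. The key size (256-bit primes rather than WannaCry's RSA-2048), the buffer size and the sample file key are assumptions chosen to keep the run fast; a real tool would read the live wcry.exe process and the public key file instead of a constructed buffer.

```python
"""
Simulation of the WannaKey idea: pull an RSA prime out of leftover
process memory and rebuild the private key from it.
Constructed for illustration only; touches no real process or sample.
"""
import random
import secrets
from math import gcd

PRIME_BITS = 256             # assumption: WannaCry used RSA-2048 (1024-bit primes)
PRIME_LEN = PRIME_BITS // 8  # serialized size of one prime, in bytes
MEM_SIZE = 64 * 1024         # assumption: size of the constructed "heap" we scan


def is_probable_prime(n, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime with the top bit set, so it serializes to exactly bits/8 bytes."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_keypair(bits=PRIME_BITS, e=65537):
    """Victim-side RSA key: returns (n, e, d, p, q)."""
    while True:
        p, q = random_prime(bits), random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi), p, q


def simulated_process_memory(prime, plant=True, seed=2017):
    """Constructed 'process memory': random bytes, optionally with the prime
    left at a random offset in little-endian form (CryptoAPI's layout)."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(MEM_SIZE))
    if not plant:
        return bytes(buf)          # the "rebooted" case: nothing left to find
    off = rng.randrange(0, MEM_SIZE - PRIME_LEN)
    buf[off:off + PRIME_LEN] = prime.to_bytes(PRIME_LEN, "little")
    return bytes(buf)


def recover_factor(memory, n, width=PRIME_LEN):
    """Slide a width-byte window across memory and test each one as a divisor
    of the public modulus n. The only non-trivial divisors of n are p and q,
    so a hit is a recovered prime; None means the primes are not in memory."""
    for off in range(len(memory) - width + 1):
        cand = int.from_bytes(memory[off:off + width], "little")
        if cand <= 1 or cand % 2 == 0:
            continue                     # RSA primes are odd; skip cheaply
        if n % cand == 0:
            return cand
    return None


def rebuild_private_key(n, e, p):
    """Given one prime factor, recover q and the private exponent d."""
    q = n // p
    if p * q != n:
        raise ValueError("not a factor of n")
    return pow(e, -1, (p - 1) * (q - 1))


def demo():
    n, e, d, p, q = generate_keypair()
    # WannaCry wraps each file's symmetric key with the victim's RSA public key.
    file_key = secrets.token_bytes(16)             # constructed sample AES key
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)

    # Case 1: no reboot since infection; a prime is still sitting in the heap.
    factor = recover_factor(simulated_process_memory(p), n)
    recovered_d = rebuild_private_key(n, e, factor)
    unwrapped = pow(wrapped, recovered_d, n).to_bytes(16, "big")

    # Case 2: memory reused or machine rebooted; the scan finds nothing.
    after_reboot = recover_factor(simulated_process_memory(p, plant=False), n)

    return {"p": p, "q": q, "d": d, "file_key": file_key,
            "recovered_factor": factor, "recovered_d": recovered_d,
            "unwrapped_file_key": unwrapped, "after_reboot": after_reboot}


if __name__ == "__main__":
    result = demo()
    print("factor recovered:", result["recovered_factor"] in (result["p"], result["q"]))
    print("file key unwrapped:", result["unwrapped_file_key"] == result["file_key"])
    print("after reboot:", result["after_reboot"])
```

The divisibility test is what makes the scan cheap: no parsing of key structures is needed, because any window of the right width that divides n must be p or q, and one factor is enough to recompute the other and the private exponent.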

More white hat hackers have since come to the rescue. Benjamin Delpy developed an easier-to-use tool called WanaKiwi, based on Guinet's finding, which automates the whole WannaCry decryption process. Best of all, it works on Windows 7, as well as Server 2003 and 2008. The tool is on GitHub.


Copyright © 2017 IDG Communications, Inc.
