One week after it first hit, researchers are getting a better handle on how the WannaCry ransomware spread so quickly — and judging from the early figures, the story seems to be almost entirely about Windows 7.
According to data released today by Kaspersky Lab, roughly 98 percent of the computers affected by the ransomware were running some version of Windows 7, with less than one in a thousand running Windows XP. 2008 R2 Server clients were also hit hard, making up just over 1 percent of infections.
Windows 7 is still by far the most common version of Windows, running on roughly four times as many computers as Windows 10 worldwide. Since more recent versions of Windows aren’t vulnerable to WannaCry, it makes sense that most of the infections would hit computers running 7. Still, the stark disparity emphasizes how small of a role Windows XP seems to have played in spreading the infection, despite early concerns about the outdated operating system.
The new figures also bear on the debate over Microsoft’s patching practices, which generated significant criticism in the wake of the attack. Microsoft had released a public patch for Windows 7 months before the attack, but the patch for Windows XP was only released as an emergency measure after the worst of the damage had been done. The patch was available earlier to paying Custom Support customers, but most XP users were left vulnerable, each unpatched computer a potential vector to spread the ransomware further. Still, Kaspersky’s figures suggest that unpatched XP devices played a relatively small role in the spread of the ransomware.
Some help is already arriving for systems infected by WannaCry. Because of sloppy coding, researchers have found that private system encryption keys can often be recovered from infected machines, allowing users to undo the damage done by the ransomware. A researcher from Quark Security has published an automated tool to manage that process, which should work for Windows 7, XP, Vista, and other affected versions.