Microsoft releases WannaCrypt patch for Windows XP, Server 2003

"Highly unusual" step to protect users against NSA-derived ransomware.

Microsoft has provided a security update for the out-of-support Windows XP, Windows 8, and Windows Server 2003 operating systems as the number of computers infected by the WannaCrypt ransomware worm skyrockets.

The move, which Microsoft's security response centre said was "highly unusual", was taken to protect the company's customer ecosystem.

WannaCrypt spreads rapidly and encrypts files on victims' computers with the 2048-bit AES algorithm, before demanding a ransom of US$300 or US$600 (A$406 - A$812) payable in Bitcoin.

Current versions of WannaCrypt use two exploits leaked by the ShadowBrokers hackers, who gained access to systems at The Equation Group, which is linked to the United States NSA, last year.

The NSA exploits used by WannaCrypt, code-named ETERNALBLUE and DOUBLEPULSAR, target the older Windows Server Message Block (SMB) version 1 file sharing protocol.

Although the WannaCrypt worm is initially believed to have been sent out via email, the worm is self-replicating and attempts to infect unpatched Windows computers that respond to SMBv1 requests over networks.

As of writing, Malware Intelligence pegged the number of WannaCrypt infections at just under 200,000.

There are fears that the number of infections could rise further this week, as workers return to their places of employment and start up unpatched Windows computers.

Currently, the infection rate for the worm has been slowed down, thanks to a British researcher registering a domain name found in the WannaCrypt malware.

WannaCrypt connects to the domain in question to see if it is up. If it gets a response from the server at the domain name, the malware won't drop its payload, and stops spreading. 

Although the sinkholing of the WannaCrypt domain has been successful, MalwareTech warned the measure will only provide temporary relief as the worm authors - or copycats - could release a new variant with modified code.

Another security researcher, Didier Stevens, noted that the sinkholing of the domain won’t work for organisations that use proxy servers between their networks and the internet.

WannaCry is not proxy-aware, so behind a proxy the check for the domain will fail and trigger the infection routines, Stevens found.
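A triage sketch for the proxy caveat above, added here as an example and not taken from the article or from either researcher: it correlates DNS lookups of the kill-switch domain with direct egress records to find suspect hosts whose check could not complete. The domain is a placeholder (the article does not name it), the log formats and every log line are constructed, and treating a lookup of the domain as a sign that the malware ran on that host is an assumption.

```python
# Added example; all log lines are constructed and the domain is a placeholder.
KILL_SWITCH_DOMAIN = "killswitch.example.invalid"

# Constructed DNS resolver log: timestamp client_ip query_name answer_ip
DNS_LOG = """\
2017-05-15T08:01:12 10.0.1.15 killswitch.example.invalid 192.0.2.10
2017-05-15T08:01:13 10.0.1.20 www.example.com 192.0.2.80
2017-05-15T08:02:40 10.0.2.33 killswitch.example.invalid 192.0.2.10
2017-05-15T08:03:05 10.0.2.34 KILLSWITCH.EXAMPLE.INVALID. 192.0.2.10
"""

# Constructed firewall log of direct (non-proxied) egress: timestamp src dst action
FW_LOG = """\
2017-05-15T08:01:12 10.0.1.15 192.0.2.10 ALLOW
2017-05-15T08:01:14 10.0.1.20 192.0.2.80 ALLOW
2017-05-15T08:02:41 10.0.2.33 192.0.2.10 DENY
"""

def normalize(name):
    """Compare DNS names case-insensitively and without the trailing root dot."""
    return name.rstrip(".").lower()

def triage(dns_log, fw_log, domain=KILL_SWITCH_DOMAIN):
    """Map each client that looked up the domain to 'check_reached' or 'check_blocked'."""
    lookups = {}
    for line in dns_log.splitlines():
        fields = line.split()
        if len(fields) == 4 and normalize(fields[2]) == normalize(domain):
            lookups.setdefault(fields[1], set()).add(fields[3])
    allowed = set()
    for line in fw_log.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[3] == "ALLOW":
            allowed.add((fields[1], fields[2]))
    result = {}
    for client, answers in lookups.items():
        # No ALLOW record (DENY or nothing logged) means the direct check never completed.
        reached = any((client, ip) in allowed for ip in answers)
        result[client] = "check_reached" if reached else "check_blocked"
    return result

if __name__ == "__main__":
    for host, state in sorted(triage(DNS_LOG, FW_LOG).items()):
        print(host, state)
```

Hosts reported as `check_blocked` are the ones to isolate first, since on those the sinkhole gave no protection; `check_reached` hosts still warrant investigation and patching.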

The ransomware worm has rampaged through computer systems around the world, starting in Europe where it hit the UK's National Health Service, resulting in surgery and treatment delays after locking doctors and staff out of patient files.

It also hit two major Indonesian hospitals, German rail operator Deutsche Bahn, and French car maker Renault, among many others across 150 countries.
