Microsoft Releases XP Patch for WannaCry Ransomware

Microsoft has taken the extraordinary step of providing an emergency update for unsupported Windows XP and Windows 8 machines in the wake of Friday’s WannaCry ransomware outbreak.

Unknown attackers were using the EternalBlue exploit leaked by the ShadowBrokers in April to spread WannaCry, a variant of the WCry malware, which surfaced in February. EternalBlue, an offensive hacking tool allegedly developed by the NSA, exploits a Windows SMBv1 vulnerability that was patched by Microsoft in March in security bulletin MS17-010.

Yesterday’s attack overran many businesses in Europe at the start, hitting hardest in Russia, Ukraine and India. Large telecommunications companies in Spain and many NHS healthcare facilities in the United Kingdom were also affected, as were other enterprises worldwide. Employees were told to shut down and unplug machines, and in the case of the U.K. hospitals, patient care at many facilities was affected. Non-emergency surgeries were postponed and patients were diverted to other facilities.

The ransomware locked up machines, encrypted files and demanded approximately $600 in Bitcoin for a recovery key.

Microsoft acknowledged the dire straits many of its customers were in, and rolled out a patch for all computers that were not protected by the March update.

“Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful,” Microsoft said last night. “Microsoft worked throughout the day to ensure we understood the attack and were taking all possible actions to protect our customers.”

The March update was made available one month before the ShadowBrokers’ high-profile leak of Windows exploits, including the Fuzzbunch platform that included EternalBlue and other exploits. EternalBlue targeted a then-unknown Windows SMBv1 remote code execution vulnerability. The widespread impact of yesterday’s attack—close to 100,000 infections so far in 99 countries by some accounts—indicates a lack of patching vigilance despite ample warning.

Experts immediately warned of the potential severity and staying power of MS17-010, comparing it to MS08-067 (Conficker). Some, such as Sean Dillon of RiskSense and Matthew Hickey of The Hacker House, told Threatpost that it would be a matter of time before criminals would take advantage of the flaw to spread ransomware and other commodity attacks through this exploit.

While experts said that attackers could scan for SMB servers exposed to the internet on port 445 (not a recommended practice) and send malicious packets their way, Microsoft said yesterday it was also aware of phishing attacks spreading the ransomware.

“Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download,” Microsoft said. “This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.”

Microsoft said that it also released an update for Windows Defender that detects the threat as Ransom:Win32/WannaCrypt.

“This attack type may evolve over time, so any additional defense-in-depth strategies will provide additional protections,” Microsoft said in its advisory. “For example, to further protect against SMBv1 attacks, customers should consider blocking legacy protocols on their networks.”
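For defenders acting on the two points above (SMB reachable from the internet on port 445, and the advice to block legacy protocols), the following added example, which is not from the article or from Microsoft's advisory, audits a firewall log for TCP/445 connections the perimeter allowed in from outside. Going one step beyond the text, it also flags internal hosts that contact many distinct peers on TCP/445 within a short window, the pattern SMB-based spreading produces. The log format, addresses, function names and thresholds are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample firewall log: "epoch_seconds src dst dst_port action"
SAMPLE_LOG = """\
1494590400 203.0.113.7 10.0.0.5 445 ALLOW
1494590402 198.51.100.9 10.0.0.6 445 DENY
1494590410 10.0.0.40 10.0.0.5 445 ALLOW
1494590420 10.0.0.21 10.0.0.30 445 ALLOW
1494590421 10.0.0.21 10.0.0.31 445 ALLOW
1494590422 10.0.0.21 10.0.0.32 445 ALLOW
1494590423 10.0.0.21 10.0.0.33 445 ALLOW
1494590424 10.0.0.21 10.0.0.34 445 DENY
1494590425 10.0.0.21 10.0.0.5 443 ALLOW
malformed line that the parser skips
"""

# Assumption: the audited network uses only RFC 1918 ranges internally
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def parse(log):
    """Yield (ts, src, dst, port, action), skipping lines that do not parse."""
    for line in log.splitlines():
        try:
            ts, src, dst, port, action = line.split()
            ipaddress.ip_address(src), ipaddress.ip_address(dst)
            yield int(ts), src, dst, int(port), action
        except ValueError:
            continue

def audit_smb(log, fanout_threshold=5, window=60):
    """Return (internet-exposed SMB hosts, {internal source: distinct SMB peers})."""
    exposed, by_src, fanout = set(), defaultdict(list), {}
    for ts, src, dst, port, action in parse(log):
        if port != 445:
            continue
        if action == "ALLOW" and not is_internal(src) and is_internal(dst):
            exposed.add(dst)              # perimeter let SMB in from outside
        if is_internal(src):
            by_src[src].append((ts, dst))  # denied attempts still count as fan-out
    for src, events in by_src.items():
        # Largest number of distinct peers reached in any window-second span
        best = max(len({d for t, d in events if 0 <= t - s <= window})
                   for s, _ in events)
        if best >= fanout_threshold:
            fanout[src] = best
    return sorted(exposed), fanout
```

Hosts in the first list need the perimeter rule removed and the MS17-010 update confirmed; hosts in the second are candidates for isolation and triage.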

Kaspersky Lab on Friday published its analysis of the ransomware, providing a list of .onion domains used by the malware on Tor hidden services for command and control. It also published hashes for the ransomware samples it has found in the wild, and detection names.

In addition to installing the available patches from Microsoft, Kaspersky Lab said its System Watcher component is able to roll back changes implemented by the ransomware.

“This is extremely useful in case a ransomware sample slips past defenses and attempts to encrypt the data on the disk,” Kaspersky Lab said.

Discussion

  • andy Preston on

    so how the hell do you GET the patch??
    • GHoltz on

      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
    • Attentive on

      Well to get the patch you could click on any one of the numerous links that take you to the page, but for clarification, go to the MS17-010 page at https://technet.microsoft.com/en-us/library/security/ms17-010.aspx and click on your appropriate OS version and it will take you to a download page (or list) and you can download it there.
    • Sert on

      here! https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
  • MorkenTheMonk on

    Microsoft patches for XP here... https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
  • John on

    The link to the patch on Microsoft's website is in the article.
  • xerics on

    https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
  • Mike on

    At the bottom, pick your flavor. https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
  • Kent McMahan on

    You can download the patch at this URL: https://www.microsoft.com/en-us/download/details.aspx?id=55245 The system requirement is Windows XP Service Pack 3. Even though my PC has that system, the downloaded patch gave an ERROR that my XP version was not the same as the patch. So, it was a waste of time for me.
    • ColdFusion on

      Same with me, Kent. do you have "media center edition" too? Maybe that's why it's doing that to me.
  • Anonymous on

    http://www.catalog.update.microsoft.com/Search.aspx?q=kb4012598
  • nfgergbfgb on

    Must not be too important because you can't even find a working link for the patch. The Microsoft blog it was on doesn't work. Biggest f'ing company in the world can't keep a web page working.
  • Emk on

    I really can't believe and understand, why this patch wasn't included in Windows Update automatically?
    • prl on

      Should have been an automatic urgent security update.
      • ColdFusion on

        I mean, I got one, so I assumed that was it. was it not? IS there not a patch for regular individual-PC XP?
  • Anonymous on

    No, I'm sure my operating system is not a "media center edition". Mine is Version 5.1. I'm guessing their XP patch was for a server version and was never intended for an individual PC.
