UK hospitals, Telefonica, FedEx, and other businesses were hit by a massive ransomware attack on Friday. Around 75,000 computers in 99 countries were affected by malware known as WannaCry, which encrypts a computer's files and demands a $300 ransom before unlocking them. The malware was able to spread thanks to flaws in old versions of Windows that the NSA had originally used to hack into PCs, before the Shadow Brokers group made them public last month.
Microsoft quickly issued fixes for the latest versions of Windows last month, but that left Windows XP unprotected. Many of the machines attacked today were breached simply because the latest Windows updates had not been applied quickly enough, but there are still organizations that continue to run Windows XP despite the risks. Microsoft is now taking what it describes as a “highly unusual” step: providing public patches for Windows operating systems that are in custom support only. This includes specific fixes for Windows XP, Windows 8, and Windows Server 2003.
Microsoft usually charges businesses to provide custom support agreements for older versions of Windows, which include critical and important software updates from Microsoft beyond the normal end of extended support point. “Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful,” explains Phillip Misner, a security group manager at Microsoft. “Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only.”
It’s an unusual move for Microsoft, but this security flaw, and the way it was discovered and made public, is equally unusual. There are now signs that the ransomware attack has subsided thanks to a kill switch discovered by a 22-year-old in the UK. Some experts believe the attackers behind the ransomware have raised only around $20,000 from the scam. Either way, this is yet another painful security lesson for everyone involved: exploits should be disclosed by government agencies, systems should be patched in a timely manner, and nobody should be running an old, unsupported version of Windows.