Microsoft Releases Windows Ransomware Patch, Blasts NSA for Malware Stockpile. 'We are taking the highly unusual step of providing a security update for all customers to protect Windows.
In a rare step, Microsoft published a patch for Windows XP, Windows Server 2003 and Windows 8—all of them operating systems for which it no longer provides mainstream support.
Users of old Windows systems can now download a patch to protect them from this week’s massive ransomware attack. In a rare step, Microsoft published a patch for Windows XP, Windows Server 2003.
Microsoft January 2019 Patch Tuesday Includes 51 Security Updates. GIBON Ransomware Decryptor Download. Download Now @BleepingComputer. Screenshots for GIBON Ransomware Decryptor.
WCry is so mean Microsoft issues patch for 3 unsupported Windows versions. Tool developed by the National Security Agency to virally spread ransomware known as. For download here.
Learn how to protect your Windows PC from #WannaCry Ransomware Attack. Tips to Prevent the malware infection to Windows XP, 7 and Windows 10 running PC's. Download Security Patches from Microsoft and follow our tips for 100% Security.
Users can download and find more information about the patches in Microsoft’s blog post about Friday’s attack from the WannaCry ransomware.
The ransomware, which has spread globally, has been infecting computers by exploiting a Windows vulnerability involving the Server Message Block protocol, a file-sharing feature.
Computers infected with WannaCry will have their data encrypted, and display a ransom note demanding $300 or $600 in bitcoin to free the files.
Fortunately, Windows 10 customers were not targeted in Friday’s attack. In March, Microsoft patched the vulnerability that the ransomware exploits—but only for newer Windows systems. That’s left older Windows machines, or those users who failed to patch newer machines, vulnerable to Friday’s attack.
Researchers originally believed the ransomware was spread through attachments in email phishing campaigns. That no longer appears to be the case.
Once a vulnerable PC becomes infected, the computer will attempt to spread to other machines over the local network as well as over the internet. The ransomware will specifically scan for unpatched machines that have the Server Message Block vulnerability exposed.
Businesses can prevent this by disabling the Server Message Block protocol in vulnerable PCs. They can also use a firewall to block unrecognized internet traffic from accessing the networking ports the Server Message Block uses.
Fortunately, Friday’s ransomware attack may have been contained. A security researcher who goes by the name MalwareTech has activated a sort of kill-switch in WannaCry that stops it from spreading.
As a result, over 100,000 new infections were prevented, according to U.K.’s National Cyber Security Centre. But experts also warn that WannaCry’s developers may be working on other versions that won’t be easy to disable.
“It’s very important everyone understands that all they (the hackers) need to do is change some code and start again. Patch your systems now!” MalwareTech tweeted.
Unfortunately, the kill-switch’s activation will provide no relief to existing victims. The ransomware will persist on systems already infected.
Friday’s ransomware attack appears to have spread mainly in Europe and Asia, with Russia among those nations hardest hit, according to security researchers.
Security experts are advising victims to wait before paying the ransom. It’s possible that researchers will develop a free solution that can remove the infection.
This story was updated at 11:33 AM on May 15 to add and correct misinformation from researchers.
reader comments
with 131 posters participating, including story author
A day after a ransomware worm infected 75,000 machines in 100 countries, Microsoft is taking the highly unusual step of issuing patches that immunize Windows XP, 8, and Server 2003, operating systems the company stopped supporting as many as three years ago.
Microsoft also rolled out a signature that allows its Windows Defender antivirus engine to provide 'defense-in-depth' protection. The moves came after attackers on Friday used a recently leaked attack tool developed by the National Security Agency to virally spread ransomware known as 'WCry' or 'WannaCrypt.' Within hours, computer systems around the world were crippled, prompting hospitals to turn away patients while telecoms, banks, and companies such as FedEx were forced to turn off computers for the weekend.
The chaos surprised many security watchers because Microsoft issued an update in March that patched the underlying vulnerability in Windows 7 and most other supported versions of Windows. (Windows 10 was never vulnerable.) Friday's events made it clear that enough unpatched systems exist to cause significant outbreaks that could happen again in the coming days or months. In a blog post published late Friday night, Microsoft officials wrote:
We also know that some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download here.
This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.
This is possibly the first time ever that Microsoft has issued a patch for a product decommissioned so long ago. While the company issued an emergency patch for Windows XP in 2014, it came the same week support for that version ended, making the exception seem less unusual. This time around, the emergency patches are being applied to OS versions that Microsoft stopped supporting as many as three years ago.
Crucial entry point still missing
Microsoft announced the patches around the same time it said it still doesn't know what the precise starting point was for Friday's WCry outbreak. One of the key questions circulating once Friday's viral outbreak appeared to be contained was how did the self-replicating worm first gain entry so it could go on to spread from vulnerable machine to vulnerable machine.
At least two security firms—FOX-IT here and CrowdStrike here—said spam that sent fake invoices to end users provided the crucial initial vector to seed the self-replicating attack, but none of the three companies have produced copies. Some researchers doubted a generic e-mail campaign could have been the sole initial vector without leaving a mountain of evidence that would have surfaced by now. In a blog post published Friday night, Microsoft officials wrote:
We haven't found evidence of the exact initial entry vector used by this threat, but there are two scenarios we believe are highly possible for this ransomware family:
Arrival through social engineering emails designed to trick users to run the malware and activate the worm-spreading functionality with the SMB exploit
Infection through SMB exploit when an unpatched computer can be addressed in other infected machines
The blog post went on to say that the worm 'executes massive scanning on Internet IP addresses to find and infect other vulnerable computers.'
FOX-IT also said in its blog post that 'there appear to be multiple infection vectors,' but the post didn't elaborate. Maarten van Dantzig, a researcher with FOX-IT, said on Twitter here and here that he suspects e-mail was the initial vector for some, but not all, of the outbreaks. Researchers from Cisco Systems Talos group went even further, writing: 'Our research does not yet support that e-mail was the initial infection vector. Analysis is ongoing.'
Microsoft Ransomware Security Patch
The possibility that ransomware can spread virally across the Internet without any form of end-user interaction is a chilling prospect. Internet-wide scans performed in recent weeks show that as many as 2.3 million computers have the necessary port 445 exposed to the Internet. Those scans also reveal that 1.3 million Windows machines haven't been patched.
People who are running unpatched machines should take action immediately. The best measure is to patch the vulnerability using this link for supported versions or this one for XP, 8, and Server 2003. Those who can't patch should ensure their computers are locked down by, among other things, blocking outside access to ports 138, 139, and 445. They should also disable version 1 of the Server Message Block protocol.
Download Ransomware Test File
Friday's attack could have been much worse, had the perpetrators not slipped up by failing to register an Internet domain that was hardcoded into their exploit as a sort of 'kill switch' they could activate if they wanted to shut down the worm. That made it possible for a quick-acting researcher to register the domain and stop much of the attack just as it was gaining momentum.
A new attack could come at any time. Next time, defenders may not be so lucky. As Microsoft's blog posts makes clear, vulnerable machines aren't only a danger to themselves, but to the entire world at large.