Windows 7 PCs Account For 98 Percent Of All WannaCry Infections, Only $100K Ransomed So Far

Ransomware

For a quick minute, it looked as though a strain of ransomware that was seemingly stolen from the United States National Security Agency (NSA) was going to be a major problem for PCs around the world, and in particular Windows XP systems. Microsoft even made the unusual move of releasing an emergency patch for Windows XP even though it stopped supporting the legacy OS a long time ago. But now a week after the initial WannaCry outbreak it's been discovered that Windows 7 PCs were the hardest hit.

A researcher for Kaspersky Lab posted a message on Twitter saying "the Windows XP count is insignificant," adding that Windows 7 took the brunt of the ransomware's activity. When looking at the overall infection rate, various builds of Windows 7 collectively accounted for more than 98 percent of PCs to be hit by WannaCry.

Kaspersky WannaCry Graph
Source: Kaspersky/Costin Raiu

Also referred to as WannaCrypt, WCry, and a handful of other names, WannaCry made headlines after quickly spreading tens of thousands of PCs in dozens of countries in just a few hours. The ransomware infiltrated several hospitals in the United Kingdom, some of which had to turn down patients and send staff home because the systems they rely on (and store patient records on) had been hijacked.

WannaCry is believed to be one of several cyber tools that was previously swiped from the NSA and leaked to the web by an Italian hacking group. What made WannaCry especially nasty is that it was able to spread in a worm-like fashion across networks. However, the threat was relatively short lived.

A security researcher noticed that WannaCry was pinging a specific domain, one that was not registered. In an attempt to learn more about the ransomware, he registered the domain with intention of observing its activity. In doing so, he inadvertently neutralized the outbreak. As it turns out, the malware's author coded in a so-called kill switch, presumably in case he ever wanted to stop it from spreading. The way it worked is WannaCry would check to see if a specific domain was active before getting busy encrypting an infected system. If it determined the domain was active, it would stop what it was doing.

According to Elliptic, WannaCry has only collected a little more than $100,000 in Bitcoin. While not exactly chump change, it had the potential to collect much more, except for a combination of the discovery of the kill switch, owners of infected PCs opting to wipe their system clean, and the presence of a tool on GitHub that can help people recover data on infected systems.