VOGONS


First post, by Kreshna Aryaguna Nurzaman

Rank l33t

I didn't realize that a few days ago the world suffered from the WannaCry ransomware attack. Somehow it didn't come to my attention. When the attack happened, I was working with my assistant, sharing work files using Windows share folders. We did not experience the attack, though. In fact, I only learned about the WannaCry attack from socmed last night.

It should be noted that all computers in my home office use Windows XP (we have Windows 7 on a virtual machine which is only turned on when necessary), and I read WannaCry doesn't target Windows XP (here and here). Probably that's the reason I didn't experience the WannaCry attack?

The board seems to be quiet about WannaCry as well. Maybe it's because most of us still use old operating systems, so we're not being infected?

Never thought this thread would be that long, but now, for something different.....
Kreshna Aryaguna Nurzaman.

Reply 1 of 57, by cyclone3d

Rank l33t++

Well, for one, it has to first infect one of your machines, which from my understanding is only possible through either:
1. successful phishing attack
2. being transmitted through the SMB protocol from another machine that has access to your network.

So if nobody where you are opened up an infected scam email you would most likely not be able to have your computers infected.

Yamaha modified setupds and drivers
Yamaha XG repository
YMF7x4 Guide
Aopen AW744L II SB-LINK

Reply 2 of 57, by clueless1

Rank l33t

Some cheap or free mitigations:
1) hosted anti-spam service
2) CryptoPrevent software restriction policies
3) filtering DNS servers (for if you do click that link)

edit: the Wikipedia entry seems to indicate that XP is vulnerable, as MS apparently released the SMB patch for it:

The Windows vulnerability is not a zero-day flaw, but one for which Microsoft had made available a security patch on 14 March 2017,[20] nearly two months before the attack. The patch was to the Server Message Block (SMB) protocol used by Windows.[47][48] Organizations that lacked this security patch were affected for this reason, although there is so far no evidence that any were specifically targeted by the ransomware developers.[47] Any organization still running the older Windows XP[49] was at particularly high risk because, until 13 May,[3] no security patches had been released since April 2014.[50] Following the attack, Microsoft released a security patch for Windows XP.[3]

The more I learn, the more I realize how much I don't know.
OPL3 FM vs. Roland MT-32 vs. General MIDI DOS Game Comparison
Let's benchmark our systems with cache disabled
DOS PCI Graphics Card Benchmarks

Reply 3 of 57, by Jade Falcon

Rank BANNED

I heard from a few other people in the sec. field that a new strain of WannaCry can infect Outlook and send out emails and infect backup servers.
I don't know if that's true, as I have yet to deal with it first hand. Just water cooler talk around the office so to say.

Either way I just patched up about 30 odd some XP systems with the new M$ patch and our 7 computers should have installed the patch on their own. We probably don't need the patch with how our networks and systems are set up, but you can never be too careful.

But so far I'm good.

EDIT:
The patch can be found here.
http://www.catalog.update.microsoft.com/Searc … spx?q=KB4012598

Reply 4 of 57, by DracoNihil

Rank Oldbie

I don't even use SMB, hell I'm a Linux user primarily.

WannaCrypt has a really strange killswitch though... and unless the malware authors have modified their program the virus is now useless because a malware researcher has registered the domain name it checks for and started a webserver responding to that domain name.

“I am the dragon without a name…”
― Κυνικός Δράκων

Reply 5 of 57, by Jade Falcon

Rank BANNED

There is already a version 2.0 that nullified that fix.
Even still, a new piece of malware could use the same vulnerability, so one better patch your systems.

Reply 6 of 57, by clueless1

Rank l33t

I'm still not clear on how this is worse than any other crypto malware. If the SMB flaw is patched, aren't you still susceptible to infection if you fall for the phishing attack? I thought SMB was the method of infecting other systems in a network once one user falls for the phishing attack. Is the big news because mostly XP systems (that were unpatched) are getting hit? I read something about 90% of UK healthcare systems are still running XP.

The more I learn, the more I realize how much I don't know.
OPL3 FM vs. Roland MT-32 vs. General MIDI DOS Game Comparison
Let's benchmark our systems with cache disabled
DOS PCI Graphics Card Benchmarks

Reply 7 of 57, by Jade Falcon

Rank BANNED

I could be wrong, I haven't had the time to fully test the worm and patch.
But it's my guess that the patch stops it from spreading after an infection takes place.

Reply 8 of 57, by Kreshna Aryaguna Nurzaman

Rank l33t
clueless1 wrote:

I'm still not clear on how this is worse than any other crypto malware. If the SMB flaw is patched, aren't you still susceptible to infection if you fall for the phishing attack? I thought SMB was the method of infecting other systems in a network once one user falls for the phishing attack. Is the big news because mostly XP systems (that were unpatched) are getting hit? I read something about 90% of UK healthcare systems are still running XP.

It seems the correct news is "90% of UK health care system has at least one Windows XP PC."

Never thought this thread would be that long, but now, for something different.....
Kreshna Aryaguna Nurzaman.

Reply 9 of 57, by kode54

Rank Member

I received an email infection attempt from an older worm within the last week, too, but I doubt it was this ransomware, but more some older thing. It was an attached .doc file claiming to contain some codes for some Bitcoin trading platform, and I couldn't even get the copy of Office in my throwaway non-networked VM to open the file, so I guess it was a dud from a really old infection that still hasn't been cleaned up.

Reply 10 of 57, by yawetaG

Rank Oldbie
Kreshna Aryaguna Nurzaman wrote:
clueless1 wrote:

I'm still not clear on how this is worse than any other crypto malware. If the SMB flaw is patched, aren't you still susceptible to infection if you fall for the phishing attack? I thought SMB was the method of infecting other systems in a network once one user falls for the phishing attack. Is the big news because mostly XP systems (that were unpatched) are getting hit? I read something about 90% of UK healthcare systems are still running XP.

It seems the correct news is "90% of UK health care system has at least one Windows XP PC."

...without a support contract covering security holes, as one Jeremy Hunt (Conservatives) was so graceful to cancel it because it cost too much a few years back 😠 . And many NHS systems are indeed still running Windows XP because they are specced too low to use anything Windows later than XP.

As for not getting hit by the worm on unpatched XP systems, that may be related to your firewall system (certain ports blocked), having SMB disabled, and not being stupid enough to click on a spam email's attachment.
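Added example, not part of the original post: one way to check the "SMB disabled / ports blocked" condition mentioned above is to look at which SMB-related TCP listeners a machine has, from the output of `netstat -an`. The sample output, addresses and function names are constructed for illustration; ports 445 (SMB over TCP) and 139 (NetBIOS session) are the standard SMB ports.

```python
import ipaddress

# SMB-related TCP ports: 445 = SMB over TCP, 139 = NetBIOS session service.
SMB_PORTS = {445: "SMB over TCP", 139: "NetBIOS session (SMB over NetBT)"}

# Constructed sample of Windows `netstat -an` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1041      192.168.1.30:445       ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

def smb_listeners(netstat_text):
    """Return [(address, port, network_facing)] for SMB listeners."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Only TCP rows in LISTENING state matter; UDP rows have no state.
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        addr, _, port = fields[1].rpartition(":")
        if not port.isdigit() or int(port) not in SMB_PORTS:
            continue
        # IPv6 rows look like [::]:445 or [fe80::1%11]:445.
        ip = ipaddress.ip_address(addr.strip("[]").split("%")[0])
        # A loopback-only listener cannot be reached by another machine.
        found.append((str(ip), int(port), not ip.is_loopback))
    return found

def report(netstat_text):
    """Return one human-readable line per SMB listener."""
    rows = smb_listeners(netstat_text)
    if not rows:
        return ["no SMB listener in this output"]
    return [f"{ip}:{port} {SMB_PORTS[port]} - "
            + ("bound to a network-facing address" if net else "loopback only")
            for ip, port, net in rows]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NETSTAT)))
```

A listener bound to a network-facing address can still be blocked by a host or network firewall, so this shows what the machine offers, not what a neighbour on the LAN can actually reach.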

Reply 11 of 57, by lvader

Rank Member

...without a support contract covering security holes, as one Jeremy Hunt (Conservatives) was so graceful to cancel it because it cost too much a few years back 😠 . And many NHS systems are indeed still running Windows XP because they are specced too low to use anything Windows later than XP.

As for not getting hit by the worm on unpatched XP systems, that may be related to your firewall system (certain ports blocked), having SMB disabled, and not being stupid enough to click on a spam email's attachment.

The systems still running XP are generally because of needing to run old software (for which there is no replacement) that isn't compatible with Windows 7. Also most of NHS systems were switched off as a precaution rather than actual infection.

Reply 12 of 57, by yawetaG

Rank Oldbie
lvader wrote:

...without a support contract covering security holes, as one Jeremy Hunt (Conservatives) was so graceful to cancel it because it cost too much a few years back 😠 . And many NHS systems are indeed still running Windows XP because they are specced too low to use anything Windows later than XP.

As for not getting hit by the worm on unpatched XP systems, that may be related to your firewall system (certain ports blocked), having SMB disabled, and not being stupid enough to click on a spam email's attachment.

The systems still running XP are generally because of needing to run old software (for which there is no replacement) that isn't compatible with Windows 7. Also most of NHS systems were switched off as a precaution rather than actual infection.

Another reason for the mess has turned up:

Microsoft made a Windows XP patch back in February, yet did not release it back then

Guess what the build date of the "recent" Windows XP patch is?

I hope M$ end up in court over this.

Reply 14 of 57, by Kreshna Aryaguna Nurzaman

Rank l33t
yawetaG wrote:

As for not getting hit by the worm on unpatched XP systems, that may be related to your firewall system (certain ports blocked), having SMB disabled, and not being stupid enough to click on a spam email's attachment.

And yet Kevin Beaumont deliberately infect XP computers with it (here and here), and he failed to make the computers infected.

Realistically, XP user base is only about 7% now; only a quarter of Windows 10 user base. Since hackers write Ransomware for profit, it makes more sense for them to target Windows 7, which has the largest user base, or Windows 10, whose user base is growing.

I'm not saying XP is absolutely safe; I recently installed CryptoPrevent on my XP computers. I just wonder if WannaCry makers ignore Win XP because they didn't think XP is worth it.

Never thought this thread would be that long, but now, for something different.....
Kreshna Aryaguna Nurzaman.

Reply 15 of 57, by Jade Falcon

Rank BANNED
Errius wrote:

They're under no obligation to support an expired OS. People were warned to move off XP years ago.

This. However, XP POS and Embedded are still supported and I'm betting people that pay for support got that patch sooner.

Reply 16 of 57, by Jade Falcon

Rank BANNED
Kreshna Aryaguna Nurzaman wrote:
yawetaG wrote:

As for not getting hit by the worm on unpatched XP systems, that may be related to your firewall system (certain ports blocked), having SMB disabled, and not being stupid enough to click on a spam email's attachment.

And yet Kevin Beaumont deliberately infect XP computers with it (here and here), and he failed to make the computers infected.

Realistically, XP user base is only about 7% now; only a quarter of Windows 10 user base. Since hackers write Ransomware for profit, it makes more sense for them to target Windows 7, which has the largest user base, or Windows 10, whose user base is growing.

I'm not saying XP is absolutely safe; I recently installed CryptoPrevent on my XP computers. I just wonder if WannaCry makers ignore Win XP because they didn't think XP is worth it.

I had an XP VM I was able to infect.
Maybe there is more than one strain of the malware?
I can also confirm that the patch only prevents it from spreading.
This is my experience with the 2.0 version.

Reply 17 of 57, by Skyscraper

Rank l33t

I run XP on the system I use for online gaming at the moment.

It still gets updates and I'm not the least worried about its security. The system is not behind a router as I want low latency and I do not run any kind of anti virus software either.

I don't visit shady sites, don't open shady attachments, don't download shady files and keep the Windows firewall enabled.

New PC: i9 12900K @5GHz all cores @1.2v. MSI PRO Z690-A. 32GB DDR4 3600 CL14. 3070Ti.
Old PC: Dual Xeon X5690@4.6GHz, EVGA SR-2, 48GB DDR3R@2000MHz, Intel X25-M. GTX 980ti.
Older PC: K6-3+ 400@600MHz, PC-Chips M577, 256MB SDRAM, AWE64, Voodoo Banshee.

Reply 18 of 57, by clueless1

Rank l33t
Skyscraper wrote:

I run XP on the system I use for online gaming at the moment.

It still gets updates and I'm not the least worried about its security. The system is not behind a router as I want low latency and I do not run any kind of anti virus software either.

I don't visit shady sites, don't open shady attachments, don't download shady files and keep the Windows firewall enabled.

You are brave not running behind a router. You're basically putting all your trust in Windows Firewall. To me that sounds like it would put more strain on the system, as your CPU now has to do all the network filtering, rather than the router.

Other than running behind a router/firewall, I do the same as you. I don't use A/V either. But I have a real firewall (IPFire) with an intrusion prevention system and transparent proxy. Plus filtering DNS servers and CryptoPrevent software restriction policies.

The more I learn, the more I realize how much I don't know.
OPL3 FM vs. Roland MT-32 vs. General MIDI DOS Game Comparison
Let's benchmark our systems with cache disabled
DOS PCI Graphics Card Benchmarks