A security firm has found that the majority of computers affected by the WannaCry ransomware last week were running older OSes on which important security patches had not been installed.
In a survey for Reuters, BitSight found that 67 per cent of infected PCs it investigated were running Windows 7, despite the OS being installed on fewer than half of Windows PCs worldwide.
Paul Pratley, of UK consulting firm MWR InfoSecurity, told Reuters that WannaCry's ability to infect other computers on the same network without human intervention appeared to be tailored to Windows 7.
Other versions of Windows were not as vulnerable - although not always for the right reasons. Windows 10 represented 15 per cent of infections, while Windows 8, 8.1, Vista and XP made up the remainder. Windows XP, which is used across the NHS and other organisations, played a much smaller role in the spread of WannaCry than initially thought - because the system crashes before the virus can replicate. Individual computers were vulnerable to the worm component, said researchers at MWR and Kryptos, but could not spread the ransomware themselves.
More modern operating systems - those currently being supported by Microsoft - were able to download a critical security patch released on the 14th March, immunising their computers against WannaCry. However, many users failed to do so.
A security expert, who preferred not to be named, told Computing, "While we...would always recommend that patching be an integral part of your security, the reasons why IT departments occasionally fall short are that it is rarely a simple exercise... Most have heterogeneous IT environments with critical applications; they cannot roll out a patch until they have tested it to make sure that there are no unforeseen side effects."
Trevor Luker, Director of Security Operations and Threat Intelligence at email security firm Mimecast, agreed:
"Disjointed and inefficient internal processes can mean that security patches are simply not given a high enough priority. Often because of 'shadow-IT' and weak asset management practices, organisations don't know that the patch is important to them because they don't actually know what is running on their network.
"In addition, as a result of their automated vulnerability scanning, IT teams are regularly faced with lists of hundreds of discovered vulnerabilities at any time, with little sense of prioritisation.
"Making the situation more complex, large enterprise systems may be sensitive to even small changes in installed software and therefore require extensive regression testing before being deployed. It's a risk, but the cost of downtime caused by a functional regression is often considered too high."
Closing the gates
Despite its relative ineffectiveness in spreading WannaCry, Windows XP was the subject of a free patch from Microsoft on the 12th May to protect the system. Free support for XP was ended in April 2014; the release of a non-paid patch shows how seriously WannaCry was being treated by the company.
Malwarebytes tracked the WannaCry infection across the globe as it happened - from the first reported case in Russia on Thursday evening, to an explosion of infections less than 12 hours later. The threat was not brought under control until 8pm on Friday, when the rate of spread began to slow.