In the midst of the ongoing WannaCrypt attacks, Microsoft has issued an unusually strongly-worded warning to governments around the world to quit hoarding vulnerabilities.

The bug exploited by the attack was hoarded by the United States national security agency (NSA), leaked earlier this year and since patched by Microsoft – but patches aren't perfect, rollouts take time and WannaCrypt locked up a lot of machines in its first wave.

Microsoft is not pleased, and in this post, renews its call for a “Digital Geneva Convention”, and its long-standing demand that governments disclose vulnerabilities to vendors instead of stockpiling them.

“An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen,” writes Brad Smith, Redmond president and legal boss.

Noting the “unintended but disconcerting” link between nation-state activity and criminal activity, Smith adds that governments need “to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits”. The “Digital Geneva Convention” Redmond recommends would therefore require governments “to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them”.

It ain't over 'till it's over

There's more than a whiff of confusion about the current state of WannaCrypt, particularly about the longevity of the “kill switch” discovered by MalwareTech, which stalled the spread of WannaCrypt by registering its “magic domain”; the malware checked for the existence of iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com and stopped executing once it appeared.

Costin Raiu of Kaspersky believes all the versions currently circulating contain the kill switch:

My bad - finished analyzing all #Wannacry worm mods we have and they all have the kill switch inside. No version without a kill-switch yet. — Costin Raiu (@craiu) May 14, 2017

… but well-regarded hacker Matthieu Suiche disagrees:

A patched (non recompiled) variant with *NO* kill-switch is out there too. Patched jump and zeroed the URL. See screenshots below. #WannaCry pic.twitter.com/RliIRigXwH — Matthieu Suiche (@msuiche) May 14, 2017

It should be noted that in his explanatory blog post, Suiche says the “no kill switch” version was recovered by Kaspersky as a Virus Total upload, but it's incomplete:

Although, this build does only work *partially* as the ransomware archive is corrupted — the spreading still works though.

Suiche also found and registered a new kill switch domain.

Crucible Oceania

The accident of timezones means Australian and New Zealand businesses start today as the crucible for the ransomware/worm outbreak.

If Australian prime minister Malcolm Turnbull's cyber-man Alastair MacGibbon's and assistant cyber-security minister Dan Teehan's figures are accurate, at the time of writing few businesses here reported infections over the weekend, but without insane good fortune there'll be more infections when people log in and start opening e-mails.

Whether that is accurate depends on whose malware map you prefer. One live map eventually loads a couple of infections for Australia, while another briefly showed one in Adelaide.

At the time of writing, New Zealand was only showing a single infection; it appears that for now, the kill switch is holding.

UK's NHS recovering slowly

England's National Health Service, among the first high-profile victims of WannaCrypt, is slowly returning to normal operation, according to statements gathered by the BBC.

The Scottish government says the attack has been isolated and most services will return to normal by Monday.

Of the 47 NHS trusts hit by the attack on Friday, the NHS reckons most should be operating as normal on Monday, but the BBC reports seven trusts are still either at reduced capacity or have cancelled outpatient appointments, diagnostic tests, routine procedures, and long accident and emergency wait times.

Patch if you can, cry if you can't

During the weekend, debate raged about who to blame for the spread of the infection, with most of what we'll call “Infosec Twitter” blaming victims for not being fully patched, or in the case of the NHS, having Windows XP running anywhere at all.

Long time readers of The Register will know that NHS sysadmins had no choice in the matter: trusts were warned in 2014 that they needed to put Premier Service Agreements in place to continue receiving patches, but even those trying to keep up had the budgetary rug pulled from under them in 2015 by then-Health Secretary Jeremy Hunt.

Some security bods showed both sympathy and an understanding of the real world.

Duo Security's Wendy Nather had plenty to say in a Twitter thread starting here:

Thread. Help me explain why orgs can't "just patch." I'll start with a few examples from my own experiences: — Wendy Nather (@wendynather) May 13, 2017

Microsoft's Jessica Payne chimed in:

'Just patch' doesn't work for industries where vendors lock them into outdated software. Many places forced to have XP/old flash/etc to run. — Jessica Payne (@jepayneMSFT) May 12, 2017

And here's your reminder: Redmond's patches commendably reach all the way back to Windows XP. You know what to do. ®

Now read our analysis of the WannaCrypt epidemic.