The WannaCry ransomware attack has created at least tens of millions of dollars of damage, taken down hospitals, and as of the time of this writing, another round of attacks is considered imminent as people show up to work after the weekend. Of course, the perpetrators of the malware are to blame for all the damage and suffering that has resulted. It’s not right to blame the victims of a crime, right?
Well, actually, there are cases when victims have to shoulder a portion of the blame. They may not be criminally liable as accomplices in their own victimhood, but ask any insurance adjuster whether a person or institution has a responsibility to take adequate precautions against actions that are fairly predictable. A bank that leaves bags of cash on the sidewalk overnight instead of in a vault is going to have a hard time getting indemnified if those bags go missing.
I should clarify that in a case such as WannaCry, there are two levels of victims. Take the U.K.’s National Health Service, for example. It was badly victimized, but the real sufferers, who are indeed blameless, are its patients. The NHS itself carries some blame.
WannaCry is a worm introduced into its victims’ systems via a phishing message. If a system’s user clicks on the phishing message and that system has not been properly patched, the system becomes infected, and if the system has not been isolated, the malware will seek out other vulnerable systems to infect. Being ransomware, the nature of the infection is for the system to be encrypted so that it’s basically unusable until a ransom is paid and the system is decrypted.
Here’s a key fact to consider: Microsoft issued a patch for the vulnerability that WannaCry exploits two months ago. Systems to which that patch had been applied did not fall victim to the attack. Decisions, had to be made, or not made, to keep that patch off systems that ended up compromised.
The security practitioner apologists who say you should not blame organizations and individuals for being hit try to explain away those decisions. In some cases, the systems that were hit were medical devices whose vendors will withdraw support if the systems are updated. In other cases, the vendors are out of business, and if an update causes the system to stop working, it would be useless. And some applications are so critical that there can be absolutely no downtime, and patches do require at least a reboot. Besides all that, patches have to be tested, and that can be expensive and time-consuming. Two months just isn’t enough time.