I remember fighting with my siblings as a child. Suddenly mom or dad would come in and we’d both point at the other one and say, “It was his fault!” When it comes to difficult situations, we are born with a desire to shift the blame onto someone else. In the epic ripples of last week’s massive ransomware attack, fingers are being pointed at Microsoft, but it doesn’t seem that the blame is fair. The cyberattack last week (nicknamed WannaCry) exploited a hole in Windows XP security in order to take computers for ransom.
The program required $300 in order to free the system from the ransomware. The hole in Windows XP is not surprising. The operating system is fifteen years old, and Microsoft stopped providing updates to the OS all the way back in 2014. When the ransomware attack hit, Microsoft quickly released a patch that would address the hole in the system.
When the ransomware spread rapidly last week, the sounds of groans in IT departments around the world could be heard. More than 110 countries have been affected, and a huge number of businesses have had parts of their systems shut down as well. Cries have come against Microsoft for making it possible for such ransomware to take advantage of their operating system. People are arguing that Microsoft should have to pay for the losses incurred by the ransomware, since their security flaw allowed the process to start. Microsoft, in response, argued that the attack was simply a repurposing of a security hole that was developed by the NSA and leaked online, and that therefore the government is actually to blame for the massive attack. Microsoft’s Brad Smith also argued that governments’ stockpiling of security weaknesses in operating systems will continue to cause these sorts of devastating attacks until something is done to help manage how governments see and use cybersecurity. He also called for a ‘Digital Geneva Convention’ which would allow countries to work together to protect the cyber world in the same way they do with the conventional weapons world.
However, while Microsoft and governments around the world point fingers at each other, the real truth is that the fault may lie with the individual users who didn’t update their OSes. Windows XP is a completely obsolete system, and yet it is still being used on 7% of PCs around the world. What’s more, Microsoft actually released a patch two months earlier that would have protected computers with more recent operating systems from the WannaCry hack, but because so few people install the recent updates, computers were left vulnerable. The reality is that, had the world upgraded and updated its operating systems, the WannaCry ransomware attack would have been limited and small, rather than the massive problem it’s become.
While it can be tempting to blame the victims at times, they usually aren’t the ones at fault. In this case, though, with the most recent attack, it seems the blame doesn’t lie primarily with Microsoft or the governments of the world. Rather, it sits squarely on the shoulders of lazy users and IT departments. Keeping up to date is crucial.