Why the WannaCry coverage may have missed the mark

Last Friday’s WannaCry ransomware attack made its mark on the thousands of organizations that found themselves locked out of their systems. It is believed that over 75,000 organizations were impacted by this massive, global-scale attack that left hospitals, retailers and service providers paralyzed. Subsequently, many IT professionals found themselves working like crazy over the weekend to respond to an attack that, for so many, came out of left field.

It was an interesting and important event: a run-of-the-mill ransomware, made extra-powerful by an exploit that may or may not have originated from an NSA leak, is wreaking havoc on computer systems around the world. The attack is an important reminder to stay up-to-date, backed up and informed.

The sheer number of people affected was astounding. The attack grabbed our attention, and pulled it away from the dangerous exploit that enabled this ransomware to run rampant in the first place. All of a sudden WannaCry was at the center of attention, and the Eternal Blue exploit didn’t receive as much attention as it should have. We’ve become enamored with the symptom, and lost track of the disease.

Understandably so, but at what cost?

A ransomware attack is a truly despicable form of criminal activity, one that is sure to ruin anyone’s day, but it is not unstoppable, not irreparable. While damaging, ransomware attacks aren’t all that devastating. There are far more insidious ways in which we could have been hit, using the Eternal Blue exploit. Plane traffic could have been messed with, infrastructure disrupted or shut down, personal information stolen.

Perhaps a great deal of context was lost when we turned our gaze to the padlocked, red screens of WannaCry. Yes, there was much talk about patching and updating, but it was drowned out by the discussion of ransomware. On a larger scale, addressing the vulnerabilities exposed by the ShadowBrokers’ dump, Eternal Blue being one of them, was much more important. If we were looking to stop the next attack that would spread via the SMB port, we would have benefitted much from a discussion of these exploits and how they work.

We IT people know this, but would a general manager of a retail store? Would a CEO of a company, for that matter? When faced with a request to update all of their systems, would they consider it mandatory, knowing that their antivirus now stops this latest ransomware, perhaps thinking the worst is behind them? And what of the false sense of security that this implies? Many will rest assured knowing that they are safe from ransomware, not giving thought to the next threat that might piggyback on this dangerous exploit. How many will prepare themselves when a new vulnerability presents itself?

In some ways, Friday’s attack was a gift. A relatively benign demonstration of a dangerous exploit. An opportunity to turn things around, so that we don’t get caught unprepared again. The large number of organizations affected showed just how vulnerable we were to an exploit that was highly publicized, and patched a month prior to being dumped on the Web.

Perhaps good will come of this now that we’ve received a wake-up call. One that is awarded to us rather safely, all things considered. Perhaps now we will learn the far-reaching effect of a cyber attack, and how prepared we should be. Because the next attack may not trigger a relatively benign ransomware, but a true armageddon that targets water or electricity providers or other infrastructure and results in fatalities.

Or maybe we’ll just patch everything today, neglect patching in the future and wait for the next attack to come.

Eliad Kimhy
About the Author

Eliad Kimhy is on the Cybereason Marketing team, leading production of the Malicious Life podcast.