May 17, 2017

WannaCry: Don’t Believe the Hype


The media hype machine has gone into overdrive about WannaCry. It made the US national televised news. It’s in my family’s Twitter feed. It’s got sponsored ads from countless security companies. It’s officially “big” news.

But many have gone way over the top with the excitement about this attack. This isn’t game over for businesses. It’s just another in a series of exploits and attacks that are making their way into mainstream news.

So why did this make so much news?

Interestingly, many “regular people” have approached me over the last couple of days and asked me about the attack. “You work in security—is this the worst thing ever? Is it unstoppable? How much money do you think these attackers are making?” Conversations with security-minded folks tend to be more specific: “I’ve patched my systems, but how do I know I’m covered? Can I test to be sure?” (The short answer to that last part is yes. Testing is critical here, which is why SafeBreach Labs worked hard simulating these attacks.)

But people also just want to know why this attack has garnered so much attention. The truth is, this isn’t a particularly sophisticated attack. In fact, I think it’s popular for all the wrong reasons:

  1. It’s easy to explain. There’s a clear “bad guy” who is literally holding something important for ransom. That’s a tale as old as time, the plot of countless books and movies, and something that the “regular” press can explain without an advanced degree in human-computer interaction.

  2. It’s widespread, and seems relentless. This adds to the drama: People are generally scared by things that have a big impact, and seem hard to stop. See “The Terminator,” or “Outbreak,” or every zombie movie ever made.

  3. Regular people don’t trust “The Internets.” Okay, I have no stats for this, but I truly believe it. Many people, in a weird, perverse way, are almost hoping that the Internet eats itself alive. Some folks are quick to point to “computers” as terrible things that introduce huge risk that will just plain ruin everything (see the aforementioned “The Terminator” for example). When something bad happens and makes the news, they like to point and say, “See! See! I knew it!” (Also, cynics like me see that this involved an NSA backdoor, and say “See! See! I knew it!”)

The truth behind the sensation

So besides the fact that it’s got all the high-drama things a story needs to make news, what’s really going on with WannaCry? While it’s certainly not good, this attack is really quite simple, and not much different from thousands of other attack campaigns that use worm-like behavior to infect many machines. Remember Conficker? Well, what’s old is new again.

Worms are bad. Ransomware is bad. Stopping business, especially when literal lives are on the line, as in healthcare, is much, much worse. In no way am I suggesting that WannaCry isn’t a real threat. But it isn’t that novel, and it isn’t that sophisticated. Yet it still works.

And that’s the real lesson for all of us.

If we allow ourselves—through lack of proper patching, and inability to validate our security controls—to fall victim to these simple attacks, we should expect this kind of news to continue. The sensational headlines are masking the real issue: This is not a new problem. This is not a novel crime. It’s one we can get ahead of. We just need to realize that the power is in our hands.

It’s time to get proactive. Let’s get patching! And let’s also start validating security controls after a patch, update, or config change. Let’s break this cycle of headline hype, and get back to business as usual!
