The cybersecurity news cycle that unfolded recently has been unlike any before it. WannaCry, once a National Security Agency cyberweapon, and, more recently, a variant of the Petya ransomware with similar capabilities, unleashed two separate global crises. In both, the ransomware infected hundreds of thousands of computers, phones and mobile devices in more than 150 countries. These were the first cybersecurity dramas to unfold in real time; network media outlets provided coverage as though it were an epidemic or a natural disaster. In a sense, they were both, demonstrating both the ease with which malware can penetrate seemingly critical infrastructure (e.g., the National Health Service in the UK or the Deutsche Bahn railway system in Germany) and the helplessness of the average person to do anything about it.

Yet in another way, both ransomware outbreaks were more of a whimper than a roar. Of the many thousands who were hacked, a fraction of a percent actually paid the requested ransom of $300 in Bitcoin—around one tenth of 1 percent of affected users. One reason for this low percentage, perhaps, was the fact that the ransomware typically attacked Windows XP, a 16-year-old operating system. Thus, the universe of potential victims was limited to those who had not updated their devices in quite some time. Another limiting factor was that Microsoft, this past March, had already issued a curative “patch” for the vulnerability that WannaCry exploited, further shrinking the universe of those who would initially be affected. Admittedly, the Petya variant that plagued Ukraine and parts of Europe worked around the patch, but the effects were limited nevertheless. Cybersecurity experts are engaging in some self-congratulation, positing that the attack was a bust, and that the world’s swift response stemmed the potential harms.