Last Friday, on May 12, 2017, security firms across the world woke up to reports of numerous Windows-powered computers being infected with ransomware known as WannaCry. The virus exploits a controversial vulnerability in the Microsoft Windows operating systems, which was detailed in the leaked NSA documents released by the hacking group Shadow Brokers last month. After falling victim to phishing scams, infected users face a ransom demand of up to $300 USD in bitcoin as their data gets encrypted by the crimeware. Other vulnerable systems within the network can also be compromised. At risk are computers that have not installed a Windows security patch released in March, those that are running Windows XP, which is still in wide use yet no longer supported with regular security patches, and those on unsupported pirated copies of Windows. Within two days of the outbreak, the ransomware triggered a global frenzy as it hit over 150 countries and 200,000+ computers, becoming one of the most reported issues of the weekend.
The global takeover by WannaCry has exposed the public to a side of cyber that’s been seriously underplayed in mainstream media. We’re talking about profit-motivated cybercrime targeting non-state actors – the attacks that can turn me into a victim.
Over the past year, the keyword “cyber” has become a regular in global news headlines. High-profile e-mail leaks have gone hand-in-hand with big presidential elections, most notably those of the United States and France. Moscow and Pyongyang get declared as the cyberenemies of the Western political world. But with all news focused on WikiLeaks, state-sponsored hackers, and intelligence data breaches, how is the average citizen supposed to picture cyberthreats on an individual level? Like, where do we fit in?
This promotion of an exclusively state-level narrative of cybersecurity is bound to give uninvested parties the misleading impression that hackers only target those in power. The lack of visibility of lower-profile hacks is sustained by a narrow media agenda and missing public interest. The cyberthreat landscape is active and evolving, yet prospective victims are chronically undereducated on what to look out for. And it’s not an easy situation to improve; information security tends to feel abstract and overwhelmingly complicated. It’s not something you bring up over post-lunch coffee.
But enter WannaCry.
It has evoked something rare if not previously unwitnessed: popular engagement. Maybe it’s the unfamiliarity with ransomware or the fact it’s disrupting operations of hospitals, but we’re getting public debate on automatic updates. Windows OS versions. Hackers. Bitcoin. Users have expressed genuine curiosity in learning how to protect their systems from the ransomware. In South Korea, the most popular search term on Monday, when workers returned to offices after the eventful weekend, was “How To Prevent Ransomware.” This suggests cybercriminals hit targets disturbingly close to us. You know, what if my computer was affected and I had to contemplate whether to pay that ransom? Who cares about White House aides.
This case has proven how public consciousness is capable of tuning in to cybersecurity, but not unless it’s an issue posing a direct threat to the average user. It certainly helps if we’re dealing with a less talked-about and nuanced variation of a computer virus, such as WannaCry, that challenges the public to learn what is even being talked about. Ones that even make it to Rolling Stone.
The curse of cyberattacks is that they are often forgotten as fast as they emerged. Realistically, it’s unlikely this heightened concern over system security will last as days pass and operations resume. But then again, the prospects of avoiding crimeware are not looking too favorable for… anyone. Between 2015 and 2016 alone, the number of detected ransomware families jumped from 35 to 193. You may read that as: it’s not a good time to forget everything about WannaCry. But even if information security loses its momentum, it’s only bound to gain it back, tenfold. If the public won’t educate itself first, the criminals will be sure to provide the reality checks, probably sooner rather than later.