view counter

CybersecurityThe Petya ransomware attack shows how many people still don’t install software updates

By Elissa Redmiles

Published 29 June 2017

A new global ransomware attack, called “Petya” or “NotPetya,” exploits the same vulnerability as the “WannaCry” attack back in May. As Petya spreads across Europe, it’s becoming clear how few people and companies – including major corporations – actually update their software, even in the wake of major cyberattacks. Attackers got into computers through that weakness and encrypted users’ data, demanding a ransom from anyone who wanted the data made usable again. But they didn’t win the race to exploit the flaw as much as people and computer companies collectively lost it. Our human tendencies and corporate policies worked against us. Research, including my own, tells us why, and offers some suggestions for how to fix it before the inevitable next attack.

A new global ransomware attack, called “Petya” or “NotPetya,” exploits the same vulnerability as the “WannaCry” attack back in May. As Petya spreads across Europe, it’s becoming clear how few people and companies – including major corporations – actually update their software, even in the wake of major cyberattacks.

WannaCry could have been avoided, or at least made much less serious, if people (and companies) kept their computer software up to date. The WannaCry attack demonstrated how hundreds of thousands of computers in more than 150 countries are running outdated software that leaves them vulnerable. The victims included Britain’s National Health Service, logistics giant FedEx, Spanish telecom powerhouse Telefonica and even the Russian Interior Ministry.

As WannaCry spread, media outlets, technology firms and cybersecurity companies around the world recommended people update their computer systems immediately if they hadn’t already. The Petya attack targets computers that weren’t updated, despite those very clear public alerts.

The security flaw that allowed both attacks to occur was fixed by Microsoft in March. But only people who keep their computers updated were protected. Details of the flaw were revealed to the public in April by the Shadow Brokers, a group of hackers who said they had stolen the information from the U.S. National Security Agency.

Attackers got into computers through that weakness and encrypted users’ data, demanding a ransom from anyone who wanted the data made usable again. But they didn’t win the race to exploit the flaw as much as people and computer companies collectively lost it. Our human tendencies and corporate policies worked against us. Research, including my own, tells us why, and offers some suggestions for how to fix it before the inevitable next attack.

Updating is a pain
All people had to do to stay safe from Petya and WannaCry was update their software. But people often don’t, for a number of specific reasons. In 2016, researchers from the University of Edinburgh and Indiana University asked 307 people to discuss their experiences of installing software updates.