Friday, May 12th, the “WannaCry” network worm joined the ranks of Conficker and Code Red. It has infected tens of thousands of systems worldwide, and the count is climbing. Among those victimized were England’s National Health Service, automobile manufacturers, and government systems. The worm’s ominous red ransom screen, informing the user that all files have been encrypted, was found not only on users’ desktops but also on ATM screens, parking meters, digital billboards, and industrial control system interfaces.

College textbooks on computer security have a table of terms for malicious software, including “virus,” “worm,” “Trojan horse,” and (more recently) “ransomware.” Neatly defined categories are useful when a professor wants to give a multiple-choice test, but the real world is no longer so well defined. WannaCry combines the defining characteristics of both ransomware and worms.

The Dangerous Combination of Ransomware and Worms

A network worm is a type of malicious software that spreads from machine to machine autonomously, typically using some common vulnerability. Worms that infect large numbers of hosts are less common than other types of malware, since spreading that way requires a reliable exploit for a widespread vulnerability that has a public attack surface. The recent Server Message Block (SMB) vulnerability in Microsoft Windows has readily available exploit code and, despite being patched by Microsoft in March, many organizations have not updated their systems with the fix. This gives WannaCry a target-rich environment in which to spread.

Most users and organizations are more familiar with ransomware than with worms—in fact, many have first-hand experience. Combining the rapid and broad spread of a network worm with the damage and monetary demands of ransomware can make for a painful worldwide incident. In a post several months ago, I discussed the evolution of ransomware away from spreading mechanisms that rely on “tricking” the user, towards exploitation of IT infrastructure vulnerabilities.

Who Is to Blame?

The knee-jerk reaction of the security community is to point the finger at the victims: they should have already applied the patches that fix the SMB vulnerability. The patches have been available for a couple of months now. Still, some contend that this is not a realistic expectation. There are devices that cannot be patched easily by the end user (including medical devices and manufacturing equipment), and there is also software that must be tested extensively before being run on a modified operating system.

To Patch or Not to Patch

Should you patch? The answer seems obvious, but it is more nuanced. When a security advisory is published, you should patch as many systems as you can, as soon as you can. The security industry’s advice to clients can’t end there, however.

You already know that patches occasionally cause as many problems as they fix: destabilizing systems and causing incompatibility with software and hardware. A balance has to be struck where the majority of systems—those running typical desktop software—get patched automatically and quickly, while testing is performed to determine whether the patch is safe for the more mission-critical systems. A decision should be made for critical security advisories: is the risk presented by a new patch greater than the near-certainty of getting infected with something like WannaCry if the patch is not applied?

Implications of Not Patching

The decision not to patch a system, such as an old workstation connected to a medical imaging device, is not to be taken lightly. You might be forced to maintain a vulnerable software version by incompatibilities and lack of support from the vendor. That means you have to take further action to secure that system. Network segmentation and isolation are key elements of defending these systems. So implement firewalls and access controls that prevent other systems from communicating with these vulnerable devices unless they have an operational need to do so.

Future outbreaks of malicious software are likely to contain damaging and expensive ransomware payloads. Keeping up to date with operating system and software patches is important. When it’s not possible to patch, it’s your responsibility to implement security controls and intensive monitoring around the otherwise-vulnerable systems – or reap the consequences.
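One concrete shape the "segmentation plus intensive monitoring" advice can take is a policy check that runs over network flow records for the unpatched hosts: only peers with an operational need may speak SMB to an isolated host, and the isolated host may speak SMB only to those peers (so a compromised one trying to spread is caught as well). This is an added example, not code from the original post; the inventory, addresses and flow records are constructed for illustration.

```python
from dataclasses import dataclass

SMB_PORTS = {139, 445}  # NetBIOS session service and direct-hosted SMB


@dataclass(frozen=True)
class IsolatedHost:
    ip: str
    name: str
    peers: frozenset  # the only addresses with an operational need for SMB


# Constructed inventory (hypothetical addresses): an imaging workstation that
# stays on an unpatched Windows build, and the PACS server it must talk to.
ISOLATED = {
    "10.20.5.17": IsolatedHost("10.20.5.17", "imaging-ws-01", frozenset({"10.20.5.2"})),
}

# Constructed netflow-style records: (src_ip, dst_ip, dst_port, proto).
SAMPLE_FLOWS = [
    ("10.20.5.2",  "10.20.5.17", 445, "tcp"),  # PACS -> imaging: permitted
    ("10.30.8.44", "10.20.5.17", 445, "tcp"),  # office desktop -> imaging: violation
    ("10.20.5.17", "10.30.8.60", 445, "tcp"),  # imaging -> desktop: worm-like, violation
    ("10.20.5.2",  "10.20.5.17", 104, "tcp"),  # DICOM traffic, not SMB: ignored
    ("10.30.8.44", "10.30.8.45", 445, "tcp"),  # neither side isolated: out of scope
]


def check_flow(src, dst, dport, proto):
    """Return a reason string if the flow breaks the segmentation policy, else None."""
    if proto != "tcp" or dport not in SMB_PORTS:
        return None
    target = ISOLATED.get(dst)
    if target is not None and src not in target.peers:
        return f"inbound SMB {dport}/tcp to {target.name} from unapproved {src}"
    origin = ISOLATED.get(src)
    if origin is not None and dst not in origin.peers:
        return f"outbound SMB {dport}/tcp from {origin.name} to unapproved {dst}"
    return None


def find_violations(flows):
    """Evaluate every record; the result is what a monitoring rule would alert on."""
    return [v for v in (check_flow(*f) for f in flows) if v]


if __name__ == "__main__":
    for alert in find_violations(SAMPLE_FLOWS):
        print("ALERT:", alert)
```

The same peer list is what the firewall or access control in front of the isolated host should enforce; the monitoring rule exists to catch the cases where that enforcement is missing or misconfigured.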