While department heads and IT administrators deserve some of the blame, ultimately, elected officials who refuse to allocate money for necessary upgrades are culpable.
Then there's the US government, whose Windows hacking tools were leaked to the internet and got into the hands of cybercriminals. However, many organizations - including hospitals - had not appropriately updated their systems.
Weisman: At the moment we don't know who is behind the attack. If you do not have patch management solutions or other vehicles to deploy the patch, I would resort to manually installing the patch on critical systems first and then progress throughout the environment. "Still, the NSA can't be very proud of this".
On Wednesday security firms Bitdefender and Proofpoint found hackers using the same exploit to spread cryptocurrency-mining malware called Adylkuzz.
Smith has also suggested a "Digital Geneva Convention" that would include "a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them". In a blog post published on Sunday, Brad Smith, president and chief legal officer for Microsoft, said that with the growing sophistication of cyberattacks, the practice of collecting malicious tools by the government has done more harm than good. It has been widely accepted that the malware was accessed from America's National Security Agency (NSA). WannaCry ransomware is believed to be the "Eternal Blue Hacking Weapon", which was used by the US National Security Agency to infiltrate and gain access to Windows-run computers and laptops used by terrorist organisations and enemy states.
"As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable", Gates wrote in an email to employees identifying trustworthy computing as Microsoft's top priority. And even when available, many users simply didn't download the patch. But, Nather said, there's a prominent mindset that if the tech works just fine, there's no real need to update it. Yet in an unusual step, they released a patch for those older systems because of the magnitude of the outbreak.
However, the Financial Times report points out that Windows XP users are still expected to pay extra if they want security, and the price now stands at $1,000 per device. The same goes for cloud services, though they can be helpful. IBM observed that 95% of all security incidents involve some kind of human error.
Some experts also believe that widespread use of bootleg software in India might have forced companies to cover up their losses, as they cannot report them due to licensing issues. Companies can also install whitelisting software that prevents the downloading of unauthorized computer software.
Companies and institutions are often slow to update their computers because it can screw up internal software that is built to work with a certain version of Windows. Multiple backups also help.
However, if you do pay, you're only fueling the fire.
"It's not rocket science", Litan said.
The investigations into the attack were in the early stages, however, and attribution for cyber attacks is notoriously hard. Major IT firms Infosys and Wipro reportedly were unaffected as they monitor threats independently on a regular basis. Microsoft puts out periodic security patches to the software, and sometimes they apply to all versions of the operating systems. Russia's Interior Ministry and companies including Spain's Telefonica, FedEx Corp. in the US and French carmaker Renault all reported troubles.