The Media Missed the Mark Covering WannaCry Ransomware

The WannaCry cyberattack lasted for over a week starting May 12, taking as many as 300,000 computers hostage in 150 different countries. The attack used ‘ransomware’ malware and is the largest known attack of its kind. According to two reporters who covered WannaCry, the media missed key factors while explaining the attack to readers, which may have confused victims of the attack and readers alike.

Ransomware is a type of malware that takes over a computer and forces the owner to either pay a ransom or risk losing all data stored on the device. In this case, the WannaCry malware entered computers and displayed a warning: pay a $300 (or even $600) ransom, or the program will delete all of the computer’s data. According to The Verge, over $80,000 was paid to known WannaCry accounts (a low figure considering the thousands attacked). However, according to Elliptic data, $122,225.87 has been paid to WannaCry to date.

This graph shows the total amount of payments to WannaCry accounts, tracked and recorded by Elliptic, from May 12 until May 23.

“I think the media conveyed the basics, and that people get that there was this big virus, that it was bad and that we got a handle on it,” Russell Brandom, staff reporter at The Verge, said in an interview with MediaFile. “However, we’re 95% sure this code originated from the NSA.”

Brandom said that the WannaCry ransomware was unusual in scale because it was a worm. A worm, once it has infected one computer, can then infect all the computers in that network. WannaCry specifically targeted computers running outdated Microsoft Windows software. Microsoft Windows normally updates itself whenever a flaw, known as a “vulnerability,” is found in the software. According to Brandom, the NSA stockpiles these vulnerabilities and the code that takes advantage of them (called exploits) to bolster intelligence capabilities. ShadowBrokers leaked parts of the NSA stockpile of code detailing this type of vulnerability in Microsoft Windows, thus giving the WannaCry attack the means to exploit thousands of people.

Due to the NSA’s clear involvement and knowledge of the vulnerabilities that led to the attack, Sen. Brian Schatz introduced a bill last week to make the NSA accountable. The bill, called the Protecting Our Ability to Counter Hacking Act of 2017, or PATCH Act, would provide a legal framework for federal agencies to follow when stockpiling vulnerabilities. This may help avoid leaks and government involvement in future attacks, and may even provide the means to prevent them.

The Verge, being one of the only media outlets connecting the NSA code leak to the WannaCry attack, said that there were multiple actors in play – so it is hard to place the blame for the attacks.

“The weird thing is the attribution,” Brandom said. “There are even links between the way this (WannaCry) code was deployed and other viruses deployed from North Korea. I’m very skeptical of that, obviously. But this is just to say that it’s very difficult for the media to talk about this situation with circumstantial evidence and the huge problem of attribution.”

Sam Petulla, visual/data journalist at NBC News, said the media should have done a better job covering what victims should do if hacked by WannaCry.

“The issue was if you pay that money to WannaCry, you don’t get anything back,” Petulla said. “That should have been explained pretty quickly and much earlier, because there is no way to trace that money back since the hackers used Bitcoin. Therefore, anyone who paid had no chance of getting their files back.”

Petulla reported on the kill switch, and said that by Saturday, May 13, infections and payments slowed significantly as a result. Marcus Hutchins, also known as MalwareTech, discovered the kill switch built into the WannaCry code and released it.

“The WannaCry malware sent a request to a domain, and if in sending that request out the malware was able to reach the domain, then the malware is disabled,” Petulla explained. “Hutchins created the specific domain to disable the WannaCry malware, registered the domain, and then published it. That, in essence, was the kill switch.”

The WannaCry malware attack was the largest of its type, and even managed to disable 16 hospitals in the UK when it was first released. Though relatively little money was paid in ransom, WannaCry disrupted businesses and infrastructure in many countries. According to both Brandom and Petulla, major media outlets did not explain this clearly or in a timely way, nor the attribution of the attacks, nor what to do if you were infected by the malware. The kill switch helped slow the WannaCry malware significantly in the absence of clear information from the media.
