When WannaCry struck, it exploited a known weakness in Windows computers. Microsoft had released a fix a few months before the attack and systems administrators could have protected their networks by simply installing the patch.
But there were enough unpatched computers for both WannaCry – and then last year’s other big ransomware attack involving Petya/NotPetya – to create an opening for attacks to create serious disruption. That’s why you hear security experts preaching the virtue of patching to resolve any newly-discovered security vulnerabilities.
Another reason for their concern: Ransomware is no longer the exclusive preserve of run-of-the-mill cyber criminals. Targeted attack groups – often backed by the resources of nation-states – are taking an interest too.