The latest ransomware attack, which affected thousands of victims around the world, brings a strong sense of déjà vu. The malware is different from the one used by WannaCry back in May, and the criminal group responsible is different, but the advice for dealing with the outbreak remains the same: patch vulnerable systems, don't pay the ransom, and restore from backups.

The new ransomware (Kaspersky Lab named it ExPetr after determining it was not a variant of the Petya malware) used several vectors of compromise, including EternalBlue and EternalRomance, exploits ostensibly developed by the United States National Security Agency. EternalBlue, a Windows SMBv1 exploit, was also used by WannaCry in May.

Unlike WannaCry, ExPetr appears to spread over local networks rather than the Internet, but it overwrites the Master Boot Record and encrypts the file system's Master File Table, which is far more damaging than encrypting individual files. ExPetr may be a new attack, but there is nothing new in what it does: it exploits known vulnerabilities, spreads via a protocol that shouldn't be exposed to the Internet, and abuses an existing administration utility (PsExec) to move laterally with credentials it harvests on the host.

What's also familiar is the finger-pointing and the blaming.
Security experts took to blogs, social media and email to pontificate: this attack was yet another example of organizations not taking security as seriously as they should. These attacks could easily have been avoided if organizations had patched their systems properly and implemented a defense-in-depth approach to securing their networks. WannaCry should have been the wake-up call, but the fact that the new ransomware spread around the world so rapidly showed that there are still plenty of organizations and users who have yet to apply the MS17-010 patch Microsoft released back in March. SMBv1 is old; there is no reason for the port to be open to the Internet. Neglecting security, in terms of investment, time, or priority, is irresponsible. And the list goes on and on.

Stop. Scolding doesn't help.

IT and operations are fully aware that core IT and security fundamentals, such as patch management, regular backups, disaster recovery and business continuity, and incident response, are critical to protecting their networks and users from damaging attacks. Acting as if they are irresponsible or incompetent for being behind on patching is unhelpful and ignores the challenges they and their beleaguered security colleagues face. It is undisputed reality that vulnerable systems are running software that is out of support, out of date, or simply unpatched. This is not a surprise to anyone in security, or it shouldn't be.

"What always seems to take some by surprise, however, is that no matter how much we talk about patching as the solution, it doesn't happen in many cases," said Wendy Nather, principal security strategist at Duo Security.
"It's almost as if talking about the problem and 'raising awareness' isn't enough to actually solve it."

Don't assume negligence. Understand the challenges.

If the system isn't under your control, you can't update it

It's easy to say that all systems should be patched regularly, but that overlooks a key issue: IT doesn't always have access to the systems on its networks. When patching a system would void its warranty or license terms, staying on top of updates for that system is not an option. Or consider manufacturing plants, where PCs connected to machinery may be considered part of the machinery and not under IT control. Shop floor management doesn't want IT messing with equipment, but IT has to consider security and continued compatibility with other systems.

"The issue is widespread, especially among organizations below the security poverty line, but it applies just as much to financial trading terminals and banks as it does to the network run by a centralized higher education system," Nather said.

Recognize the organizational constraints

This is a big issue in the public sector, where legislative rules and spending cuts designed to rein in government spending interfere with IT security spending. "Taxpayers are not going to pay to update hardware and software that are working just fine," Nather said. Outside the public sector there may be other constraints on the organization. A non-profit, for example, has strict rules on what it can do and where it can spend money.

"Built to last" directly conflicts with "update early and often"

When technology costs millions of dollars (say, an MRI machine), you expect it to last for years. Needing regular maintenance windows to update the software seems the antithesis of that promise.
In healthcare, patient safety is critical, which means the equipment has to be retested and recertified as safe every time the software changes.

Any system with external, highly entangled dependencies will take longer to update

Organizations on average take around 120 days to patch their systems. That time goes into testing against different system configurations, making sure there are no application conflicts, and verifying that current functionality isn't lost. The complex web of dependencies means an update can inadvertently break something important. Consider Windows XP, an old operating system that lives on in kiosks and equipment and can't easily be phased out even though the desktop version is no longer supported.

"We need to address decades of legacy systems and organizational constraints, as well as the plain fact that nobody knows today how much effective security should cost a given enterprise; we don't even know whether it's affordable," Nather said.

Be realistic and pragmatic

Come up with answers that reflect the architecture that currently exists, not the utopian ideal of what IT infrastructure should look like. Organizations have legacy systems, and many have made massive investments over the years in unpatchable systems and equipment. Migrations aren't always the answer, and the security industry needs to be more creative about finding ways to work with organizations on upgrading obsolete systems or putting in safeguards to protect what is already in place.
There are restrictions on what the organization can do with its funds, which calls for another set of creative ideas on making do with limited resources.

"Given the levels of complexity, externalized risk, economic incentives, and technical debt involved in this problem, we may need the equivalent of an Affordable Healthcare Act for technology," Nather said.

If the organization has systems running unpatched software, updating the software is the right first step. But when that isn't an option, as is frequently the case, cut out the finger-wagging and look for workarounds. Precautions include limiting and securing the use of PsExec, restricting user permissions (ExPetr's PsExec and WMI lateral movement needs administrative credentials, so fewer users with local admin rights means fewer hosts it can reach), disabling SMBv1, and blocking TCP ports 445 (SMB) and 139 (NetBIOS session service, which carries SMB over NetBIOS) from anyone outside the organization. In the case of ExPetr specifically, it appears that preventing C:\Windows\perfc.dat from being written or executed can stop the infection, and proactively creating a file called perfc with no extension in %windir% will also prevent the ransomware from executing. Note that such a kill-switch file only neutralizes the sample that checks for it; it does nothing against the next variant, and it is no substitute for closing the SMBv1 exposure the worm actually spreads through.

"We shouldn't be terribly surprised to see another WannaCry-esque attack rear its ugly head, and frankly, we should all admit that this won't be the last time. And it will probably get worse before it gets better," Nather said.
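The workarounds listed above, collected into one PowerShell script as an added example that is not part of the original article: it disables SMBv1, blocks inbound 445/139 on the Public firewall profile, plants the read-only perfc kill-switch file, and lists local administrators so you can see who could be used for PsExec or WMI lateral movement. It assumes an elevated session on Windows 8.1/Server 2012 R2 or later (for the SmbShare and NetSecurity modules) and Windows 10/Server 2016 or later for Get-LocalGroupMember; the function and rule names are this example's own choices, and the kill-switch behaviour is only what was reported for the June 2017 ExPetr sample.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the article. Applies the article's ExPetr workarounds to one Windows host.
# Assumptions: Windows 8.1 / Server 2012 R2 or later; an elevated PowerShell session;
# Get-LocalGroupMember needs Windows 10 / Server 2016 or later.

function Invoke-ExPetrHardening {
    # 1. Turn off SMBv1 on the server side so EternalBlue/EternalRomance never reach vulnerable code.
    #    Check first that no legacy NAS, printer or scanner on your network still depends on SMBv1.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Remove the SMBv1 feature where the OS exposes it as an optional feature (takes effect after reboot).
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
        -ErrorAction SilentlyContinue | Out-Null

    # 2. Block inbound SMB (445) and NetBIOS session (139) on the Public profile. Domain/Private profiles
    #    are left alone so internal file sharing keeps working; restrict those by network segmentation.
    foreach ($port in 445, 139) {
        $name = "ExPetr hardening: block inbound TCP $port (Public)"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $port -Profile Public -Action Block -Enabled True | Out-Null
        }
    }

    # 3. Kill-switch file: the reported ExPetr sample exits if %windir%\perfc (no extension) exists.
    #    Marked read-only so the dropper cannot simply overwrite it. Only protects against that sample.
    $killSwitch = Join-Path $env:windir 'perfc'
    if (-not (Test-Path $killSwitch)) {
        New-Item -ItemType File -Path $killSwitch | Out-Null
    }
    Set-ItemProperty -Path $killSwitch -Name IsReadOnly -Value $true
}

function Test-ExPetrHardening {
    # Returns the state of each control so the result can be reviewed or collected centrally.
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $rules = Get-NetFirewallRule -DisplayName 'ExPetr hardening: block inbound TCP * (Public)' `
        -ErrorAction SilentlyContinue
    $killSwitch = Join-Path $env:windir 'perfc'

    # PsExec/WMI lateral movement needs admin credentials: every member here is a potential stepping stone.
    $admins = @()
    try {
        $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
            Select-Object -ExpandProperty Name
    } catch {
        $admins = @('(Get-LocalGroupMember unavailable on this OS)')
    }

    [PSCustomObject]@{
        ComputerName        = $env:COMPUTERNAME
        SMB1Disabled        = (-not $smb1)
        PublicSmbBlockRules = @($rules).Count          # expect 2 (445 and 139)
        KillSwitchReadOnly  = (Test-Path $killSwitch) -and (Get-Item $killSwitch).IsReadOnly
        LocalAdministrators = $admins
    }
}

Invoke-ExPetrHardening
Test-ExPetrHardening | Format-List
```

Run it once per host (or push it through your management tooling) and keep the Test-ExPetrHardening output; a host that reports SMB1Disabled as False after a reboot, or fewer than two block rules, is one where the change was reverted by policy and needs a follow-up. The local administrator list is the part worth acting on at scale: trimming it, and not reusing the same local admin password across machines, removes the credentials the PsExec and WMI spread depends on, which is the one precaution here that also helps against the next worm.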