I suspect this is not the first such incident, but it’s the first that anyone has been willing to cop to. I also suspect that, somewhere, a lawyer is screaming, “NO SHUT UP YOU IDIOT!”
Admitting that this happened is probably not a very good move for the inevitable and totally justified lawsuit:
Getting ransomware is a lifestyle choice; it’s remarkably similar to going to a big “unmask” party and coming home with COVID-19. You get ransomware when your computing infrastructure is not carefully compartmented, your systems are poorly managed, and do don’t have backups.
The current state of play in the ransomware world is to scan a bunch of targets and, if you find one is vulnerable, break in, find some critical systems, and upload the ransomware onto them. It used to be that you just emailed in the ransomware in an attachment and expected some unfortunate ignoramus to click on it. A lot of organizations have moved past basic attachment security (and I do mean “basic”) so the attackers had to improve their play a tiny bit in order to continue their efforts.
A few years ago I pointed out that this is the end game for computer security: it’s so bad and our systems are so deeply compromised by government and commercial interests and crappy software, that attackers will always be able to try just a little bit harder and bypass anything useful that security people attempt to do. Let me explain that better: imagine that you’re running a foot-race against someone who is 100 times faster than you. But, they are cunning, and never reveal that fact. They always beat you by just a nose.* On the flip side, security practitioners have been (rightly) pointing out that systems are important and dangerous and that “eventually, this stuff is going to get someone killed.”
That’s that Rubicon, crossed.
(Alternatively, if you’re a fan of the book Horse Heaven: you’re racing against Justa Bob, the horse that was the fastest horse ever, but who was so lazy that he never bothered to win by more than the thinnest margin) [wc]