Now I get it: Ransomware

On May 12, 2017, a computer worm called WannaCry began spreading, and within days it had infected more than 300,000 Windows computers in 150 countries, making headlines around the world. Here's what you need to know.

Meet ransomware

Why the headlines? First, because WannaCry is one of the most widespread cases of ransomware: software that encrypts the files on your PC and will not unlock them until you pay the bad guys. In WannaCry's case, you're supposed to pay $300 within three days; after that, the price doubles to $600. If you still haven't paid within a week, the ransom note says your files are gone forever. (Here's what it looks like if you're infected.)

(Why can't the authorities just track who the money's going to, and thereby catch the bad guys? Because you have to pay in Bitcoin, a digital currency whose transactions are public but not tied to anyone's name. Investigators can watch the money pile up in the attackers' wallets, but they can't tell who controls them unless the crooks cash out somewhere that checks identities. Here's my explainer on Bitcoin.)

The second notable feature: The WannaCry malware took advantage of a security hole in Windows that had already been discovered by the U.S. National Security Agency (NSA). But instead of letting Microsoft (MSFT) know what it had found, the NSA kept it a secret and, in fact, wrote an attack tool of its own to exploit it. That tool was later stolen and leaked onto the internet in April 2017, which is how the hole came to be used in WannaCry.

Ransomware is nasty. Once your files are encrypted, there's no fix short of restoring them from a backup, and only a backup the ransomware couldn't reach counts; an external drive that was plugged in at the time usually gets encrypted along with everything else. Even if you pay up, there's no guarantee you'll get your files back; some of these ransomware people take your money and run. (Why can't these low-life hackers have more of a sense of decency?)

How security holes get patched

So why doesn't Microsoft fix Windows's security holes? It does, all the time. Microsoft patched this particular hole on March 14, 2017, two months before WannaCry appeared. If you have Windows 10, which installs its updates automatically, you're safe from WannaCry. And if you have Windows 7 or 8 and you accept Microsoft's steady flow of software updates, you're fine, too.

The only people vulnerable to WannaCry are people running versions of Windows so old that Microsoft no longer updates them, and people who have turned off or kept postponing Microsoft's free patches. And because WannaCry is a worm, it doesn't need anyone to click anything: one unpatched machine on a network is enough for it to walk in and then hunt for the next one.
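If you manage Windows machines and want to confirm that the March patch is actually installed rather than just assuming it, here is a check you can run. This is an added example, not code from the original column or from Microsoft: it looks for the update identifiers that Microsoft's bulletin for this hole (MS17-010) lists for each Windows version, reports the version of the file the patch replaces (srv.sys), and says whether the old SMB1 file-sharing protocol that WannaCry spreads over is still switched on. The KB numbers below are copied from that bulletin as I remember it; confirm them against the bulletin before relying on the result. Run it in a PowerShell window opened as Administrator.

```powershell
# Added example (not from the original column): does this PC have the
# MS17-010 patch that closes the hole WannaCry uses?
# Uses Get-WmiObject rather than Get-CimInstance so it also runs on the
# PowerShell 2.0 that ships with Windows 7.

function Test-MS17010 {
    # KB numbers per Windows version, as listed in Microsoft bulletin MS17-010
    # (assumption: verify against the bulletin). Keys are "major.minor" of
    # the OS version reported by Windows.
    $kbByVersion = @{
        '5.1'  = @('KB4012598')                              # Windows XP (emergency patch, May 2017)
        '5.2'  = @('KB4012598')                              # Windows Server 2003
        '6.0'  = @('KB4012598')                              # Vista / Server 2008
        '6.1'  = @('KB4012212', 'KB4012215')                 # Windows 7 / Server 2008 R2
        '6.2'  = @('KB4012598', 'KB4012214', 'KB4012217')    # Windows 8 / Server 2012
        '6.3'  = @('KB4012213', 'KB4012216')                 # Windows 8.1 / Server 2012 R2
        '10.0' = @('KB4012606', 'KB4013198', 'KB4013429')    # Windows 10 RTM / 1511 / 1607, Server 2016
    }

    $os       = Get-WmiObject Win32_OperatingSystem
    $majorMin = ($os.Version -split '\.')[0..1] -join '.'     # e.g. "6.1"
    $expected = $kbByVersion[$majorMin]

    # Get-HotFix reads the same list Control Panel shows under "Installed Updates".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $present   = @($expected | Where-Object { $installed -contains $_ })

    # srv.sys is the file the patch replaces; its version is the ground truth
    # when a later cumulative update has superseded the March KB.
    $srvPath    = Join-Path $env:SystemRoot 'System32\drivers\srv.sys'
    $srvVersion = if (Test-Path $srvPath) { (Get-Item $srvPath).VersionInfo.FileVersion } else { 'not found' }

    # SMB1 state: newer Windows has a cmdlet; on Windows 7 read the registry
    # (a missing "SMB1" value means the protocol is enabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $value  = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).SMB1
        $smb1Enabled = ($null -eq $value) -or ($value -ne 0)
    }

    $verdict =
        if ($null -eq $expected)  { "UNKNOWN: Windows $($os.Version) is not in this table; check MS17-010 by hand" }
        elseif ($present.Count)   { "PATCHED: MS17-010 update present ($($present -join ', '))" }
        else                      { "NOT CONFIRMED: none of $($expected -join ', ') is listed. A later cumulative update may contain the fix; compare the srv.sys version below with the bulletin's file information before deciding" }

    New-Object PSObject -Property @{
        OSVersion   = $os.Version
        Caption     = $os.Caption
        Verdict     = $verdict
        SrvSys      = $srvVersion
        SMB1Enabled = $smb1Enabled
    }
}

Test-MS17010 | Format-List
```

Two caveats on reading the output. A machine that has taken any later monthly rollup will not list the March KB even though it has the fix, which is why the script refuses to call such a machine vulnerable and points you at the srv.sys version instead. And SMB1Enabled being True on a patched machine isn't an emergency, but it is the protocol this worm rides on, so switching it off where nothing needs it is cheap insurance against the next hole in it.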

Here's the real irony: Typically, a researcher discovers a security hole in Windows and quietly tells Microsoft. Microsoft's engineers write and release a patch for a hole the hackers hadn't known about before. But the bad guys know that millions of people won't install that patch. So they compare the patched files with the unpatched ones to see exactly what Microsoft changed, which tells them where the hole is, and they write the virus after Microsoft has fixed the hole. They get the idea from the fix.

In any case, ransomware does its worst damage on big organizational networks: hospitals, banks, airlines, governments, utility companies, and so on. These are places that often don't regularly update their copies of Windows, because the machines run software that won't survive the update or can't be taken down for a restart. (Lots of them still run Windows XP, which is 16 years old. Microsoft no longer supports Windows XP, but to its credit, it wrote and released an emergency patch against WannaCry for Windows XP, too.)