Ransomware ‘WannaCry’ spreads to thousands more computers at start of workweek

By Jason Contant | May 15, 2017 | Last updated on October 30, 2024
5 min read

TOKYO – The worldwide “ransomware” cyberattack spread to thousands of more computers on Monday as people logged in at work, disrupting business, schools, hospitals and daily life, though no new large-scale breakdowns were reported.

A security camera stands outside the main Telefonica headquarters in Madrid, Spain, Friday, May 12, 2017. The Spanish government said several companies including Telefonica had been targeted in ransomware cyberattack that affected the Windows operating system of employees’ computers. It said the attacks were carried out with a version of WannaCry ransomware that encrypted files and prompted a demand for money transfers to free up the system. (AP Photo/Paul White)

In Britain, whose health service was among the first high-profile targets of the attack Friday, some hospitals and doctors’ offices were still struggling to recover.

The full extent of the damage from the cyberattack felt in 150 countries was unclear and could worsen if more malicious variations of the online extortion scheme appear.

The initial attack, known as “WannaCry,” paralyzed computers running factories, banks, government agencies and transport systems in scores of countries, including Russia, Ukraine, Brazil, Spain, India and Japan, among others. Among those hit were Russia’s Interior Ministry and companies including Spain’s Telefonica and FedEx Corp. in the U.S.

Though the ransomware continued to spread at a more subdued pace on Monday, many companies and government agencies were still struggling to recover from the first attack.

Carmaker Renault said one of its French plants, which employs 3,500 people, wasn’t reopening Monday as a “preventative step” while technicians deal with the aftermath of the attack.

Britain’s National Health Service said about a fifth of NHS trusts – the regional bodies that run hospitals and clinics – were hit by the attack on Friday, leading to thousands of cancelled appointments and operations. Seven of the 47 affected trusts were still having IT problems Monday.

Ciaran Martin, chief executive of the U.K.’s National Cyber Security Centre, has warned that more computers could be infected Monday as doctors’ practices re-opened after the weekend.

In Asia, where Friday’s attack occurred after business hours, thousands of new cases were reported on Monday as people came back to work.

The Japan Computer Emergency Response Team Coordination Center, a non-profit group, said 2,000 computers at 600 locations in Japan were affected. Companies including Hitachi and Nissan Motor Co. reported problems but said they said had not seriously affected their business operations.

Chinese state media said 29,372 institutions there had been infected along with hundreds of thousands of devices.

Universities and other educational institutions in China were among the hardest hit, possibly because schools tend to have old computers and be slow to update operating systems and security, said Fang Xingdong, founder of ChinaLabs, an internet strategy think-tank.

On social media, students complained about not being able to access their work, and people in various cities said they hadn’t been able to take their driving tests over the weekend because some local traffic police systems were down.

Railway stations, mail delivery, gas stations, hospitals, office buildings, shopping malls and government services also were affected, China’s Xinhua News Agency said, citing the Threat Intelligence Center of Qihoo 360, a Chinese internet security services company.

In Indonesia, the malware locked patient files on computers in two hospitals in the capital, Jakarta, causing delays.

Experts urged organizations and companies to immediately update older Microsoft operating systems, such as Windows XP, with a patch released by Microsoft Corp. to limit vulnerability to a more powerful version of the malware – or to future versions that can’t be stopped.

Related: Ransomware cyberattack cripples hospitals across the United Kingdom

Paying ransom will not ensure any fix, said Eiichi Moriya, a cybersecurity expert and professor at Meiji University.

“You are dealing with a criminal,” he said. “It’s like after a robber enters your home. You can change the locks but what has happened cannot be undone. If someone kidnaps your child, you may pay your ransom but there is no guarantee your child will return.”

New variants of the rapidly replicating malware were discovered Sunday. One did not include the so-called kill switch that allowed researchers to interrupt the malware’s spread Friday by diverting it to a dead end on the internet.

Ryan Kalember, senior vice-president at Proofpoint Inc., which helped stop its spread, said the version without a kill switch could spread. It was benign because it contained a flaw that prevented it from taking over computers and demanding ransom to unlock files but other more malicious ones will likely pop up.

“We haven’t fully dodged this bullet at all until we’re patched against the vulnerability itself,” Kalember said.

The attack held users hostage by freezing their computers, popping up a red screen with the words, “Oops, your files have been encrypted!” and demanding money through online bitcoin payment – $300 at first, rising to $600 before it destroys files hours later.

Just one click on an infected attachment or bad link would lead to all computers in a network becoming infected, said Vikram Thakur, technical director of Symantec Security Response.

“That’s what makes this more troubling than ransomware was a week ago,” Thakur said.

The attack has hit more than 200,000 victims across the world since Friday and is seen as an “escalating threat,” said Rob Wainwright, the head of Europol, Europe’s policing agency.

“The numbers are still going up,” Wainwright said.

Microsoft’s top lawyer is laying some of the blame at the feet of the U.S. government. Brad Smith criticized U.S. intelligence agencies, including the CIA and National Security Agency, for “stockpiling” software code that can be used by hackers. Cybersecurity experts say the unknown hackers who launched this weekend’s “ransomware” attacks used a vulnerability that was exposed in NSA documents leaked online.

It was too early to say who was behind the onslaught, which struck 100,000 organizations, and what their motivation was, aside from the obvious demand for money. So far, not many people have paid the ransom demanded by the malware, Europol spokesman Jan Op Gen Oorth told The Associated Press.

Researchers who helped prevent the spread of the malware and cybersecurity firms worked around the clock over the weekend to monitor the situation and install the software patch.

“Right now, just about every IT department has been working all weekend rolling this out,” said Dan Wire, spokesman at Fireeye Security.

Microsoft distributed the patch two months ago, which could have forestalled much of the attack, but in many organizations it was likely lost among the blizzard of updates and patches that large corporations and governments strain to manage.

Watt reported from Beijing. AP researcher Yu Bing and news assistant Liu Zheng in Beijing, John Leicester in Paris, Jill Lawless in London, Youkyung Lee in Seoul and Kelvin Chan in Hong Kong contributed to this report.

Jason Contant