TOKYO - (AP) -- The worldwide "ransomware" cyberattack spread to thousands of more computers on Monday as people logged in at work, disrupting business, schools, hospitals and daily life, though no new large-scale breakdowns were reported.
In Britain, whose health service was among the first high-profile targets of the attack on Friday, some hospitals and doctors' offices were still struggling to recover.
The full extent of the damage from the cyberattack felt in 150 countries was unclear and could worsen if more malicious variations of the online extortion scheme appear.
The initial attack, known as "WannaCry," paralyzed computers running factories, banks, government agencies and transport systems in scores of countries, including Russia, Ukraine, Brazil, Spain, India and Japan, among others. Among those hit were Russia's Interior Ministry and companies including Spain's Telefonica and FedEx Corp. in the U.S.
Carmaker Renault said one of its French plants, which employs 3,500 people, wasn't reopening Monday as technicians dealt with the cyberattack's aftermath. The temporary halt in production was a "preventative step," Renault said.
Britain's National Health Service said about a fifth of NHS trusts -- the regional bodies that run hospitals and clinics -- were hit by the attack on Friday, leading to thousands of canceled appointments and operations. Seven of the 47 affected trusts were still having IT problems Monday.
HOW THE VIRUS WORKS
Cybersecurity experts say the worm affects computers using Microsoft operating systems and takes advantage of a vulnerability in the software to spread the infection. "WannaCry" is particularly malicious because it takes just one person to click on an infected link or email attachment to cause the virus to spread to other machines on the same network.
Infected computers are frozen and display a big message in red informing users, "Oops, your files have been encrypted!" and demanding about $300 in online bitcoin payment. Victims have only hours to pay the ransom, which rises to $600 before the files are destroyed.
Money has been trickling in, according to a Twitter account monitoring bitcoin wallets linked to the attacks, with victims paying nearly $39,000 by Monday afternoon in Asia.
The worm has claimed at least 200,000 victims since Friday, according to one count by Europol, Europe's policing agency. Cases have been reported in 150 countries, and include Chinese gas stations, Japanese broadcasters, Indonesian and British hospitals, and German railways.
"We think Asia-Pacific was impacted probably not as heavily as the European regions, but I don't think they dodged a bullet," said Tim Wellsmore, Asia-Pacific director for threat intelligence at FireEye, a California-based network security company. He said ransomware attacks are an everyday occurrence, and that victims tend to be small businesses that don't have as much money to invest in cybersecurity.
Wellsmore said Asia was likely spared the brunt of the attack because of the timing. "Just as those attacks were picking up speed, we were heading into Friday evening and turning off a lot of computer systems," he said.
HOW CAN I PROTECT MY PC?
Computer users should patch their machines with updates from Microsoft, especially those using older versions of operating systems such as Windows XP. Microsoft did put out a patch two months ago for more recent systems, but not all users may have downloaded it. After "WannaCry," it released an emergency patch for older systems too.
RANSOMWARE IS BIG BUSINESS
The "WannaCry" attack grabbed headlines around the world because of its scale, but it's just one of many types of ransomware that cybersecurity experts see every day. That's because it's a very easy way to make money. "It's a business model that works and you don't need a lot of investment to actually get a decent return," said Wellsmore.
"You can buy ransomware kits on the dark web, you can buy all the tool sets you need to undertake your own ransomware campaign quiet easily," he said, referring to an area of the internet often used for illegal activity. Would-be extortionists can launch a global campaign with little effort, yet authorities can do little because it's very difficult to investigate, Wellsmore said.
WHO IS BEHIND THE ATTACK?
Wellsmore and other cybersecurity experts say the identity of the perpetrators is still unknown. The hackers were using tools stolen from the U.S. National Security Agency and released on the internet. The software vulnerability was purportedly first identified by the NSA for its own intelligence-gathering work.
"We don't expect this to be a sophisticated group," said Wellsmore. "We expect this is a small operation that is undertaking this. They just happen to hit the motherlode. Unfortunately for the rest of us, this thing went quite global quite quickly."
Ciaran Martin, chief executive of the U.K.'s National Cyber Security Centre, has warned that more computers could be infected Monday as doctors' practices re-opened after the weekend.
The Japan Computer Emergency Response Team Coordination Center, a nonprofit group providing support in computer attacks, said 2,000 computers at 600 locations in Japan were reported affected. Companies including Hitachi and Nissan Motor Co. reported problems but said they said had not seriously affected their business operations.
Chinese state media said 29,372 institutions there had been infected along with hundreds of thousands of devices.
Universities and other educational institutions in China were among the hardest hit, possibly because schools tend to have old computers and be slow to update operating systems and security, said Fang Xingdong, founder of ChinaLabs, an internet strategy think tank.
On social media, students complained about not being able to access their work, and people in various cities said they hadn't been able to take their driving tests over the weekend because some local traffic police systems were down.
Railway stations, mail delivery, gas stations, hospitals, office buildings, shopping malls and government services also were affected, China's Xinhua News Agency said, citing the Threat Intelligence Center of Qihoo 360, a Chinese internet security services company.
Microsoft Solution Customer Guidance for WannaCrypt Attacks
Microsoft solution available to protect additional products
Today many of our customers around the world and the critical systems they depend on were victims of malicious “WannaCrypt” software. Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful. Microsoft worked throughout the day to ensure we understood the attack and were taking all possible actions to protect our customers. This blog spells out the steps every individual and business should take to stay protected. Additionally, we are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only, including Windows XP, Windows 8, and Windows Server 2003. Customers running Windows 10 were not targeted by the attack today.
Details are below.
- In March, we released a security update which addresses the vulnerability that these attacks are exploiting. Those who have Windows Update enabled are protected against attacks on this vulnerability. For those organizations who have not yet applied the security update, we suggest you immediately deploy Microsoft Security Bulletin MS17-010.
- For customers using Windows Defender, we released an update earlier today which detects this threat as Ransom:Win32/WannaCrypt. As an additional “defense-in-depth” measure, keep up-to-date anti-malware software installed on your machines. Customers running anti-malware software from any number of security companies can confirm with their provider, that they are protected.
- This attack type may evolve over time, so any additional defense-in-depth strategies will provide additional protections. (For example, to further protect against SMBv1 attacks, customers should consider blocking legacy protocols on their networks).
We also know that some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download (see links below).
Customers who are running supported versions of the operating system (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8.1, Windows Server 2012, Windows 10, Windows Server 2012 R2, Windows Server 2016) will have received the security update MS17-010 in March. If customers have automatic updates enabled or have installed the update, they are protected. For other customers, we encourage them to install the update as soon as possible.
This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.
Some of the observed attacks use common phishing tactics including malicious attachments. Customers should use vigilance when opening documents from untrusted or unknown sources. For Office 365 customers we are continually monitoring and updating to protect against these kinds of threats including Ransom:Win32/WannaCrypt. More information on the malware itself is available from the Microsoft Malware Protection Center on the Windows Security blog. For those new to the Microsoft Malware Protection Center, this is a technical discussion focused on providing the IT Security Professional with information to help further protect systems.
We are working with customers to provide additional assistance as this situation evolves, and will update this blog with details as appropriate.
Phillip Misner, Principal Security Group Manager Microsoft Security Response Center
Download localized language security updates: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86, Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64
General information on ransomware: https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx
MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Elsewhere in Asia, the Indonesian government urged businesses to update computer security after the malware locked patient files on computers in two hospitals in the capital, Jakarta.
Patients arriving at Dharmais Cancer Hospital had to wait several hours while staff worked with paper records.
Experts urged organizations and companies to immediately update older Microsoft operating systems, such as Windows XP, with a patch released by Microsoft Corp. to limit vulnerability to a more powerful version of the malware -- or to future versions that can't be stopped.
Paying ransom will not ensure any fix, said Eiichi Moriya, a cybersecurity expert and professor at Meiji University.
"You are dealing with a criminal," he said. "It's like after a robber enters your home. You can change the locks but what has happened cannot be undone. If someone kidnaps your child, you may pay your ransom but there is no guarantee your child will return."
New variants of the rapidly replicating worm were discovered Sunday. One did not include the so-called kill switch that allowed researchers to interrupt the malware's spread Friday by diverting it to a dead end on the internet.
Ryan Kalember, senior vice president at Proofpoint Inc. which helped stop its spread, said the version without a kill switch could spread. It was benign because it contained a flaw that prevented it from taking over computers and demanding ransom to unlock files but other more malicious ones will likely pop up.
"We haven't fully dodged this bullet at all until we're patched against the vulnerability itself," Kalember said.
The attack held users hostage by freezing their computers, popping up a red screen with the words, "Oops, your files have been encrypted!" and demanding money through online bitcoin payment -- $300 at first, rising to $600 before it destroys files hours later.
Just one click on an infected attachment or bad link would lead to all computers in a network becoming infected, said Vikram Thakur, technical director of Symantec Security Response.
"That's what makes this more troubling than ransomware was a week ago," Thakur said.
The attack has hit more than 200,000 victims across the world since Friday and is seen as an "escalating threat," said Rob Wainwright, the head of Europol, Europe's policing agency.
"The numbers are still going up," Wainwright said.
Microsoft's top lawyer is laying some of the blame at the feet of the U.S. government. Brad Smith criticized U.S. intelligence agencies, including the CIA and National Security Agency, for "stockpiling" software code that can be used by hackers. Cybersecurity experts say the unknown hackers who launched this weekend's "ransomware" attacks used a vulnerability that was exposed in NSA documents leaked online.
It was too early to say who was behind the onslaught, which struck 100,000 organizations, and what their motivation was, aside from the obvious demand for money. So far, not many people have paid the ransom demanded by the malware, Europol spokesman Jan Op Gen Oorth told The Associated Press.
Researchers who helped prevent the spread of the malware and cybersecurity firms worked around the clock over the weekend to monitor the situation and install the software patch.
"Right now, just about every IT department has been working all weekend rolling this out," said Dan Wire, spokesman at Fireeye Security.
Microsoft distributed the patch two months ago, which could have forestalled much of the attack, but in many organizations it was likely lost among the blizzard of updates and patches that large corporations and governments strain to manage.
Watt reported from Beijing. AP researcher Yu Bing and news assistant Liu Zheng in Beijing, John Leicester in Paris, Jill Lawless in London, Youkyung Lee in Seoul and Kelvin Chan in Hong Kong contributed to this report.