By Dustin Volz and Eric Auchard
WASHINGTON/FRANKFURT (Reuters) – U.S. and European officials scrambled to catch the culprits behind a massive ransomware worm that caused damage across the globe over the weekend, stopping car factories, hospitals, shops and schools, amid fears it could wreck fresh havoc on Monday when employees return to work.
Cybersecurity experts said the spread of the virus dubbed WannaCry – “ransomware” which locked up more than 200,000 computers in more than 150 countries – had slowed, but the respite might only be brief.
New versions of the worm are expected, they said, and the extent of the damage from Friday’s attack remains unclear.
The investigations into the attack were in the early stages, and attribution for cyber attacks is notoriously difficult.
U.S. President Donald Trump on Friday night ordered his homeland security advisor, Tom Bossert, to convene an “emergency meeting” to assess the threat posed by the global attack, a senior administration official told Reuters.
Senior U.S. security officials held another in the White House Situation Room on Saturday, and the FBI and the National Security Agency were working to help mitigate damage and identify the perpetrators of the massive cyber attack, said the official, who spoke on condition of anonymity to discuss internal deliberations.
The NSA is widely believed to have developed the hacking tool that was leaked online in April and used as a catalyst for the ransomware attack.
The original attack lost momentum late on Friday after a security researcher took control of a server connected to the outbreak, which crippled a feature that caused the malware to rapidly spread across infected networks.
Infected computers appear to largely be out-of-date devices that organizations deemed not worth the price of upgrading or, in some cases, machines involved in manufacturing or hospital functions that proved too difficult to patch without possibly disrupting crucial operations, security experts said.
Marin Ivezic, cybersecurity partner at PwC, said that some clients had been “working around the clock since the story broke” to restore systems and install software updates, or patches, or restore systems from backups.
Microsoft released patches last month and on Friday to fix a vulnerability that allowed the worm to spread across networks, a rare and powerful feature that caused infections to surge on Friday.
Code for exploiting that bug, which is known as “Eternal Blue,” was released on the internet in March by a hacking group known as the Shadow Brokers. The group claimed it was stolen from a repository of National Security Agency hacking tools. The agency has not responded to requests for comment.
Hong Kong-based Ivezic said that the ransomware was forcing some more “mature” clients affected by the worm to abandon their usual cautious testing of patches “to do unscheduled downtime and urgent patching, which is causing some inconvenience.”
He declined to identify clients who had been affected.
The head of the European Union police agency said on Sunday the cyber assault hit 200,000 victims in at least 150 countries and that number will grow when people return to work on Monday.
“At the moment, we are in the face of an escalating threat. The numbers are going up, I am worried about how the numbers will continue to grow when people go to work and turn (on) their machines on Monday morning,” Europol Director Rob Wainwright told Britain’s ITV.
MONDAY MORNING RUSH?
Monday was expected to be a busy day, especially in Asia which may not have seen the worst of the impact yet, as companies and organizations turned on their computers.
“Expect to hear a lot more about this tomorrow morning when users are back in their offices and might fall for phishing emails” or other as yet unconfirmed ways the worm may propagate, said Christian Karam, a Singapore-based security researcher.
Targets both large and small have been hit.
Renault said on Saturday it had halted manufacturing at plants in Sandouville, France, and Romania to prevent the spread of ransomware in its systems.
Among the other victims is a Nissan manufacturing plant in Sunderland, northeast England.
Hundreds of hospitals and clinics in the British National Health Service were infected on Friday, forcing them to send patients to other facilities.
German rail operator Deutsche Bahn said some electronic signs at stations announcing arrivals and departures were infected.
In Asia, some hospitals, schools, universities and other institutions were affected. International shipper FedEx Corp said some of its Windows computers were also breached.
Telecommunications company Telefonica was among the targets in Spain. Portugal Telecom and Telefonica Argentina both said they were also targeted.
A Jakarta hospital said on Sunday that the cyber attack had infected 400 computers, disrupting the registration of patients and finding records. The hospital said it expected big queues on Monday when about 500 people were due to register.
In Singapore, a company that supplies digital signage, MediaOnline, was rushing to fix its systems after a technician’s error had led to 12 kiosks being infected in two of the island country’s malls. Director Dennis So said the systems were not connected to malls’ or tenants’ networks.
“RANSOM” PAYMENTS MAY RISE
Account addresses hard-coded into the malicious WannaCry software code appear to show the attackers had received just under $32,500 in anonymous bitcoin currency as of 1100 GMT on Sunday, but that amount could rise as more victims rush to pay ransoms of $300 or more to regain access to their computers, just one day before the threatened deadline expires.
The threat receded over the weekend after a British-based researcher, who declined to give his name but tweets under the profile @MalwareTechBlog, said he stumbled on a way to at least temporarily limit the worm’s spread by registering a web address to which he noticed the malware was trying to connect.
Security experts said his move bought precious time for organisations seeking to block the attacks.
Researchers remained on high alert for new variants that could lead to a fresh wave of infections. Researchers from three security firms dismissed initial reports on Saturday that a new version of WannaCry/WannaCrypt had emerged, saying this was based on a rushed analysis of code data that proved erroneous.
The MalwareTech researcher warned on Twitter on Sunday: “Version 1 of WannaCrypt was stoppable but version 2.0 will likely remove the flaw. You’re only safe if you patch ASAP.”
Bryce Boland, Asia Pacific chief technology officer for FireEye, a cybersecurity company, said it would be straightforward for existing attackers to launch new releases or for other ransomware authors to start copying the way the malware replicated.
The U.S. government on Saturday issued a technical alert with advice on how to protect against the attacks, asking victims to report any to the Federal Bureau of Investigation or Department of Homeland Security.
(Additional reporting by Eric Auchard, Neil Jerome Morales, Masayuki Kitano, Kiyoshi Takenaka, Jose Rodriguez, Elizabeth Piper, Emmanuel Jarry, Orathai Sriring, Jemima Kelly, Alistair Smout, Andrea Shalal, Jack Stubbs, Antonella Cinelli, Dustin Volz, Kate Holton, Andy Bruce, Michael Holden, David Milliken, Tim Hepher, Luiza Ilie, Patricia Rua, Axel Bugge, Sabine Siebold and Eric Walsh, Engen Tham, Fransiska Nangoy, Soyoung Kim and Mai Nguyen; editing by Mark Heinrich and Nick Zieminski)