SINGAPORE/TORONTO Technical staff scrambled on Sunday to patch computers and restore infected ones, amid fears that the ransomware worm that stopped car factories, hospitals, shops and schools could wreak fresh havoc on Monday when employees log back on.
The spread of the virus dubbed WannaCry – “ransomware” which locked up more than 100,000 computers – had slowed, cybersecurity experts said, but they warned that the respite may be brief.
New versions of the worm were expected, and the extent of the damage from Friday’s attack was still unclear.
Marin Ivezic, cybersecurity partner at PwC, said that some clients had been “working around the clock since the story broke” to restore systems and install software updates, or patches, or restore systems from backups.
Microsoft released patches last month and on Friday to fix a vulnerability that allowed the worm to spread across networks, a rare and powerful feature that caused infections to surge on Friday.
Code for exploiting that bug, which is known as “Eternal Blue,” was released on the internet in March by a hacking group known as the Shadow Brokers.
The group claimed it was stolen from a repository of National Security Agency hacking tools. The agency has not responded to requests for comment.
Hong Kong-based Ivezic said that the ransomware was forcing some more “mature” clients affected by the worm to abandon their usual cautious testing of patches “to do unscheduled downtime and urgent patching which is causing some inconvenience.”
He declined to identify which clients had been affected.
MONDAY MORNING RUSH?
Monday was expected to be a busy day, especially in Asia which may not have seen the worst of the impact yet, as companies and organisations turned on their computers.
“Expect to hear a lot more about this tomorrow morning when users are back in their offices and might fall for phishing emails” or other as yet unconfirmed ways the worm may propagate, said Christian Karam, a Singapore-based security researcher.
Targets both large and small have been hit.
Renault on Saturday said it had halted manufacturing at plants in Sandouville, France, and Romania to prevent the spread of ransomware in its systems.
Among the other victims is a Nissan manufacturing plant in Sunderland, northeast England.
Hundreds of hospitals and clinics in the British National Health Service were infected on Friday, forcing them to send patients to other facilities.
German rail operator Deutsche Bahn said some electronic signs at stations announcing arrivals and departures were infected.
In Asia, some hospitals, schools, universities and other institutions were affected. International shipper FedEx Corp said some of its Windows computers were also breached.
Telecommunications company Telefonica was among the targets in Spain. Portugal Telecom and Telefonica Argentina both said they were also targeted.
A Jakarta hospital said on Sunday that the cyber virus had infected 400 computers, disrupting the registration of patients and finding records. The hospital said it expected big queues on Monday when about 500 people were due to register.
In Singapore, a company that supplies digital signage, MediaOnline, was rushing to fix its systems after a technician’s error had led to 12 kiosks being infected in two of the island’s malls. Director Dennis So said the systems were not connected to the malls’ or tenants’ networks.
Symantec, a cybersecurity company, predicted infections so far would cost tens of millions of dollars, mostly from cleaning corporate networks. Ransoms paid amount to tens of thousands of dollars, one analyst said, but he predicted they would rise.
Governments and private security firms on Saturday said that they expected hackers to tweak the malicious code used in Friday’s attack, restoring the ability to self-replicate.
“This particular attack was relatively easy to shut down,” said Bryce Boland, Asia Pacific chief technology officer for FireEye, a cybersecurity company.
But he said it would be straightforward for the existing attackers to launch new releases or for other ransomware authors to start copying the way the malware replicated.
The U.S. government on Saturday issued a technical alert with advice on how to protect against the attacks, asking victims to report attacks to the Federal Bureau of Investigation or Department of Homeland Security.
(Additional reporting by Additional reporting by Neil Jerome Morales, Masayuki Kitano, Kiyoshi Takenaka, Jose Rodriguez, Emmanuel Jarry, Orathai Sriring, Jemima Kelly, Alistair Smout, Andrea Shalal, Jack Stubbs, Antonella Cinelli, Dustin Volz, Kate Holton, Andy Bruce, Michael Holden, David Milliken, Tim Hepher, Luiza Ilie, Patricia Rua, Axel Bugge, Sabine Siebold and Eric Walsh, Engen Tham, Fransiska Nangoy, Soyoung Kim, Mai Nguyen; Editing by Mike Collett-White)