Businesses around the world are preparing for a further cyber attack amid fears that a lull in the computer bug that halted production at car factories, operations at hospitals and work at schools and other organisations is only temporary.
The pace of the attack by the destructive virus dubbed “WannaCry” slowed late on Friday.
However, this has done little to calm fears of further attacks.
WannaCry exploited a vulnerability to spread itself across networks, a rare and powerful feature that caused infections to surge on Friday.
More than 100,000 computers were locked up by the ransomware. Users were told to pay $300 to $600 to get their data back.
How many computers were affected?
A lot. Security software maker Avast says it logged 126,534 ransomware infections in 99 countries.
Russia, Ukraine and Taiwan were the top targets.
BREAKING: IT security firm Avast says it has detected more than 75,000 “WannaCry” ransomware attacks across 99 countries; Russia hardest hit pic.twitter.com/r2YtMst45B— BNO News (@BNONews) 12 mai 2017
NBC News (@NBCNews) 14 mai 2017
Was it just individuals who were affected?
No. Government organisations and business conglomerates were also impacted.
French car-maker Renault says it halted manufacturing at its plants in Sandouville in France and Romania to prevent the spread of ransomware in its systems.
Car-maker Nissan was also affected but a spokesman said there has been no major impact on the business.
NHSDigital</a> statement on <a href="https://twitter.com/hashtag/NHScyberattack?src=hash">#NHScyberattack</a> and Windows XP: <a href="https://t.co/ww6pbh0dK2">https://t.co/ww6pbh0dK2</a></p>— NHS Digital (NHSDigital) 13 mai 2017
Hundreds of hospitals and clinics in the UK’s National Health Service were affected on Friday. Patients had to be sent to other facilities.
Rançongiciels : les systèmes d'affichage de la Deutsche Bahn (équivalent des CFF en Allemagne) infectés:https://t.co/LuQ3lNKuEf— starbuck3000 (@starbuck3000) 13 mai 2017
German rail operator Deutsche Bahn said some electronic signs at stations were corrupted.
Further afield in Asia some hospitals, schools, universities and other institutions were affected.
International shipper FedEx Corp said some of its Windows systems were also breached.
Comunicado de Telefónica sobre incidencia de ciberseguridad https://t.co/4WdjICfz0P— Telefónica (@Telefonica) 12 mai 2017
Telecommunications giant Telefonica is among many targets in Spain.
Portugal Telecom and Telefonica Argentina also say they were targeted.
Do they know who is behind the attack?
There are suspicions. Code for exploiting the bug, which is known as “Eternal Blue”, was released on the internet in March by a hacking group known as the Shadow Brokers.
The group claimed it was stolen from a repository of National Security Agency hacking tools.
The NSA has not responded to requests for comment.
The identity of the Shadow Brokers is not known although there are suggestions from researchers that they are based in Russia.
The country is a major source of ransomware and was one of those hit first and hardest by WannaCry.
Is an investigation underway?
Yes. Europol’s European Cybercrime Cenre says it is working closely with national law enforcement agencies and private security firms to combat the threat and help victims.
EC3Europol</a> is supporting countries. <a href="https://twitter.com/hashtag/WannaCry?src=hash">#WannaCry</a> <a href="https://twitter.com/hashtag/Ransomware?src=hash">#Ransomware</a> attack at unprecedented level and requires international investigation.</p>— Europol (Europol) 13 mai 2017
CCNCERT</a> has developed a tool to prevent the <a href="https://twitter.com/hashtag/WannaCry?src=hash">#WannaCry</a> 2.0 <a href="https://twitter.com/hashtag/ransomware?src=hash">#ransomware</a> infection <a href="https://t.co/3msScNhe5f">https://t.co/3msScNhe5f</a></p>— EC3 (EC3Europol) 13 mai 2017
Finance chiefs from the G7 have committed to joining forces to fight the growing threat of international cyber attacks, according to a draft statement from their meeting in Italy.
Is it likely there will be further attacks?
It is possible. Cyber security experts have been on the watch for months for an “Eternal Blue”-based attack.
They are expecting the computer code to be used in types of cyber attacks beyond extortion campaigns, including efforts to seize control of networks and steal data.
Governments and private security firms say they expect hackers to tweak the malicious code used in Friday’s attack, restoring its ability to self-replicate.
There are concerns infections could surge again on Monday, when workers return to the office and turn on computers.
What are companies doing?
They are working to protect their Windows systems with patches released by Microsoft last month and again on Friday.
How much has it cost so far?
A lot. Experts have predicted the cost of cleaning corporate networks could run into tens of millions of dollars.
Tens of thousands of dollars have been paid out in ransom and analysts say that figure could rise.
Elliptic, a private security firm that investigates ransomware attacks, says around $32,000 has been sent to bitcoin addresses listed in on-screen ransom demands.
What they are saying
“It’s paused but it’s going to happen again. We absolutely anticipate that this will come back,” – Patrick McBride from cyber-security firm Claroty.
“It’s all hands on deck,” – Shane Shook, independent security consultant working with large corporations and governments.
“The expensive part is the clean-up of the machine and restoring the encrypted data,” – Symantec researcher Vikram Thakur.
“We are implementing remediation steps as quickly as possible” – FedEx statement.
“The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits,” – Europol statement.
“Appropriate economy-wide policy responses are needed,” – draft statement from G7 ministers