‘Ransomware’ outbreak slows as search for culprits picks up
Thousands more infections were reported with the start of the workweek, largely in Asia, which had been closed for business when the “ransomware” locked up computers Friday at hospitals, factories, government agencies, banks and other businesses. But the second wave of outbreaks that many feared when users returned to their offices Monday and switched their computers back on failed to materialize.
The IT expert who helped stop the spread of the attack says he believes the fight against the infection is “done and dusted.” Marcus Hutchins, 22, who works for Los Angeles-based cybersecurity firm Kryptos Logic, says although he was the person who registered a domain name that took down the virus, hundreds of others helped in the effort.
Lynne Owens, director-general of Britain's National Crime Agency, said there was no indication of a second surge in the cyberattack but warned, “That doesn't mean there won't be one.”
Security researchers have been disassembling the malicious software, known as WannaCry, in hopes of uncovering clues to who released it. They are doing the same with the “phishing” emails that helped the ransomware embed itself in computers.
Investigators also hope to learn more by examining ransom payments made by computer users via bitcoin, the hard-to-trace digital currency often used by criminals.
WannaCry paralyzed computers running mostly older versions of Microsoft Windows in some 150 countries. It encrypted users' computer files and displayed a message demanding anywhere from $300 to $600 to release them; failure to pay would leave the data mangled and likely beyond repair.
Steve Grobman of the security company McAfee said forensics experts are looking at how the ransomware was written and how it was run. WannaCry is a sophisticated piece of work, he said, which helps rule out the possibility it was released by pranksters or lower-level thieves.
As for anonymous bitcoin transactions, he said, it is sometimes possible to follow them until an identifiable person is found.
Not many people paid the ransom, said Jan Op Gen Oorth, a spokesman for Europol, the European police agency.
Eiichi Moriya, a cybersecurity expert and professor at Japan's Meiji University, warned that paying the ransom would not guarantee a fix.
“You are dealing with a criminal,” he said. “It's like after a robber enters your home. You can change the locks, but what has happened cannot be undone.”
Meanwhile, automaker Renault decided not to reopen a 3,500-employee plant in France on Monday as a “preventative step.”
In Britain, many hospitals and clinics that are part of the country's national health service were still having computer problems. Patients have had to be turned away because their records were inaccessible.
In the U.S., where the effects haven't appeared to be widespread, investigators believe additional companies have been attacked but have not yet come forward to report it, a law enforcement official said.
In China, state media said more than 29,000 institutions there had been infected along with hundreds of thousands of devices.
In Japan, companies such as Hitachi and Nissan reported problems but said their operations had not been seriously affected. In Indonesia, the ransomware locked patient files on computers in two hospitals in the capital, Jakarta, causing delays.
Experts urged organizations and companies to immediately update older Microsoft operating systems, such as Windows XP, with a patch released by the company.