LONDON (REUTERS, AFP) - The world's biggest cyber attack hobbled Chinese traffic police and schools on Monday (May 15) as it rolled into Asia for the new work week but levelled off in Europe thanks to a pushback by cyber security officials after causing havoc in 150 countries.
In Britain, where the virus first raised global alarm when it caused hospitals to divert ambulances on Friday, it gained traction as a political issue just weeks before a general election. The opposition Labour Party accused the Conservative government of leaving the National Health Service vulnerable.
But global fears eased on Monday as the number of incidents reported tapered off.
President Vladimir Putin denied Russia, which has been accused of cyber meddling in several countries around the world in recent years, had anything to do with an attack that hit hundreds of thousands of computers.
"Microsoft's leadership stated this directly, they said the source of the virus was the special services of the United States," Putin said on the sidelines of a summit in Beijing.
Putin said the incident was "worrisome" but had done "no significant damage" in Russia and called for urgent international talks on countering the hackers.
"A protection system... needs to be worked out," he said.
Brad Smith, Microsoft's president and chief legal officer, earlier said the code used in the attack was originally developed by the US National Security Agency.
He warned governments against stockpiling such code and said instead they should report vulnerabilities to manufacturers - not sell, store or exploit them, lest they fall into the wrong hands.
"An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen," Smith wrote. "The governments of the world should treat this attack as a wake up call."
The cross-border police agency Europol said the situation was now "stable", defusing concerns that attacks that struck computers in British hospital wards, European car factories and Russian banks would spread further at the start of the working week.
"The number of victims appears not to have gone up and so far the situation seems stable in Europe, which is a success," senior spokesman for Europol, Jan Op Gen Oorth, told AFP.
"It seems that a lot of internet security guys over the weekend did their homework and ran the security software updates," he said.
The indiscriminate attack was unleashed on Friday, striking hundreds of thousands of computers worldwide by exploiting known vulnerabilities in older Microsoft computer operating systems.
US package delivery giant FedEx, Spanish telecoms giant Telefonica and Germany's Deutsche Bahn rail network were among those hit in the attacks, which demanded money to allow users to unblock their computers.
French carmaker Renault said its Douai plant, one of its biggest sites in France employing 5,500 people, would be shut on Monday as systems were upgraded.
IMPACT IN ASIA LIMITED
Over in Asia, China appeared over the weekend to have been particularly vulnerable, raising worries about how well the world's second largest economy would cope when it opened for business on Monday. However, officials and security firms said the spread was starting to slow.
"The growth rate of infected institutions on Monday has slowed significantly compared to the previous two days," said Chinese Internet security company Qihoo 360. "Previous concerns of a wide-scale infection of domestic institutions did not eventuate." Qihoo had previously said the attack had infected close to 30,000 organisations by Saturday evening, more than 4,000 of which were educational institutions.
An official from Cybersecurity Administration China (CAC) told local media on Monday that while the ransomware was still spreading and had affected industry and government computer systems, the spread was slowing.
Chinese government bodies from transport, social security, industry watchdogs and immigration said they had suspended services ranging from processing applications to traffic crime enforcement.
It was not immediately clear whether those services were suspended due to attacks, or for emergency patching to prevent infection. "If a system supports some kind of critical processes those systems typically are very hard to patch ... We don't have a precedent for something of this scale (in China)," said Marin Ivezic, a cybersecurity expert at PwC in Hong Kong.
Affected bodies included a social security department in the city of Changsha, the exit-entry bureau in Dalian, a housing fund in Zhuhai and an industry watchdog in Xuzhou.
Energy giant PetroChina said payment systems at some of its petrol stations were hit, although it had been able to restore most of the systems.
Elsewhere in Asia, the impact seems to have been more limited.
Japan's National Police Agency reported two breaches of computers in the country on Sunday - one at a hospital and the other case involving a private person - but no loss of funds.
Industrial conglomerate Hitachi Ltd said the attack had affected its systems at some point over the weekend, leaving them unable to receive and send e-mails or open attachments in some cases.
In India, the government said it had only received a few reports of attacks on systems and urged those hit not to pay attackers any ransom. No major Indian corporations reported disruptions to operations.
At Indonesia's biggest cancer hospital, Dharmais Hospital in Jakarta, around 100-200 people packed waiting rooms after the institution was hit by cyber attacks affecting scores of computers. By late morning, some people were still filling out forms manually, but the hospital said 70 per cent of systems were back online.
South Korea's presidential Blue House office said nine cases of ransomware were found in the country, but did not provide details on where the cyber attacks were discovered.
A coal port in New Zealand shut temporarily to upgrade its systems.
'OOOPS' MESSAGE
The attack blocks computers and puts up images on victims' screens demanding payment of US$300 (S$420) in the virtual currency Bitcoin, saying: "Ooops, your files have been encrypted!"
Payment is demanded within three days or the price is doubled, and if none is received within seven days the locked files will be deleted, according to the screen message.
Bitcoin, the world's most-used virtual currency, allows anonymous transactions via heavily encrypted codes.
Experts and governments alike warn against ceding to the demands and Wainwright said few victims so far had been paying up.
Still, there were reports of some victims ignoring official advice and paying the ransom. Brian Lord, managing director of cyber and technology at cyber security firm PGI, said victims had told him "the customer service provided by the criminals is second to none", with helpful advice on how to pay: "One customer said they actually forgot they were being robbed."
Security firm Digital Shadows said on Sunday that transactions totalling US$32,000 had taken place through Bitcoin addresses used by the ransomware.
The culprits used a digital code believed to have been developed by the US NSA - and subsequently leaked as part of a document dump, according to researchers at the Moscow-based computer security firm Kaspersky Lab.
A hacking group called Shadow Brokers released the malware in April, claiming to have discovered the flaw from the NSA, Kaspersky said.
The attack is unique, according to Europol, because it combines ransomware with a worm function, meaning once one machine is infected, the entire internal network is scanned and other vulnerable machines are infected.
The attack therefore spread faster than previous, smaller-scale ransomware attacks.
HOSPITALS, BANKS AND AUTOMOBILES
Anti-virus experts Symantec said the majority of organisations affected were in Europe.
Europol said few banks in Europe had been affected, having learned through the "painful experience of being the number one target of cyber crime" the value of having the latest cyber security in place.
Infected computers appear to largely be out-of-date devices that organisations deemed not worth the price of upgrading. Some have also been machines involved in manufacturing or hospital functions, difficult to patch without disrupting operations.
A fifth of regional hospital associations in Britain's National Health Service were affected and several still had to cancel appointments on Monday, as doctors warned of delays as they cannot access medical records.
"The government's response has been chaotic, to be frank," the British Labour Party's health spokesman Jon Ashworth said."They've complacently dismissed warnings which experts, we now understand, have made in recent weeks." "The truth is, if you're going to cut infrastructure budgets and if you're not going to allow the NHS to invest in upgrading its IT, then you are going to leave hospitals wide open to this sort of attack."
Britain's National Health Service (NHS) is the world's fifth largest employer after the US and Chinese militaries, Walmart and McDonald's. The government says that under a previous Labour administration the trusts that run local hospitals were given responsibility to manage their own computer systems.
Asked if the government had ignored warnings over the NHS being at risk from cyber attack, Prime Minister Theresa May told Sky News: "No. It was clear warnings were given to hospital trusts."
Russia said its banking system was among the victims of the attacks, along with the railway system, although it added that no problems were detected.
French carmaker Renault was forced to stop production at sites in France, Slovenia and Romania, while FedEx said it was "implementing remediation steps as quickly as possible".
