Cyber attack: Ransomware cases reported in Asia

The WannaCry ransomware worm hits governments and businesses across Asia and experts warn of a wider impact to come globally as employees returning from the weekend switch on computers and check e-mails.
A programmer shows a sample of a ransomware cyberattack on a laptop in Taipei, Taiwan. PHOTO: EPA

Asian governments and businesses reported some disruptions from the WannaCry ransomware worm on Monday (May 15) but cyber security experts warned of a wider impact as more employees turned on their computers and checked their e-mails.

In China, the world's second-largest economy, payment systems and government services reported some outages from the ransomware attack, but far less than feared. Disruptions were low in the rest of Asia, including Japan, India, South Korea and Australia.

European governments and companies appeared to have avoided further fallout from a crippling global cyber attack, said the police agency Europol.

The WannaCry worm, which erupted on Friday, locked up hundreds of thousands of computers in more than 150 countries, hitting factories, hospitals, shops and schools worldwide.

Here's what we know about the cases reported in Asia so far:


Chinese local authorities from traffic police to industry regulators were hobbled on Monday by a massive global ransomware attack, but the spread of the WannaCry worm in the country appeared less aggressive than initially feared.

Dozens of local Chinese authorities said they had suspended some of their services due to the attack that has disrupted operations at car factories, hospitals, shops and schools around the world.

However, officials and security firms said the spread was starting to slow in the country, which has the world's largest number of Internet users. "The growth rate of infected institutions on Monday has slowed significantly compared to the previous two days," said Chinese Internet security company Qihoo 360. "Previous concerns of a wide-scale infection of domestic institutions did not eventuate."

Qihoo has previously said the attack had infected close to 30,000 organisations by Saturday evening. Of that, over 4,000 were educational institutions.

An official from Cybersecurity Administration China (CAC) told local media on Monday that while the ransomware was still spreading and had affected industry and government computer systems, the spread was slowing.

China remained a major source of attack from infected computers, at least during the Asian day, said Michael Gazeley, managing director of Network Box, a Hong Kong-based cybersecurity firm.

At about noon, nearly 47 per cent of attacks on Network Box's clients came from China, Gazeley said, although this could change as Europe and US computers are turned on.

A train arriving at the freight railway station in Yiwu, Zhejiang province. PHOTO: REUTERS

East China's Jiangsu and Zhejiang provinces were the most affected regions in China, according to the Global Times. Affected agencies included train stations and post offices, it said.

A press release by the China National Petroleum Corporation said the malware affected its petrol stations, preventing customers from using cards to pay.

State-owned oil giant PetroChina also said in a statement that it had to disconnect the networks linking its petrol stations nationwide for 12 hours on Saturday after the company's Internet payment functions were disabled. Customers were forced to use cash during the shutdown. By late Sunday, around 80 per cent of its network was back online, PetroChina said.

Several schools - including Nanchang University, Shandong University and University of Electronic Science and Technology of China - issued alerts over the weekend on their Weibo social-media feeds, warning staff and students to back up important files and not to open suspicious e-mails.

According to Chinese magazine Caijing, some students' graduation theses and projects have reportedly been encrypted.

Beijing authorities said they have also detected a new mutated version of the malicious ransomware WannaCry and have urged all departments to take measures to prevent attacks, reported Global Times.

The authorities jointly issued a notice on Sunday, saying that the mutated version, dubbed WannaCry 2.0, has managed to override its previous kill switch and can no longer be prevented from spreading.


Three cases of ransomware have been reported in Hong Kong as people returned to work on Monday, reported South China Morning Post (SCMP).

The three individuals who were affected did not install the latest security updates on their Windows 7 operating systems and were directly connected to the Internet, according to the Hong Kong Computer Emergency Response Team (HKCERT), which handles cybersecurity incidents in the city.

"This malware is different from previous ones as users would only get hacked if they downloaded a file in an e-mail or clicked on a link. But this malware requires no active action at all, which makes it much more intrusive," HKCERT's Leung Siu-cheong, who specialises in cybersecurity, told SCMP.

Mr Leung explained that the malware actively scans the Internet for users who do not have the latest security updates to block malicious Internet traffic, and even those with antivirus software could still be vulnerable.

Mr Leung and IT sector lawmaker Charles Mok said users should not pay the ransom as there was no guarantee that access will be granted afterwards.

"It also means you would be supporting and funding these hackers to do their research... so you have to be prepared that you won't be able to get your files back," Mr Mok said.

The two also warned Hongkongers to take preventive measures as the fast-spreading ransomware has already shown signs of evolving and working around quick fixes.

"Hongkongers need to frequently get into the habit of installing the latest security updates and making backups of their files. Just because you were not infected this time, doesn't mean you are safe from the next attack, or other malware," Mr Mok was quoted as saying.


South Korea's presidential Blue House office said on Monday there have been nine cases of ransomware found in the country so far, but did not provide details on where the cyber attacks were discovered.

The authorities have been analysing 48 samples of the cyber worm and the government has warned South Koreans how to protect their computers from being taken hostage, said the Blue House's Yoon Young Chan in a media briefing.

The country's government computer systems have not been affected, an official at the Interior Ministry's integrated government computer centre was quoted as saying by Yonhap news agency.

"We've taken necessary measures against WannaCry, and no damage has been reported as of Monday morning," the official said.

"All business computers of local governments are also safe from the attack as they are linked to the ministry's computer centre," the official said, adding that the centre completed security patch updates, especially for servers and PCs that use MS Windows.

In the meantime, South Korea's major theater chain CJ CGV said around 50 of its complexes are estimated to have been attacked by the malware.


In Japan, a spokesman for conglomerate Hitachi said on Monday that the company's computer networks were "unstable", crippling its e-mail systems.

"We found the problems this morning. We assume that the problems are due to the weekend's global cyber attacks. We have not received any reports of damage to our production. We don't know when the problem can be solved," said the spokesman, who spoke on condition of anonymity.

A personal computer owned by JR East was also affected but the transport company was quick to stress that the machine was not linked to the internal network and there was no risk of the virus affecting its railway systems.

Two hospital computers were also affected, although these were "general use" computers not connected to any networks. The National Police Agency has not revealed the names of these hospitals, and said there is no impact on inpatient treatments or emergency operations.

Meanwhile, an "information communication room" began operation on Monday within the Prime Minister's Office to deal with the fallout of any potential ransomware attack.

Top government spokesman Yoshihide Suga also told a daily news conference there are no concerns as yet of any major damage to Japan's networks.


A cyber cafe in Taipei, Taiwan. PHOTO: EPA

Taiwan has been put on high alert after it was reportedly one of the top targets of the cyber attack.

Many individuals reported on Taiwanese social media websites on Saturday that they had been affected by the malware, reported The Telegraph.

"Currently we haven't received any response from the government agencies or our hospital systems. Currently they are not under attack by the virus," Mr Howard Jyan, director-general of the government's cyber security department, said on Saturday.

Mr Jyan issued a warning to the public on Friday night after the department became aware of the global virus, urging the public to be vigilant about installing anti-virus software and to be aware of suspicious emails.

He said Taiwan's institutions were ready for any major attack. "We can control the situation," he said.

Researchers with security software maker Avast said they had observed 57,000 infections in 99 countries, with Taiwan among the top targets.


More than two dozen companies in the Philippines were hit in the global ransomware attack, but most have moved quickly to contain the damage.

A cybersecurity expert told The Straits Times he is aware of at least 28 companies here that have been infected by the worm dubbed WannaCry.

He declined to name the companies because he works with some of them, but said the biggest to take a hit was a multinational logistics company.

He described the scale of the damages as "small to medium", explaining that the malware infected only 30 per cent of the affected servers and computers.

The companies contained the damage by just reformatting their servers and restoring their data from backups, he said.

"We took a minor hit, but there's still the risk. There are still many more malwares out there, but companies here are just being reactive. Most of them just ignore the threat," he said.

Police and justice officials said on Sunday they have yet to receive reports of an attack, but that their cybercrime units were already checking for vulnerabilities in the government's internet infrastructure.

"So far, we have yet to receive reports regarding the incident," Superintendent Jay Guillermo, a spokesman for the Anti-Cybercrime Group told reporters.

He added, though, that companies do not usually report data breaches.

But he advised the companies affected to retain information that could lead to the source of the attacks.


A general view of the Dharmais Hospital in Jakarta, Indonesia. PHOTO: REUTERS

One hospital - Dharmais Hospital in the capital, Jakarta, which specialises in cancer treatment - had been afflicted by the malware, but without major effects on patients.

Indonesia's communication and information minister Rudiantara on Sunday advised those hit by the malware against paying ransoms to regain access to encrypted data, as there was no guarantee the virus spreader would decrypt files.

"Through collective efforts by Indonesian cyber security stakeholders, I am optimistic that we will be able to minimise the severity of the threat," he said.

On Saturday, an official at his ministry said that at least two Jakarta hospitals, Dharmais and Harapan Kita, were affected by the attack. Harapan Kita later denied it had been affected.

In Dharmais, a nurse reported at 5am on Saturday that a computer unit was displaying a message demanding US$300 (S$422), according to a hospital staff member, who gave his name only as Willy.

An hour later, many more computers were found to be infected and hospital staff said that data was locked on about 400 units in all at the hospital. The attack has not affected critical health services but has caused bottlenecks in the patient admissions process, Willy said.


One large advertising board on Wireless Road in central Bangkok was seen with the ransomware message on Saturday, and some Twitter users have posted photos of the board.

The authorities have checked with hospitals but did not find any reports of attacks. The government has urged users to update their software.

Online gaming server Garena Online (Thailand) said it had to close its MMORPG game Blade & Soul on Saturday after it was hit by the attack.

But in a post on Facebook, it said no player information of the online game developed by South Korean firm NCsoft has been lost.

By Sunday, Thai players were able to resume their games where they left off.


The WannaCry ransomware affecting IT users around the world has surfaced in Malaysia, according to a cyber security expert quoted by The Star.

C.F. Fong, founder of the cyber security firm LGMS, said that a director of one of his client companies discovered the ransomware on his personal laptop on Saturday morning.

The malware that infected the laptop was the initial version of WannaCry, said Fong, whose company specialises in IT security services, adding that the laptop was subsequently formatted.

Fong said the victim did not report the ransomware attack to the Malaysian Communications and Multimedia Commission (MCMC) as he was not obligated to do so. "The ransomware attacks occurred on Friday, so you're not really going to hear about it until today. We expect to see more cases, but we are hoping that we won't," he said on Monday.

Fong added that his clients - which include major banks in Malaysia - have not reported any attacks so far.

A livemap tracking the spread of the ransomware also showed that it has appeared in Malaysia. A new variant of the ransomware called WanaCrypt0r 2.0 is also reported to have surfaced in cyberspace.

Earlier, the Malaysian Communications and Multimedia Commission said it had yet to receive any report of WannaCry attacks in the country as of noon on Monday, The Star reported.


India said on Monday its computer systems have largely escaped the ransomware attack, and that state organisations managing government websites and building supercomputers have installed security patches issued by Microsoft Corp.

Aruna Sundararajan, secretary of India's Ministry of Electronics and Information Technology, told Reuters the government was constantly monitoring the situation and that a few stand-alone computers of a police department were "back in action" after being infected over the weekend. It was not immediately clear what the police department did to secure its systems.

India's National Informatics Centre, which builds and manages almost all government websites, and the Centre for Development of Advanced Computing, a premier research institute that has built supercomputers, have actively installed patches to immunise their Windows systems, Sundararajan said.


Vietnam's cyber security centers Bkav and Vncert have issued warnings about a wider impact from the malware in Vietnam on Monday when office workers turn on their computers and check e-mails, reported VnExpress.

Vietnam is among the top 20 hardest hit countries, along with China, India, Ukraine and the US, according to experts.


Steven Path, president of ICT Federation of Cambodia, a telecom industry body, said Cambodia had so far been untouched by the cyber attack.

The Phnom Penh Post quoted him as saying his group had not seen any attacks so far among its members but were still trying to gather more information on the hack.

"It seems to be spreading very fast across Europe and the US," he said. "We have not heard of any attacks in Cambodia."

SOURCES: Reuters, Agence France-Presse, NYTimes, The Star/Asia News Network, South China Morning Post, Global Times, VnExpress, The Phnom Penh Post, Yonhap

Additional reporting by Raul Dancel, Yasmin Lee Arpon, Walter Sim
