Cyber attack's impact could worsen in 'second wave' of ransomware

US and European officials scrambled to catch the culprits behind a massive ransomware worm that caused damage across the globe over the weekend, amid fears it could wreck fresh havoc on Monday when employees return to work.
Signage is seen outside The Royal London Hospital in London which was hit by Friday's cyberattack.
Signage is seen outside The Royal London Hospital in London which was hit by Friday's cyberattack.PHOTO: AFP

LONDON - Security experts are warning that the global cyber attack that began on Friday (May 12) is likely to be magnified in the new workweek as users return to their offices and turn on their computers.

Many workers, particularly in Asia, had logged off on Friday before the malicious software, stolen from the US government, began proliferating across computer systems around the world. So the true effect of the attack may emerge Monday (May 15) as employees return and log in.

Moreover, copycat variants of the malicious software behind the attacks have begun to spread, according to experts.

"We are in the second wave," said Matthieu Suiche of Comae Technologies, a cyber security company based in the United Arab Emirates. "As expected, the attackers have released new variants of the malware. We can surely expect more."


Britain's National Cyber Security Centre said Sunday that it had seen "no sustained new attacks" but warned that compromised computers may have not yet been detected and that the malware could further spread within networks.

The cyber attack has hit 200,000 computers in more than 150 countries, according to Rob Wainwright, executive director of Europol, the European Union's police agency.

"At the moment, we are in the face of an escalating threat," he told the British network ITV Sunday. "The numbers are going up. I am worried about how the numbers will continue to grow when people go to work and turn their machines on Monday morning."

Among the organisations hit were FedEx in the United States, the Spanish telecom giant Telefónica, the French automaker Renault, universities in China, Germany's federal railway system and Russia's Interior Ministry. The most disruptive attacks infected Britain's public health system, where surgeries had to be rescheduled and some patients were turned away from emergency rooms.

A 22-year-old British researcher who uses the Twitter name MalwareTech has been credited with inadvertently helping to stanch the spread of the assault by identifying the web domain for the hackers' "kill switch" - a way of disabling the malware. Suiche of Comae Technologies said he did the same for one of the new variants of malware to surface since the initial wave.


On Sunday, MalwareTech was one of many security experts warning that a less-vulnerable version of the malware is likely to be released. On Twitter, he urged users to immediately install a security patch for older versions of Microsoft's Windows, including Windows XP. (The attack did not target Windows 10.)

Robert Pritchard, a former cyber security expert at Britain's defence ministry, said that security specialists might not be able to keep pace with the hackers.

"This vulnerability still exits; other people are bound to exploit it," he said. "The current variant will make its way into anti-virus software. But what about any new variants that will come in the future?"

All it would take is for a new group of hackers to change the original malware code slightly to remove the "kill switch" and send it off into the world, using the same email-based methods to infiltrate computer systems that the original attackers used, experts said. The Microsoft patch will help, but installing it across large organisations will take time.

Governments around the world were bracing themselves for the start of the workweek.


"This is crucial for businesses when reopening on Monday: Please beware and anticipate, and take preventive steps against the WannaCry malware attack," Indonesia's communication and information minister, Rudiantara, who like many Indonesians uses only one name, said at a news conference.

He confirmed that one hospital - Dharmais Hospital in the capital, Jakarta, which specialises in cancer treatment - had been afflicted by the malware, but without major effects on patients.

"Through collective efforts by Indonesian cyber security stakeholders, I am optimistic that we will be able to minimise the severity of the threat," Rudiantara said in a phone interview.

In China, several universities reported malware problems, including Shandong University in the northeast, which urged faculty members and students to update their software as quickly as possible.

"There is often no other way to decrypt the file, except to pay a high ransom to decrypt and recover the documents, learning materials and personal data," the notice warned on Saturday.

Microsoft has complained for years that the large majority of computers running its software were using pirated versions. The spread of hacking attacks has made legal versions of software more popular, as they typically provide automatic updates of security upgrades.

But Edward J Snowden's release in 2013 of extensive information about hacking by the US government, some of it aimed at monitoring China's rapid military buildup, alarmed the Chinese leadership. The leak by Snowden, a former National Security Agency contractor, helped accelerate a broad push to develop Chinese-brand software and hardware that would be hard for Western intelligence agencies to penetrate but that would still allow monitoring of the population by Chinese security agencies.

In Britain, the fallout from the attack continued on Sunday. Two opposition parties, the Labour Party and the Liberal Democrats, asserted that the governing Conservative Party had not done enough to prevent the attack. With a general election scheduled for June 8, officials have been racing to get ahead of the problem.


Britain's defence minister, Michael Fallon, told the BBC on Sunday that the government was spending about 50 million pounds (about US$64 million) to improve cyber security at the National Health Service, where many computers still run the outdated Windows XP software, which Microsoft had stopped supporting.

A government regulator warned the NHS last July that updating antiquated hardware and software was "a matter of urgency," and noted that one hospital had already had to pay 700,000 pounds to repair a breach that began after an employee clicked on a web link in an unsafe email.

"The threat from cyberattacks has not only put patient information at risk of loss or compromise but also jeopardises access to critical patient record systems by clinicians," the regulator, the Care Quality Commission, wrote in its report.

At the National Health Service, employees said they had been cautioned about their computer use.

"We are all being extra careful," said Greg Elston, a paramedic at St. Mary's Hospital in central London. "We've been instructed not to open email attachments on our phones."

Nancy Harper, who accompanied her mother to the hospital on Saturday for an X-ray, said: "It's concerning that the NHS was dependent on these outdated systems. If your average person has access to cheap cloud storage these days, then hospitals should be using similar backup methods. I hope this was a wake-up call."

Others praised the service for maintaining services despite the strain. Himmat Sandut, who took his mother to the emergency room after she collapsed at home, said his experience had been smooth and fast.

"I was worried we would be faced with a huge queue, but we were seen within 10 minutes, and they've now given my mum a bed," he said on Saturday. "I'm surprised and impressed under the current circumstances."

The least functioning part of the hospital appeared to be the elevator, which got stuck on Saturday before resuming operations - in the wrong direction.

"Was the elevator hacked as well?" one man asked jokingly, causing an elevator packed with tense doctors and nurses to erupt in laughter. "Are we going to have to pay a ransom to get out?"