Technical staff scrambled on Sunday to patch computers and restore infected ones, amid fears that the ransomware worm that stopped car factories, hospitals, shops and schools could wreak fresh havoc on Monday when employees log back on.
Cybersecurity experts said the spread of the virus dubbed WannaCry – “ransomware” which locked up more than 100,000 computers – had slowed, but the respite might only be brief.
New versions of the worm are expected, they said, and the extent of the damage from Friday’s attack remains unclear.
Marin Ivezic, cybersecurity partner at PwC, said that some clients had been “working around the clock since the story broke” to install software updates, or patches, or restore systems from backups.
Microsoft released patches last month and on Friday to fix a vulnerability that allowed the worm to spread across networks, a rare and powerful feature that caused infections to surge on Friday.
Code for exploiting that bug, which is known as “Eternal Blue,” was released on the internet in March by a hacking group known as the Shadow Brokers. The group claimed it was stolen from a repository of National Security Agency hacking tools. The agency has not responded to requests for comment.
Hong Kong-based Ivezic said that the ransomware was forcing some more “mature” clients affected by the worm to abandon their usual cautious testing of patches “to do unscheduled downtime and urgent patching, which is causing some inconvenience.”
He declined to identify which clients had been affected.
The head of the European Union police agency said on Sunday the cyber assault hit 200,000 victims in at least 150 countries and that number will grow when people return to work on Monday.
“The global reach is unprecedented … and those victims, many of those will be businesses, including large corporations,” Europol Director Rob Wainwright told Britain’s ITV.
“At the moment, we are in the face of an escalating threat. The numbers are going up, I am worried about how the numbers will continue to grow when people go to work and turn (on) their machines on Monday morning.”
MONDAY MORNING RUSH?
Monday was expected to be a busy day, especially in Asia which may not have seen the worst of the impact yet, as companies and organizations turned on their computers.
“Expect to hear a lot more about this tomorrow morning when users are back in their offices and might fall for phishing emails” or other as yet unconfirmed ways the worm may propagate, said Christian Karam, a Singapore-based security researcher.
Targets both large and small have been hit.
Renault said on Saturday it had halted manufacturing at plants in Sandouville, France, and Romania to prevent the spread of ransomware in its systems.
Among the other victims is a Nissan manufacturing plant in Sunderland, northeast England.
Hundreds of hospitals and clinics in the British National Health Service were infected on Friday, forcing them to send patients to other facilities.
German rail operator Deutsche Bahn said some electronic signs at stations announcing arrivals and departures were infected.
In Asia, some hospitals, schools, universities and other institutions were affected. International shipper FedEx Corp said some of its Windows computers were also breached.
Telecommunications company Telefonica was among the targets in Spain. Portugal Telecom and Telefonica Argentina both said they were also targeted.
A Jakarta hospital said on Sunday that the cyber virus had infected 400 computers, disrupting the registration of patients and the retrieval of records. The hospital said it expected big queues on Monday when about 500 people were due to register.
In Singapore, a company that supplies digital signage, MediaOnline, was rushing to fix its systems after a technician’s error had led to 12 kiosks being infected in two of the island’s malls. Director Dennis So said the systems were not connected to the malls’ or tenants’ networks.
Symantec, a cybersecurity company, forecast infections so far would cost tens of millions of dollars, mostly from cleaning corporate networks. Ransoms paid amount to tens of thousands of dollars, one analyst said, but he predicted they would rise.
Governments and private security firms said on Saturday that they expected hackers to tweak the malicious code used in Friday’s attack, restoring the ability to self-replicate.
“This particular attack was relatively easy to shut down,” said Bryce Boland, Asia Pacific chief technology officer for FireEye, a cybersecurity company.
But he said it would be straightforward for the existing attackers to launch new releases or for other ransomware authors to start copying the way the malware replicated.
The U.S. government on Saturday issued a technical alert with advice on how to protect against the attacks, asking victims to report any to the Federal Bureau of Investigation or Department of Homeland Security.
(Additional reporting by Neil Jerome Morales, Masayuki Kitano, Kiyoshi Takenaka, Jose Rodriguez, Elizabeth Piper, Emmanuel Jarry, Orathai Sriring, Jemima Kelly, Alistair Smout, Andrea Shalal, Jack Stubbs, Antonella Cinelli, Dustin Volz, Kate Holton, Andy Bruce, Michael Holden, David Milliken, Tim Hepher, Luiza Ilie, Patricia Rua, Axel Bugge, Sabine Siebold and Eric Walsh, Engen Tham, Fransiska Nangoy, Soyoung Kim and Mai Nguyen; Editing by Mike Collett-White/Mark Heinrich)