Asian governments and businesses reported some disruptions from the WannaCry ransomware worm on Monday but cybersecurity experts warned of a wider impact as more employees turned on their computers and checked e-mails.
The ransomware that has locked up more than 200,000 computers in more than 150 countries has been mainly spread by e-mail, hitting factories, hospitals, shops and schools worldwide.
"Most of the attacks are arriving via e-mail, so there are many 'landmines' waiting in people's in-boxes," said Michael Gazeley, managing director of Network Box, a Hong Kong-based cyber security company.
As Monday morning breaks
In China, the world's second-largest economy, energy giant PetroChina said payment systems at some of its petrol stations were hit, although it had been able to restore most of the systems. Several Chinese government bodies, including police and traffic authorities, reported they had been impacted by the hack, according to posts on official microblogs.
The official China Daily newspaper, citing Chinese tech firm Qihoo 360, said that at least 200,000 computers had been affected in China, with schools and colleges particularly hard-hit.
A spokesman for the Hong Kong Exchanges and Clearing, one of the region's biggest bourses, said all systems were so far working normally. "We remain highly vigilant," he said.
Companies have warned users and staff not to click on attachments or links.
Taiwan's government appeared to have escaped major infection, possibly because regulations there require all departments to install software updates as soon as they are available.
One school in South Korea barred its pupils from using the internet.
South Korea's presidential Blue House office said nine cases of ransomware were found in the country, but did not provide details on where the cyber attacks were discovered.
Authorities have been analysing 48 samples of the cyber worm and the government has warned South Koreans how to protect their computers from being taken hostage, Blue House spokesperson Yoon Young-chan in a media briefing.
In Australia, Dan Tehan, the government minister responsible for cyber security, said just three businesses had been hit by the bug, despite worries of widespread infection. There were no reported cases in New Zealand.
The result of an NSA leak
Microsoft on Sunday pinned blame on the US government for not closing more software vulnerabilities amid fears new versions of the worm will strike.
In a blog post on Sunday, Microsoft President Brad Smith appeared to tacitly acknowledge what researchers had already widely concluded: The ransomware attack leveraged a hacking tool built by the US National Security Agency, that leaked online in April.
"This is an emerging pattern in 2017," Smith wrote.
"We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world."
He also poured fuel on a long-running debate over how government intelligence services should balance their desire to keep software flaws secret – in order to conduct espionage and cyber warfare – against sharing those flaws with technology companies to better secure the Internet. "This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem," Smith wrote.
Smith added that governments around the world should "treat this attack as a wake-up call" and "consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits."
The NSA and White House did not immediately respond to requests for comment about the Microsoft statement.
The investigations into the attack were in the early stages, however, and attribution for cyber attacks is notoriously difficult.
Infected computers appear to largely be out-of-date devices that organisations deemed not worth the price of upgrading or, in some cases, machines involved in manufacturing or hospital functions that proved too difficult to patch without possibly disrupting crucial operations, security experts said.
Microsoft released patches last month and on Friday to fix a vulnerability that allowed the worm to spread across networks, a rare and powerful feature that caused infections to surge on Friday.
What's the cost and extent of damage?
Economic experts offered differing views on how much the attack, and associated computer outages, would cost businesses and governments.
The non-profit US Cyber Consequences Unit research institute estimated that total losses would range in the hundreds of millions of dollars, but not exceed $1 billion.
Most victims were quickly able to recover infected systems with backups, said the group's chief economist, Scott Borg.
California-based cyber risk modelling firm Cyence put the total economic damage at $4 billion, citing costs associated with businesses interruption.
The threat receded over the weekend after a British-based researcher, who declined to give his name but tweets under the profile @MalwareTechBlog, said he stumbled on a way to at least temporarily limit the worm's spread by registering a web address to which he noticed the malware was trying to connect.
My blog post is done! Now you can read the full story of yesterday's events here:https://t.co/BLFORfM2ud
— MalwareTech (@MalwareTechBlog) May 13, 2017
Security experts said his move bought precious time for organisations seeking to block the attacks.
Monday morning, @MalwareTechBlog had pinned this post:
Warning for Monday: If you turn on a system without the MS17-010 patch and TCP port 445 open, your system can be ransomwared.
— MalwareTech (@MalwareTechBlog) May 15, 2017
For one thing, the attackers or copycat attackers may have developed new versions of the worm, although a British-based security researcher who thwarted an earlier version of the worm said most of these reports had been proven false.
How much did the attackers rake in?
Account addresses hard-coded into the malicious WannaCry virus appear to show the attackers had received just under $32,500 in anonymous bitcoin currency as of (1100 GMT) 7 am EDT on Sunday, but that amount could rise as more victims rush to pay ransoms of $300 or more.