Governments and companies around the world began to gain the upper hand against the first wave of an unrivaled global cyberattack, even as the assault was poised to continue claiming victims this week.


More than 200,000 computers in at least 150 countries have so far been infected, according to Europol, the European Union's law enforcement agency. The U.K.'s National Cyber Security Centre said new cases of so-called ransomware are possible “at a significant scale.”


“For now, it does not look like the number of infected computers is increasing,” said a Europol spokesman. “We will get a decryption tool eventually, but for the moment, it's still a live threat and we're still in disaster recovery mode.”


At Germany's national Deutsche Bahn railroad, workers were laboring under “high pressure” Monday to repair remaining glitches with train stations' electronic departure boards, a spokesman said.


French car maker Renault SA, which halted production at some factories to stop the virus from spreading, said 90% of factories worldwide had now resumed operations, according to a spokesman Monday.


A new version of the ransomware may have also been spreading over the weekend. Matt Suiche, founder of United Arab Emirates-based cyber security firm Comae Technologies, said around 10,000 machines have been infected by the second variation of the malware.


The malware used a technique purportedly stolen from the U.S. National Security Agency. It affected the U.K.'s National Health Service, Russia's Ministry of Interior, China government agencies, Deutsche Bahn, automakers Nissan Motor Co. and Renault, PetroChina, logistics giant FedEx Corp., and other company and hospital computer systems in countries from Eastern Europe to the U.S. and Asia.


The hackers used the tool to encrypt files within affected computers, making them inaccessible, and demanded ransom — typically $300 in bitcoin. Russia and Ukraine had a heavy concentration of infections, according to Dutch security company Avast Software BV.


Microsoft Corp. President Brad Smith, in a blog post Sunday, said the attack is a “wake-up call” for governments in the U.S. and elsewhere to stop stockpiling tools to exploit digital vulnerabilities. “They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world,” he said.

Normal Operations

About 97% of U.K. facilities and doctors disabled by the attack were back to normal operation, Home Secretary Amber Rudd said Saturday after a government meeting. At the height of the attack Friday and early Saturday, 48 organizations in the NHS were affected, and hospitals in London, North West England and Central England urged people with non-emergency conditions to stay away as technicians tried to stop the spread of the malicious software.


The initial attack was stifled when a security researcher disabled a key mechanism used by the worm to spread, but experts said the hackers were likely to mount a second attack because so many users of personal computers with Microsoft operating systems couldn't or didn't download a security patch released in March that Microsoft had labeled “critical.”


Microsoft said in a blog post Saturday that it was taking the “highly unusual” step of providing the patch for older versions of Windows it was otherwise no longer supporting, including Windows XP and Windows Server 2003.


While the scale of the attack shows Microsoft needs to strengthen its own capabilities, “there is simply no way for customers to protect themselves against threats unless they update their system,” Smith said in his blog post. “Otherwise they're literally fighting the problems of the present with tools from the past.


“This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it's something every top executive should support.”


Victims have paid about $50,000 in ransom so far, with the total expected to rise, said Tom Robinson, chief operating officer and co-founder of Elliptic Enterprises Ltd., a ransomware consultant that works with banks and companies in the U.K., U.S. and Europe. Robinson, in an interview by email, said he calculated the total based on payments tracked to bitcoin addresses specified in the ransom demands.


Last year an acute-care hospital in Hollywood paid $17,000 in bitcoin to an extortionist who hijacked its computer systems and forced doctors and staff to revert to pen and paper for record-keeping.

Business Targets

A spokesman for Spain's Telefonica SA said the hack affected some employees at its headquarters, but the phone company is attacked frequently and the impact of Friday's incident wasn't major. FedEx said it was “experiencing interference,” the Associated Press reported.


Renault halted production at some factories to stop the virus from spreading, a spokesman said Saturday, while Nissan's car plant in Sunderland, in northeast England, was affected without causing any major impact on business, an official said.


Russia's Interior Ministry, with oversight of the police forces, said about “1,000 computers were infected,” which it described as less than 1 percent of the total, according to its website.


In China, the malware affected computers at “several” unspecified government departments, the country's Cyberspace Administration said on its WeChat blog Monday. Since that initial attack, agencies and companies from the police to banks and communications firms have put preventive measures in place, while Qihoo 360 Technology Co., Tencent Holdings Ltd. and other cybersecurity firms have begun making protection tools available, the internet overseer said.


China National Petroleum Corp., which owns PetroChina, reported that some of its 21,000 gas stations had seen their digital payment systems disabled by the attack and resorted to accepting cash. More than 80% of the stations had been reconnected to the network as of noon on May 14, the company said. Several Chinese universities had also been hit by the attacks, according to local media reports.


In Japan, Hitachi Ltd. said that some of its computers had been affected. In South Korea, CJ CGV Co., the country's largest cinema chain, said advertising servers and displays at film theaters were hit by ransomware. Movie servers weren't affected and are running as normal, it said in a text message Monday. Indonesia's government reported two hospitals in Jakarta were affected.


While any size company could be vulnerable, many large organizations with robust security departments would have prioritized the update that Microsoft released in March and wouldn't be vulnerable to Friday's attack.


Users Tricked

Ransomware is a particularly stubborn problem because victims are often tricked into allowing the malicious software to run on their computers, and the encryption happens too fast for security software to catch it. Some security experts calculate that ransomware may bring in as much as $1 billion a year in revenue for the attackers.


The attack was apparently halted in the afternoon in the U.K. when a researcher took control of an Internet domain that acted as a kill switch for the worm's propagation, according to Ars Technica.


“I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental,” wrote the researcher, who uses the Twitter name @MalwareTechBlog. “So long as the domain isn't revoked, this particular strain will no longer cause harm, but patch your systems ASAP as they will try again.”


A second variant of the domain also became apparent. Suiche, founder of Comae Technologies, said on Sunday he registered another kill-switch for a different version of the ransomware. About 50% of machines that would have spread the infection by the second variation of the malware have Russian I.P. addresses, according to Suiche.


There is a high probability that Russian-language cybercriminals were behind the attack, said Aleks Gostev, chief cybersecurity expert for Kaspersky Labs.


“Ransomware is traditionally their topic,” he said. “The geography of attacks that hit post-Soviet Union most also suggests that.”


Bloomberg News


Copyright 2018 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
