Government offices, organizations, and businesses worldwide are bracing for the start of work on May 15, as fears increase that a massive cyberattack could worsen as employees return to their desks after the weekend.
Experts on May 14 said they will be closely watching activity in Asia, which did not appear to be hit as hard as the rest of the world late last week.
The WannaCry “ransomware” attack, which began on May 12, disrupted hospitals, banks, shops, schools, and government agencies, attacking through vulnerabilities in older versions of Microsoft computer operating systems.
The attack, believed to be the biggest online extortion scheme ever, has already hit some 200,000 victims at 100,000 organizations worldwide, according to Europol, Europe's police agency.
An international manhunt was under way to capture those responsible, the agency said.
Among the big victims were U.S. package delivery company FedEx, car production facilities in Europe, Spanish telecom Telefonica, the U.K.’s National Health Service, and Germany's rail network.
The attacks told computer users to pay $300 to $600 in anonymous bitcoin currency to retrieve files that the virus had encrypted, blocking owners from getting access.
Experts said account addresses linked to the WannaCry software code appear to show the attackers received about $32,500 in bitcoin as of 1100 GMT on May 14. That figure is expected to rise, although many experts and government agencies urge victims not to give in to the demands.
Cybersecurity experts said new versions of the ransomware are likely to surface as the business week starts in many parts of the world.
Microsoft President Brad Smith in a blog post on May 14 acknowledged what researchers had concluded: The ransomware attack was developed through a tool built by the U.S. National Security Agency that was leaked online by hackers in April.
Security experts said computers affected by the ransomware appear to be ones that had not been recently updated.
Experts said many organizations do not update their systems because of costs, while others, such as hospitals, find it difficult to upgrade without disrupting operations.
"Expect to hear a lot more about this…when users are back in their offices and might fall for phishing emails" or other as yet unconfirmed ways the ransomware, also called a “worm,” may attack, Christian Karam, a Singapore-based security researcher, told Reuters news agency.
The threat eased after a U.K.-based researcher -- who declined to give his name but issues tweets under the profile @MalwareTechBlog -- said he accidentally came upon a way to at least temporarily limit the ransomware's spread by registering a web address to which he noticed the malware was trying to connect.
Experts said his action helped delay attacks and gave organizations time to explore ways to block future intrusions.