Cyberattack Spreads, Though at Slower Pace

Governments and companies reported more infected computers stemming from Friday's global cyber attack, though fresh fallout appeared limited so far early Monday after IT departments around the world kicked off a fourth day trying to determine the scope of damage and recover from it.

A so-called ransomware attack started ricocheting around the world Friday, scrambling files and seeking payment to decrypt them again. The attack mobilized law enforcement and cybercrime agencies in a global dragnet for the perpetrators.

Late Friday, a British researcher found and activated a "kill switch" embedded in the code of the virus, slowing its spread, though computer experts warned new variants were likely.

Companies worked through the weekend to ensure employees were protected come Monday morning, when officials warned more victims could be vulnerable. The attack took advantage of vulnerabilities in Microsoft Corp. software, and many workers early Monday were asked to reboot their systems to initiate patches.

The attack hit hospitals in Britain, multinationals like FedEx Corp. and shuttered Renault SA car factories. Victims received messages saying their computer files had been encrypted and demanded payment, as little as $300 in online currency bitcoin, to unscramble them. The malware threatened to destroy the files if payment wasn't made.

Proofpoint, a Silicon Valley cybersecurity firm with sensors in major telecom companies and big organizations, said Monday that there was a lot of traffic to the "kill switch" of the original worm, which meant individual computers were being infected but not entire networks. Ryan Kalember, Proofpoint's senior vice president of cybersecurity strategy, said it didn't appear as if a more dangerous strain of the worm, without a kill switch, was making its way around the world.

Tokyo-based conglomerate Hitachi Ltd. reported system failures at locations in Japan and elsewhere that affected employees' ability to send and receive emails. Hitachi said it was working to try to resolve the problems and that it believed they were related to the Wannacry ransomware.

In China, more government agencies said their operations were affected as employees returned to work on Monday.

Traffic police in Mianyang, a city in the Southwestern province of Sichuan, posted a photograph of long queues in its office on its official Twitter-like blog and asked people to avoid seeking non-emergency services as its computer network remained down from the ransomware attack. Other government departments posted apologies about disruptions to services.

Chinese social media was rife with comments from office workers tweeting about how their morning had been interrupted as computer systems had to be upgraded or pulled off the internet first thing in the morning.

China financial regulators -- the China Securities Regulatory Commission and China Banking Regulatory Commission -- sent notices to its subsidiaries for a security upgrade. Search engine giant Baidu Inc. sent out several warnings to its employees over the weekend informing them about the attack and were told a security update would take effect after they restarted their computers.

CJ CGV, one of South Korea's largest movie-theater chains, said it was hit by WannaCry over the weekend. The company's head of communications, Hwang Jae-hyeon, said the malware affected its advertising server, preventing ads from being displayed before the start of films at 30 locations. The attack hadn't affected ticket sales or the company's movie-screening schedule, he said.

The Korea Internet & Security Agency, a government entity, reported 10 cases of affected organizations in the country but declined to identify them.

--Chao Deng, Grace Zhu and Alyssa Abkowitz contributed to this article

Write to Stu Woo at Stu.Woo@wsj.com, Liza Lin at Liza.Lin@wsj.com and Eun-Young Jeong at Eun-Young.Jeong@wsj.com

(END) Dow Jones Newswires

May 15, 2017 04:20 ET (08:20 GMT)