Microsoft criticized governments for stockpiling secret exploits of computer systems, calling the ongoing WannaCry ransomware attack a “wake-up call.”
The ransomware, also called WannaCrypt, was first noticed on Friday, and has affected at least 200,000 computers in more than 150 countries, including some in hospitals, locking them until their owners pay a Bitcoin ransom to the attackers.
Some security experts expect a second wave of the attack to start Monday morning, as employees arrive at work and turn on affected computers.
The WannaCry software is particularly virulent because it does not require users to take any action, such as clicking a link or downloading software, in order to spread: it can propagate automatically from one machine to another through file-sharing systems on networks.
WannaCry uses a vulnerability in old versions of Windows that was originally discovered and exploited by the U.S. National Security Agency as an offensive cyber-weapon.
“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” wrote Microsoft President Brad Smith in a blog post on Sunday.
“We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.”
Smith’s post deflects criticism of Microsoft by noting that the company issued a patch for the vulnerability earlier this year, but many organizations didn’t patch older computers. Smith also said that Microsoft has been “working around the clock” to assist affected customers, even those on older operating systems that are no longer supported.
But he also warns that similar attacks will recur unless governments stop stockpiling these kinds of vulnerabilities:
The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.