The massive ransomware attack that caused damage across the globe over the weekend should be a “wake-up call” for governments, the president of Microsoft has said.
Security officials around the world are scrambling to find who was behind the attack which affected 200,000 computer users and closed factories, hospitals and schools by using malicious software that believed to have been stolen from the US National Security Agency.
Europol, the pan-European Union crime-fighting agency, said the threat was escalating and predicted the number of “ransomware” victims was likely to grow across the private and public sectors as people returned to work on Monday.
But Brad Smith, Microsoft president’s and chief legal officer, said on Sunday that it was the latest example of why the stockpiling of vulnerabilities by governments was such a problem.
Smith, whose company’s older system software such as Windows XP was exploited by the ransomware, wrote in a blog post : “The governments of the world should treat this attack as a wake-up call,” Smith wrote. “We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”
“An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen.”
Cyber security experts said the spread of the virus dubbed WannaCry had slowed but that the respite might only be brief amid fears it could cause new havoc on Monday when employees return to work.
New versions of the worm are expected, they said, and the extent – and economic cost – of the damage from Friday’s attack were unclear.
“It’s going to be big, but it’s too early to say how much it’s going to cost because we still don’t know the magnitude of the attacks,” said Mark Weatherford, an security executive whose previous jobs included a senior cyber post with the US Department of Homeland Security.
The investigations into the attack were in the early stages, and attribution for cyber attacks is notoriously difficult.
US President Donald Trump on Friday night ordered his homeland security adviser, Tom Bossert, to convene an “emergency meeting” to assess the threat posed by the global attack, a senior administration official told Reuters.
Senior US security officials held another meeting in the White House situation room on Saturday, and the FBI and the National Security Agency were working to help mitigate damage and identify the perpetrators of the attack, said the official, who spoke on condition of anonymity to discuss internal deliberations.
The NSA is widely believed to have developed the hacking tool that was leaked online in April and used as a catalyst for the ransomware attack.
The original attack lost momentum late on Friday after a security researcher inadvertently took control of a server connected to the outbreak, which crippled a feature that caused the malware to rapidly spread across infected networks.
Infected computers appear to largely be out-of-date devices that organisations deemed not worth the price of upgrading or, in some cases, machines involved in manufacturing or hospital functions that proved too difficult to patch without possibly disrupting crucial operations, security experts said.
Marin Ivezic, cyber security partner at PwC, said that some clients had been “working around the clock since the story broke” to restore systems and install software updates, or patches, or restore systems from backups.
Microsoft released patches last month and on Friday to fix a vulnerability that allowed the worm to spread across networks, a rare and powerful feature that caused infections to surge on Friday.
Code for exploiting that bug, which is known as “Eternal Blue”, was released on the internet in March by a hacking group known as the Shadow Brokers. The group said it was stolen from a repository of NSA hacking tools. The agency has not responded to requests for comment.
Hong Kong-based Ivezic said that the ransomware was forcing some more “mature” clients affected by the worm to abandon their usual cautious testing of patches “to do unscheduled downtime and urgent patching, which is causing some inconvenience”.
He declined to identify clients that had been affected.
The head of the European Union police agency said on Sunday the cyber assault hit 200,000 victims in at least 150 countries and that number would grow when people return to work on Monday.
“At the moment, we are in the face of an escalating threat. The numbers are going up, I am worried about how the numbers will continue to grow when people go to work and turn (on) their machines on Monday morning,” Europol director Rob Wainwright told Britain’s ITV.
Monday was expected to be a busy day, especially in Asia which may not have seen the worst of the impact yet, as companies and organisations turned on their computers.
“Expect to hear a lot more about this tomorrow morning when users are back in their offices and might fall for phishing emails” or other as yet unconfirmed ways the worm may propagate, said Christian Karam, a Singapore-based security researcher.
Associated Press and Reuters contributed to this story