A cyberattack that has already taken over computers in 150 countries could spread further Monday, as people return for the start of a new work week and use computers that may not have been updated with a security patch.

Europe’s police agency Europol said Sunday the attack had already affected more than 100,000 organizations with so-called ransomware, which locks computer files unless the user pays money.

“I’m worried about how the numbers will continue to grow when people go to work and turn on their machines on Monday,” Europol director Rob Wainwright told Britain’s ITV television.

Computer security experts have assured individual computer users who have kept their operating systems updated that they are relatively safe, but urged companies and governments to make sure they apply security patches or upgrade to newer systems.

They advised those whose networks have been effectively shut down by the ransomware attack not to make the payment demanded — the equivalent of $300, paid in the digital currency bitcoin.  

However, the authors of the “WannaCry” ransomware attack told their victims the amount they must pay will double if they do not comply within three days of the original infection — by Monday, in most cases. And the hackers warned that they will delete all files on infected systems if no payment is received within seven days.

Avast, an international security-software firm that claims it has 400 million users worldwide, said the ransomware attacks rose rapidly Saturday to a peak of 57,000 detected intrusions.

 

Researcher found ‘kill switch’

Computer-security experts said the current attack could have been much worse, but for the quick action of a young researcher in Britain who discovered a vulnerability in the ransomware itself, known as WanaCryptor 2.0.

The researcher, identified only as “MalwareTech,” found a “kill switch” within the ransomware as he studied its structure.

The “kill” function halted WanaCryptor’s ability to copy itself rapidly to all terminals in an infected system — hastening its crippling effect on a large network — once it was in contact with a secret internet address, or URL, consisting of a lengthy alphanumeric string.

The “kill” function had not been activated by whoever unleashed the ransomware, and the researcher found that the secret URL had not been registered to anyone by international internet administrators. He immediately claimed the URL for himself, spending about $11 to secure his access, and that greatly slowed the pace of infections in Britain.

Experts cautioned, however, that the criminals who pushed the ransomware to the world might be able to disable the “kill” switch in future versions of their malware, and that new versions were already emerging.

Hackers’ key tool

WanaCryptor 2.0 is only part of the problem. It spread to so many computers so rapidly by using an exploit — software capable of burrowing unseen into Windows computer operating systems.

The exploit, known as “EternalBlue” or “MS17-010,” took advantage of a vulnerability in the Microsoft software that reportedly had been discovered and developed by the U.S. National Security Agency, which used it for surveillance activities.

NSA does not discuss its capabilities, and some computer experts say the MS17-010 exploit was developed unknown parties using the name Equation Group (which may also be linked to NSA). Whatever its source, it was published on the internet last month by a hacker group called ShadowBrokers.

Microsoft distributed a patch for the software vulnerability two months ago, but not all computer users and networks worldwide had yet made that update, and thus were highly vulnerable. And many computer networks, particularly those in less-developed parts of the world, still use an older version of Microsoft software, Windows XP.  The company did issue a patch for Windows XP, but has otherwise largely stopped issuing updates for the software.

The Finnish computer-security firm F-Secure called the problem spreading around the world “the biggest ransomware outbreak in history.” The firm said ((http://tinyurl.com/my5qurg ))  it has warned about the exponential growth of ransomware, or crimeware, as well as the dangers of sophisticated surveillance tools used by governments.

A lesson to all: update programs

With WanaCryptor and MS17-010 both “unleashed into the wild,” F-Secure said the current problem seems to have combined and magnified the worst of the dangers those programs represent.

The security firm Kaspersky Lab, based in Russia, noted that Microsoft had repaired the software problem that allows back-door entry into its operating systems weeks before hackers published the exploit linked to the NSA, but noted: “Unfortunately it appears that many users have not yet installed the patch.”

Britain’s National Health Services first sounded the ransomware alarm Friday.

The government held an emergency meeting Saturday of its crisis response committee, known as COBRA, to assess the damage. Late in the day, Home Secretary Amber Rudd said the NHS was once again “working as normal,” with 97 percent of the system’s components now fully restored.

Spanish firm Telefonica, French automaker Renault, the U.S.-based delivery service FedEx and the German railways Deutsche Bahn were among those affected.

None of the firms targeted indicated whether they have paid or will pay the hackers ransom.