This story is over 5 years old.

WannaCry cyberattack is only the beginning, experts warn

European law enforcement agencies are seeking to dampen fears of a renewed escalation in the number of systems hit by the WannaCry ransomware, even as experts warn that more sophisticated attacks are highly likely. The appeal for calm was undermined Monday when it emerged that almost 30,000 organizations in China have been hit by the pernicious malware.

As the full impact of the ransomware came to light over the weekend — more than 200,000 computers in over 150 countries have now been infected — experts warned that Monday morning could bring a renewed spike in infections as people returned to work and checked their emails.


Europol senior spokesman Jan Op Gen Oorth told AFP Monday: “The number of victims appears not to have gone up, and so far the situation seems stable in Europe, which is a success.” Oorth said that it was likely that many IT departments updated their systems over the weekend, patching the flaw that allowed this ransomware to spread.

It wasn’t all good news, however. In Asia, hundreds of thousands of new victims of the global cyberattack were announced. Chinese state media reported that educational institutes were hit the hardest, with some 4,300 universities and schools impacted, according to figures released by cybersecurity giant Qihoo 360’s threat intelligence center. The ransomware also impacted 20,000 petrol stations across the country, after systems at the Chinese national petroleum corporation were infected with the WannaCry ransomware.

Russia was among the countries hit hardest by infections of WannaCry, and Russian President Vladimir Putin claimed Monday that the NSA was to blame for the ransomware, but added: “There hasn’t been any significant damage for us and our agencies, banks or healthcare system.”

Microsoft also blamed the U.S. government, calling the attack a “wake-up call,” and pleading with the government to “stop stockpiling tools to exploit digital vulnerabilities.” The company issued a “highly unusual” patch for systems running Windows XP and Windows Server 2003 – software which the company no longer issues regular updates for. You can download the updates here.


WannaCry was able to quickly infect a huge number of systems because it took advantage of a flaw in Microsoft’s Windows software — one initially exploited by the NSA — which let it spread quickly through networked computers. A malware researcher in the U.K. accidentally activated a “kill switch” hardcoded into the malware on Friday, which significantly limited its ability to spread — but criminals are already evolving the WannaCry code.

Even as the initial wave of attacks appears to be calming down, experts are seeing evidence that more sophisticated variants are being deployed. “We have already seen variants of this that address the weakness in the first version,” Rob Holmes, vice president at security company Proofpoint, told VICE News. “The question is how widespread it will be.”

Holmes says that ransomware is nothing new – with his company seeing new variants of this type of malware on an almost daily basis. WannaCry was especially successful because it was able to leverage the spy tools which the NSA developed to monitor the computers of suspected terrorists, an exploit which was leaked last month.

Despite the huge number of systems being infected, to date the three bitcoin wallets linked to the attacks (which you can monitor here, here and here) have received only $50,000 in payments by Monday morning based on the current price of bitcoin. Those infected are asked for a payment of $300 in order to decrypt the files on their PCs.

This is likely based on the fact that most security experts are advising that those hit not pay. “You pay a cybercriminal and that creates an industry which will attract other suppliers of ransomware,” Holmes said. “We need to suck the money out of cybercrime and paying is fuel to the flames.”

However we could be soon seeing a spike in payments, as the deadline for paying the initial $300 figure ends 72 hours after systems are infected, with the ransom then doubling to $600.