LONDON -- Evidence of the cyberattack that hit up to 100 countries continued to ripple around the world Saturday with reports of Chinese students unable to access their graduation theses, British doctors canceling operations and passengers at train stations in Germany greeted by hacked messages on arrival and departure screens.

People and organizations were scrambling after the international attack, which began Friday and spread rapidly by email, to limit the damage or implement preventive measures.

It was still unclear Saturday who was behind the cyberattack, a form of ransomware that locks up computer systems and prevents access to data or systems until a payment is made.

"We're not able to tell you who is behind that attack. That work is still ongoing," British Home Secretary Amber Rudd told the BBC.

But Darien Huss, a research engineer for the American cybersecurity firm Proofpoint, and an anonymous Britain-based cyberspecialist, a 22-year-old identified online only as MalwareTech, were credited with thwarting it.

Huss on Friday discovered a "kill switch" in the malware that severely hindered its spread. He then shared information with MalwareTech, who registered a domain name that redirected the attacks to MalwareTech's server and activated the kill switch, halting the ransomware's infections -- creating what's called a "sinkhole."

In a post on its website Saturday evening, Britain's National Cyber Security Center said MalwareTech's actions had prevented further infections and had "already resulted in preventing over 100,000 potential infections."

The anonymous researcher tweeted Saturday that he initially didn't know that creating the domain name would stop the malware.

Huss, a western Michigan resident and Purdue University graduate, said he is thankful it wasn't someone "with malicious intent" who discovered how to stop the attack but that it wouldn't be difficult for those responsible to re-release it or for others to mimic it.

The attack hit Britain's National Health Service particularly hard, causing widespread disruptions and interrupting medical procedures across hospitals in England and Scotland. The government said 48 of the health system's 248 organizations were affected, but by Saturday evening all but six were back to normal.

When asked if the British government paid any ransom, a government spokesman said "no" and pointed out that Rudd had advised that others don't either.

Rudd said Saturday that the cyberattack had affected "up to 100 countries" and that it wasn't specifically targeted at Britain's health system.

During the attack on Britain's health system, computer screens were locked by the malware that demanded the user pay $300 in bitcoins or risk having files erased.

Similar messages -- written in local languages -- popped up on screens across Europe.

In Germany, people posted pictures on social media of scheduling screens at train stations displaying the ransomware message. Deutsche Bahn, Germany's national railway service, tweeted that its train service had not been compromised and that it was working full speed to solve the problems. According to DPA news agency, Deutsche Bahn's video surveillance technology also was hit.

Other targets in Europe included Telefonica, the Spanish telecom giant; the French carmaker Renault, which halted production at some factories to stop the virus from spreading; and a local authority in Sweden, which said about 70 computers were infected. Odd, a Norwegian soccer club, said its online ticketing system was hit by the bug.

A Nissan Motor Co. plant in northeast England also was affected without causing any major impact on business, an official said.

TMT post, a Chinese online news outlet focusing on the Internet industry, reported that a number of Chinese universities had been affected by the attack.

Several schools -- including Nanchang University, Shandong University and the University of Electronic Science and Technology of China -- issued alerts on their Weibo social-media feeds, warning staff members and students to back up important files and not to open suspicious emails.

According to Chinese magazine Caijing, some students' graduation theses and projects have been encrypted.

In Russia, hacking attacks were confirmed Saturday at the Health Ministry, the state-run Russian Railways and the telecommunications company Megafon, along with the Interior Ministry, which manages the police force. There also were reports that the powerful Investigative Committee, which investigates high-level crime, and several other telecommunications companies had been targeted.

The Interior Ministry said 1,000 of its computers had been blocked by prompts demanding payment. The ministry said the problem had been "localized" with no information compromised. Russia's Health Ministry said its attacks were "effectively repelled."

Jakub Kroustek, a malware researcher with Avast, a security software company in the Czech Republic, said in a blog post that Russia was the most affected country so far.

"We are now seeing more than 75,000 detections of WanaCrypt0r 2.0 in 99 countries," he wrote Friday night, referring to a designator for the ransomware.

Kaspersky Lab, a Moscow-based Internet security firm, also said the attacks were mostly in Russia.

"Russia has a very rickety, out-of-date infrastructure, using not just outdated software but pirated out-of-date software," said Mark Galeotti, a senior researcher at the Institute of International Relations Prague.

According to Galeotti, one Interior Ministry official in 2013 estimated that 40 percent of the ministry's computers could be using pirated Windows software, which is widely available in Russia for download or at computer markets.

In Brazil, the attack struck at the heart of the government -- employee computers at the Justice Ministry and Brazil's social security administration were infected. Media outlets also reported that the attack locked up computers in the country's labor courts and the public prosecutor's office.

In the United States, where FedEx Corp. reported that its Windows computers were "experiencing interference" from malware -- not specifying if it had been hit by the ransomware -- other effects of the ransomware were not readily apparent.

The bug creating the global havoc, called Wanna Decrypt0r 2.0 -- also known by names including WCry, WannaCry and WanaCrypt0r 2.0 -- exploits a flaw that experts say was identified in a stolen National Security Agency document.

Microsoft released a patch to fix the problem in March, but computer systems that did not install the update remain vulnerable.

In Britain, which is in the middle of an election campaign, the cyberattack triggered criticism of the National Health Service's aging computer systems, particularly the use of Windows XP, an outdated version of the Microsoft operating system that doesn't have the same level of defense against cyberattacks as newer operating systems.

The opposition Labor Party's Jonathan Ashworth tweeted that the government had been complacent over cybersecurity.

"We need answers on whether funding squeeze compromised security," he wrote.

Rudd, the home secretary, stressed Saturday that there was no evidence that patient data had been compromised but said there were lessons to learn.

She told the BBC that Windows XP was "not a good platform for keeping your data as secure as the modern ones because you can't download the effective patches and anti-virus software."

"I would expect [the health system] trusts to learn from this and to make sure that they do upgrade," she said.

All of this may be just a taste of what's coming, Ori Eisen, who founded the Trusona cybersecurity firm in Scottsdale, Ariz., said Saturday in an interview.

Computer users worldwide -- and everyone else who depends on them -- should assume that the next big "ransomware" attack has already been launched, and just hasn't manifested itself yet, Eisen said.

The attack held hospitals and other entities hostage by freezing computers, encrypting data and demanding money through online bitcoin payments. But it appears to be "low-level" stuff, Eisen said Saturday, given the amount of ransom demanded -- $300 at first, rising to $600 before it destroys files hours later.

He said the same thing could be done to crucial infrastructure, such as nuclear power plants, dams or railway systems.

"This is child's play, what happened. This is not the serious stuff yet. What if the same thing happened to 10 nuclear power plants, and they would shut down all the electricity to the grid? What if the same exact thing happened to a water dam or to a bridge?" he asked.

"Today, it happened to 10,000 computers," Eisen said. "There's no barrier to do it tomorrow to 100 million computers."

Information for this article was contributed by Karla Adam, Andrew Roth, Luna Lin, Griff Witte, Stephanie Kirchner, Marina Lopes and Michael Birnbaum of The Washington Post; by Sylvia Hui, Allen G. Breed and Jim Heintz of The Associated Press; and by Jordan Robertson, Stepan Kravchenko, Ksenia Galouchko, Robert Hutton and Jack Sidders of Bloomberg News.

A Section on 05/14/2017