(Recasts with businesses preparing for new attacks, adds cost
* Repairs will cost tens of millions of dollars-Symantec
* Carmaker Renault halts production as defensive move
* Attackers use tools honed by U.S. National Security Agency
By Jim Finkle and Eric Auchard
TORONTO/FRANKFURT, May 13 Businesses around the
world scrambled on Saturday to prepare for a renewed cyber
attack, convinced that a lull in a computer offensive that has
stopped car factories, hospitals, schools and other
organizations in around 100 countries was only temporary.
The pace of the attack by a destructive virus dubbed
WannaCry slowed late on Friday, after the so-called "ransomware"
locked up more than 100,000 computers, demanding owners pay to
$300 to $600 get their data back.
"It's paused but it's going to happen again. We absolutely
anticipate that this will come back," said Patrick McBride, an
executive with cyber-security firm Claroty.
Symantec predicted infections so far would cost tens of
millions of dollars, mostly from cleaning corporate networks.
Ransoms paid so far amount to only tens of thousands of dollars,
one analyst said, but he predicted they would rise.
Companies rushed to protect Windows systems with patches
that Microsoft released last month and on Friday. WannaCry
exploited a vulnerability to spread itself across networks, a
rare and powerful feature that caused infections to surge on
Code for exploiting that bug, which is known as "Eternal
Blue," was released on the internet in March by a hacking group
known as the Shadow Brokers. The group claimed it was stolen
from a repository of National Security Agency hacking tools. The
agency has not responded to requests for comment.
The identity of the Shadow Brokers is not known, though many
security researchers say they believe they are in Russia, which
is a major source of ransomware and was one of the countries hit
first and hardest by WannaCry.
Cyber security experts, who have been on watch for months
for an "Eternal Blue"-based attack, said on Saturday that they
expect the computer code to be used in types of cyber attacks
beyond extortion campaigns, including efforts to seize control
of networks and steal data.
Governments and private security firms on Saturday that they
expect hackers to tweak the malicious code used in Friday's
attack, restoring the ability to self-replicate. Those
expectations prompted businesses to call in technicians to work
over the weekend to make sure networks were protected with
security updates needed to thwart Eternal Blue.
"It's all hands on deck," said Shane Shook, an independent
security consultant whose customers include large corporations
Guillaume Poupard, head of France’s national cyber security
agency, told Reuters he is concerned infections could surge
again on Monday, when workers return to the office and turn on
The U.S. government on Saturday issued a technical alert
with advice on how to protect against the attacks, asking
victims to report attacks to the Federal Bureau of Investigation
or Department of Homeland Security.
RENAULT HALTS PRODUCTION
Security software maker Avast said it had observed 126,534
ransomware infections in 99 countries, with Russia, Ukraine and
Taiwan the top targets.
Security experts said that they were not sure how many
victims would pay the ransoms, or if access to computers was
being restored after such payments.
Elliptic, a private security firm that investigates
ransomware attacks, said that only about $32,000 had been sent
to bitcoin addresses listed by the extortionists in ransom
demands that flashed on screens of infected computers.
"We expect this number to increase significantly over the
course of the weekend," said Tom Robinson, lead investigator at
That is far below what it is likely to cost companies to
recover from such attacks.
Symantec researcher Vikram Thakur said that total repair
costs are likely to be in the tens of millions of dollars.
"The expensive part is the clean up of the machine and
restoring the encrypted data," he said.
Still, such figures do not account for lost production at
firms like Renault, which on Saturday said it had
halted stopped manufacturing at plants in Sandouville, France
and Romania to prevent the spread of ransomware in its systems.
Among the other victims is a Nissan manufacturing
plant in Sunderland, northeast England, though a spokesman said
"there has been no major impact on our business."
Hundreds of hospitals and clinics in the British National
Health Service were infected on Friday, forcing them to send
patients to other facilities. On Saturday, Interior Minister
Amber Rudd said that 97 percent of the nation's health service
trusts were "working as normal."
German rail operator Deutsche Bahn said some
electronic signs at stations announcing arrivals and departures
In Asia, some hospitals, schools, universities and other
institutions were affected, though the full extent of the damage
is not yet known due to the weekend.
International shipper FedEx Corp said some of its
Windows computers were also breached. "We are implementing
remediation steps as quickly as possible," a FedEx statement
Telecommunications company Telefonica was among
many targets in Spain. Portugal Telecom and Telefonica Argentina
both said they were also targeted.
Europol's European Cybercrime Centre said it was working
closely with national law enforcement agencies and private
security firms to combat the threat and help victims.
"The recent attack is at an unprecedented level and will
require a complex international investigation to identify the
culprits," it said in a statement.
Some experts said the threat had receded in part because a
British-based researcher, who declined to give his name,
registered a domain that he noticed the malware was trying to
connect to, and so limited the worm's spread.
Finance chiefs from the Group of Seven rich countries were
to commit on Saturday to joining forces to fight the growing
threat of international cyber attacks, according to a draft
statement of a meeting they are holding in Italy.
"Appropriate economy-wide policy responses are needed," the
ministers said in their draft statement, seen by Reuters.
(Additional reporting by Kiyoshi Takenaka, Jose Rodriguez,
Emmanuel Jarry, Jemima Kelly, Alistair Smout, Andrea Shalal,
Jack Stubbs, Antonella Cinelli, Dustin Volz, Kate Holton, Andy
Bruce, Michael Holden, David Milliken, Tim Hepher, Luiza Ilie,
Patricia Rua, Axel Bugge, Sabine Siebold and Eric Walsh, Engen
Tham, Fransiska Nangoy, Soyoung Kim, Mai Nguyen; editing by
Peter Henderson and Mary Milliken)