TORONTO/FRANKFURT – Japan is among the countries affected by a global cyberattack, according to the cybersecurity firms Trend Micro and Kaspersky Lab, but the extent is not yet known.
The National Police Agency said it was working to assess the damage to Japanese firms.
Kaspersky said the main target of the cyberattack was Russia, and the number of attacks targeting Japan was limited.
But the company’s Suguru Ishimaru warned that hackers were ready to increase attacks on Japan — some of the ransom demands in the malware used in the attacks are in Japanese.
Trend Micro called it “one of the most serious ransomware attacks,” saying it has had a huge impact on Japanese firms. The company based its assessment on the number of attacks that had been prevented by its security software.
Businesses around the world scrambled on Saturday to prepare for a renewed cyberattack, convinced that a lull in a computer offensive that has stopped car factories, hospitals, schools and other organizations in around 100 countries was only temporary.
The pace of the attack by a destructive virus dubbed “WannaCry” slowed late on Friday, after the so-called ransomware locked up more than 100,000 computers, demanding owners pay $300 to $600 get their data back.
“It’s paused but it’s going to happen again. We absolutely anticipate that this will come back,” said Patrick McBride, an executive with cybersecurity firm Claroty.
Symantec predicted infections so far would cost tens of millions of dollars, mostly from cleaning corporate networks. Ransoms paid so far amount to only tens of thousands of dollars, one analyst said, but he predicted they would rise.
Companies rushed to protect Windows systems with patches that Microsoft released last month and Friday.
“I believe many companies have not yet noticed,” said William Saito, a cybersecurity adviser to Japan’s government. “Things could likely emerge on Monday” as staffers return to work.
WannaCry exploited a vulnerability to spread itself across networks, a rare and powerful feature that caused infections to surge Friday.
Code for exploiting that bug, which is known as “Eternal Blue,” was released on the internet in March by a hacking group known as the Shadow Brokers. The group claimed it was stolen from a repository of National Security Agency hacking tools. The agency has not responded to requests for comment.
The identity of the Shadow Brokers is not known, though many security researchers say they believe they are in Russia, which is a major source of ransomware and was one of the countries hit first and hardest by WannaCry.
Cybersecurity experts, who have been on watch for months for an “Eternal Blue”-based attack, said Saturday that they expect the computer code to be used in types of cyberattacks beyond extortion campaigns, including efforts to seize control of networks and steal data.
Governments and private security firms on Saturday that they expect hackers to tweak the malicious code used in Friday’s attack, restoring the ability to self-replicate. Those expectations prompted businesses to call in technicians to work over the weekend to make sure networks were protected with security updates needed to thwart Eternal Blue.
“It’s all hands on deck,” said Shane Shook, an independent security consultant whose customers include large corporations and governments.
Guillaume Poupard, head of France’s national cybersecurity agency, said he is concerned infections could surge again Monday, when workers return to the office and turn on computers.
The U.S. government on Saturday issued a technical alert with advice on how to protect against the attacks, asking victims to report attacks to the Federal Bureau of Investigation or Department of Homeland Security.
Security software maker Avast said it had observed 126,534 ransomware infections in 99 countries, with Russia, Ukraine and Taiwan the top targets.
Security experts said that they were not sure how many victims would pay the ransoms, or if access to computers was being restored after such payments.
Elliptic, a private security firm that investigates ransomware attacks, said that only about $32,000 had been sent to bitcoin addresses listed by the extortionists in ransom demands that flashed on screens of infected computers.
“We expect this number to increase significantly over the course of the weekend,” said Tom Robinson, lead investigator at Elliptic.
That is far below what it is likely to cost companies to recover from such attacks.
Symantec researcher Vikram Thakur said that total repair costs are likely to be in the tens of millions of dollars.
“The expensive part is the clean up of the machine and restoring the encrypted data,” he said.
Still, such figures do not account for lost production at firms like Renault, which on Saturday said it had halted stopped manufacturing at plants in Sandouville, France, and Romania to prevent the spread of ransomware in its systems.
Among the other victims is a Nissan manufacturing plant in Sunderland, northeast England, though a spokesman said “there has been no major impact on our business.”
He said the situation at the plant, which employs 7,000, continued to be monitored.
Hundreds of hospitals and clinics in the British National Health Service were infected Friday, forcing them to send patients to other facilities. On Saturday, Interior Minister Amber Rudd said that 97 percent of the nation’s health service trusts were “working as normal.”
German rail operator Deutsche Bahn said some electronic signs at stations announcing arrivals and departures were infected.
In Asia, some hospitals, schools, universities and other institutions were affected, though the full extent of the damage is not yet known due to the weekend.
International shipper FedEx Corp. said some of its Windows computers were also breached. “We are implementing remediation steps as quickly as possible,” a FedEx statement said.
Telecommunications company Telefonica was among many targets in Spain. Portugal Telecom and Telefonica Argentina both said they were also targeted.
Europol’s European Cybercrime Centre said it was working closely with national law enforcement agencies and private security firms to combat the threat and help victims.
“The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits,” it said in a statement.
Some experts said the threat had receded in part because a British-based researcher, who declined to give his name, registered a domain that he noticed the malware was trying to connect to, and so limited the worm’s spread.
Finance chiefs from the Group of Seven rich countries were to commit on Saturday to joining forces to fight the growing threat of international cyberattacks, according to a draft statement of a meeting they are holding in Italy.
“Appropriate economywide policy responses are needed,” the ministers said in their draft statement.