A cyber-attack that hit organisations worldwide including the UK’s National Health Service was “unprecedented”, Europe’s police agency says.
Europol also warned a “complex international investigation” was required “to identify the culprits”.
Ransomware encrypted data on at least 75,000 systems in 99 countries on Friday. Payments were demanded for access to be restored.
European countries, including Russia, were among the worst hit.
Although the spread of the malware – known as WannaCry and variants of that name – appears to have slowed, the threat is not yet over.
Europol said its cyber-crime team, EC3, was working closely with affected countries to “mitigate the threat and assist victims”.
In the UK, the head of the cyber security agency said experts were “working around the clock” to restore the systems of some 45 NHS organisations that were hit by the attack.
The attack left hospitals and doctors unable to access patient data, and led to the cancellation of operations and medical appointments.
Who else has been affected by the attack?
Some reports said Russia had seen more infections than any other single country. Domestic banks, the interior and health ministries, the state-owned Russian railway firm and the second-largest mobile phone network were all reported to have been hit.
Russia’s interior ministry said 1,000 of its computers had been infected but the virus was swiftly dealt with and no sensitive data was compromised.
In Spain, a number of large firms – including telecoms giant Telefonica, power firm Iberdrola and utility provider Gas Natural – were also struck, with reports that staff at the firms were told to turn off their computers.
People tweeted photos of affected computers including a local railway ticket machine in Germany and a university computer lab in Italy.
France’s carmaker Renault was forced to stop production at a number of sites. Portugal Telecom, the US delivery company FedEx and a local authority in Sweden were also affected.
China has not officially commented on any attacks it may have suffered, but comments on social media said a university computer lab had been compromised.
Coincidentally, finance ministers from the G7 group of leading industrial countries had been meeting on Friday to discuss the threat of cyber-attacks.
They pledged to work more closely on spotting vulnerabilities and assessing security measures.
Who has been hit by the NHS cyber attack?
Explaining the global ransomware outbreak
A hack born in the USA?
How did it happen and who is behind it?
The malware spread quickly on Friday, with medical staff in the UK reportedly seeing computers go down “one by one”.
NHS staff shared screenshots of the WannaCry programme, which demanded a payment of $300 (£230) in virtual currency Bitcoin to unlock the files for each computer.
The infections seem to be deployed via a worm – a program that spreads by itself between computers.
Most other malicious programs rely on humans to spread by tricking them into clicking on an attachment harbouring the attack code.
By contrast, once WannaCry is inside an organisation it will hunt down vulnerable machines and infect them too.
It is not clear who is behind the attack, but the tools used to carry it out are believed to have been developed by the US National Security Agency (NSA) to exploit a weakness found in Microsoft’s Windows system.
This exploit – known as EternalBlue – was stolen by a group of hackers known as The Shadow Brokers, who made it freely available in April, saying it was a “protest” about US President Donald Trump.
A patch for the vulnerability was released by Microsoft in March, which would have automatically protected those computers with Windows Update enabled.
Microsoft said on Friday it would roll out the update to users of older operating systems “that no longer receive mainstream support”, such Windows XP (which the NHS still largely uses), Windows 8 and Windows Server 2003.
The number of infections seems to be slowing after a “kill switch” appears to have been accidentally triggered by a UK-based cyber-security researcher tweeting as @MalwareTechBlog.
He was quoted as saying he noticed the web address the virus was searching for had not been registered – and when he registered it, the virus appeared to stop spreading.
But he warned this was a temporary fix, and urged computer users to “patch your systems ASAP”.
Why do companies still use Windows XP? By Chris Foxx, technology reporter
Many jobs can be done using software everyone can buy, but some businesses need programs that perform very specific jobs – so they build their own.
For example. a broadcaster might need specialist software to track all the satellite feeds coming into the newsroom, and a hospital might need custom-built tools to analyse X-ray images.
Developing niche but useful software like this can be very expensive – the programming, testing, maintenance and continued development all adds up.
Then along comes a new version of Windows, and the software isn’t compatible. Companies then face the cost of upgrading computers and operating system licences, as well as the cost of rebuilding their software from scratch.
So, some choose to keep running the old version of Windows instead. For some companies, that is not a huge risk. In a hospital, the stakes are higher.
Have you or your company been affected by the cyber-attack? Email us at
You can also contact us in the following ways:
- Tweet: @BBC_HaveYourSay
- WhatsApp: +447555 173285
- Text an SMS or MMS to 61124 (UK) or +44 7624 800 100 (international)