LONDON — The cyberattack that took computer files hostage around the world appeared to slow on Monday as authorities worked to catch the extortionists behind it — a difficult task that involves searching for digital clues and following the money.
Thousands more infections were reported with the start of the workweek, largely in Asia, which had been closed for business when the “ransomware” locked up computers Friday at hospitals, factories, government agencies, banks and other businesses.
But the big second-wave outbreak that many feared they would see when users returned to their offices Monday morning and switched their computers back on failed to materialize.
Lynne Owens, director-general of Britain’s National Crime Agency, said there was no indication of a second surge in the cyberattack but warned, “That doesn’t mean there won’t be one.”
Security researchers in the meantime have been disassembling the malicious software, known as WannaCry, in hopes of uncovering clues to who released it. They are doing the same with the “phishing” emails that helped the ransomware embed itself in computers.
Investigators also hope to learn more by examining ransom payments made by computer users via bitcoin, the hard-to-trace digital currency often used by criminals.
WannaCry paralyzed computers running mostly older versions of Microsoft Windows in some 150 countries. It encrypted users’ computer files and displayed a message demanding anywhere from $300 to $600 to release them; failure to pay would leave the data mangled and likely beyond repair.
A cybersecurity researcher in Britain managed to slow down its spread by activating the software’s “kill switch,” but there were fears that the cybercriminals would release even more malicious versions.
Steve Grobman of the security company McAfee said forensics experts are looking at how the ransomware was written and how it was run. WannaCry is a sophisticated piece of work, he said, which helps rule out the possibility it was released by mere pranksters or lower-level thieves.
As for anonymous bitcoin transactions, he said, it is sometimes possible to follow them until an identifiable person is found.
So far, not many people have paid the ransom, said Jan Op Gen Oorth, a spokesman for Europol, the European police agency.
Eiichi Moriya, a cybersecurity expert and professor at Japan’s Meiji University, warned that paying the ransom would not guarantee a fix.
“You are dealing with a criminal,” he said. “It’s like after a robber enters your home. You can change the locks, but what has happened cannot be undone.”
Meanwhile, automaker Renault decided not to reopen a 3,500-employee plant in France on Monday as a “preventative step.” Lebanon’s central bank temporarily suspended electronic transactions as a precaution.
In Britain, many hospitals and clinics that are part of the country’s national health service were still having computer problems. Patients have had to be turned away because their records were inaccessible.
In the U.S., where the effects haven’t appeared to be widespread, investigators believe additional companies have been attacked but have not yet come forward to report it, a law enforcement official told The Associated Press. The official was not authorized to speak publicly about the investigation.
In China, state media said more than 29,000 institutions there had been infected along with hundreds of thousands of devices. Universities and other schools were among the hardest hit. Railway stations, mail delivery, gas stations, hospitals, office buildings, shopping malls and government services were also said to be affected.
In Japan, companies such as Hitachi and Nissan reported problems but said their operations had not been seriously affected. In Indonesia, the ransomware locked patient files on computers in two hospitals in the capital, Jakarta, causing delays.
Experts urged organizations and companies to immediately update older Microsoft operating systems, such as Windows XP, with a patch released by the company.