By Friday afternoon, though, it was clear that this was not a limited attack. Businesses in at least 11 other countries reported similar cyberattacks. Many were paralyzed.
There's still a lot we don't know. (We'll be updating this post!) But here's what we do know, so far:
How, exactly, does this ransomware work?
Once your computer is infected, the attack can do a couple of things. One common approach: Your files will be encrypted or converted into a different language for which only the hacker has the cipher. Often, you won't even know you've been targeted until you try to open a file.
Another, more damaging version is what happened Friday: The ransomware locks you out of your entire system. During the attack in England, computer screens showed a message demanding $300 in bitcoin in exchange for the decryption key that would unlock the files. Victims had three days to pay before the fee was doubled. (Something very similar happened to a hospital system in Los Angeles a couple of months ago. The hospital ended up paying about $17,000. The hackers even set up a help line to answer questions about paying the ransom.)
Here's the screen that comes up on hacked computers.
This attack relies on something called the Wanna Decryptor, also known as WannaCry or WCRY. These kinds of attacks are particularly hard to spot, especially because hackers are always tweaking them. The Wanna Decryptor being used is just weeks old, and it was just updated.
How do computers get infected?
Hackers can get ransomware on your system if you download an infected piece of software or a PDF. They can also use a phishing email to direct you to an infected website. Here is a closer look on how it's done:
In this case, hackers sent a zip file attachment in an email. When victims clicked on it, their computers were infected. But the attack didn't stop there. The ransomware spread through the hospitals' and businesses' computer networks. “Once you get a foothold in the system, other users will start to run those pieces of software,” explained Clifford Neuman, who directs the University of Southern California's Center for Computer Systems Security.
What's the NSA got to do with it?
Though we don't know for sure, it looks like the hackers exploited a vulnerability in the Windows operating system. Microsoft knew about this many months ago and put together a patch, but many businesses are slow to update their operating systems because they have to evaluate the updates' impact on other software. (Or, like most of us, they just keep running old versions of software forever.)
Microsoft knew about this vulnerability because it was exposed as a technique used by the National Security Agency by hackers.
Investigators are pursuing a lot of leads, but so far they have very little concrete evidence. They do think it's the work of criminals, not a foreign power. They know the original hacking tool was leaked by a group called the Shadow Brokers, which dumps stolen NSA tools online. But they don't know who the Shadow Brokers hackers are or whether they perpetrated the attack.
Britain's National Health Service (NHS) was a major victim. More than 40 hospitals and health facilities across England were affected, and many staff members were locked out of their computers, unable to access patient medical records, appointment schedules and internal emails. It was so bad that officials warned people to stay home unless they were having a medical emergency. Hospitals in Scotland and Wales were affected, too.
But investigators quickly discovered that the NHS was not the only, or even the intended, victim. The attack was wide-ranging and affected organizations across the country.
Meanwhile, Spain's National Cryptologic Center, part of that country's intelligence agency, reported a “massive ransomware attack” against Spanish organizations. At Telefonica, in Madrid, security department officials ordered employees to switch off their computers and disconnect from WiFi.
This is much bigger than that, though. According to Britain's Independent newspaper, these attacks may stretch around the globe, from Portugal to Turkey, Indonesia, Vietnam, Japan, Germany and Russia. It “is much larger than just the NHS,” Travis Farral, director of security strategy for cybersecurity firm Anomali Labs, told the Independent. “It appears to be a giant campaign that has hit Spain and Russia the hardest.” (Here's a live map tracking the malware.)
What are investigators trying to do to catch the attackers?
It can be hard to track down the perpetrators in attacks like this, but it's not impossible.
One method: follow the money. It's possible to trace where a bitcoin payment ends up. “Despite what people tend to think, it's highly traceable,” said Neuman, of USC. “You can see the flow of funds through the bitcoin system.” That doesn't mean, however, that you'll know who actually ends up with the money, especially once it's pulled out of the system. Hackers are able to hide that in lots of different ways.
Experts will also be searching the code itself for clues. Hackers each write codes in different ways, leaving identifiable traces of their work, like a signature.
What can I do to stay safe?
First, back up your hard drive. You should be keeping frequent backups anyway, in case your computer dies on its own. But if your computer gets hacked, you'll be able to retrieve your data without paying a ransom.
If you run a business, back up every computer in your office and have a plan for what to do if your system goes down for a while. Be smart about setting up your network, so that most users don't have complete access to the system. This makes it harder for a ransomware attack to infect everything. And make sure your users are educated about the common kinds of attacks.
Avi Rubin, a Johns Hopkins professor who studies computer hacking, has one other piece of advice: If you or your business get attacked, don't pay. “You're funding the bad guys and giving more incentive,” he said. You also don't know whether your files will really be restored.
Update: An earlier version of this post suggested that Edward Snowden's leak was the source of the information that led to the hack. This is inaccurate.