A programmer in Taipei shows a sample of a ransomware attack. (Ritchie B. Tongo/EPA)

Evidence of the cyberattack that hit up to 100 countries continued to ripple around the world Saturday with reports of Chinese students unable to access their graduation theses, British doctors canceling operations and passengers at train stations in Germany greeted by hacked messages on arrival and departure screens.

Individuals and organizations around the world were scrambling after the international attack, which began Friday and spread rapidly via email, to limit the damage or implement preventive measures.

The attack — thought to be one of the largest ever of its kind — was a form of ransomware that locks up computer systems and prevents access to data or systems until a payment is made.

It hit Britain’s beloved but creaky National Health Service particularly hard, causing widespread disruptions and interrupting medical procedures across hospitals in England and Scotland. The government said that 48 of the NHS’s 248 organizations were affected, but by Saturday evening all but six were back to normal. When asked if the British government paid any ransom in this situation, a Downing Street spokesman said “no,” and pointed out that Home Secretary Amber Rudd has advised that others don’t either.


During the attack on Britain’s NHS system, computer screens were locked by the malware that prompted the user to pay $300 in bitcoins or risk having their files erased.

Similar messages — written in local languages — popped up on screens across Europe.

In Germany, people posted pictures on social media of scheduling screens at train stations displaying the ransomware message. Deutsche Bahn, Germany’s national railway service, tweeted that its train service had not been compromised and that it was working full speed to solve the problems. According to DPA news agency, Deutsche Bahn's video surveillance technology was also hit.

Other targets in Europe included Telefónica, the Spanish telecom giant; the French carmaker Renault; and a local authority in Sweden, which said about 70 computers were infected. Odd, a Norwegian football club, said that its online ticketing system was hit by the bug.

On Saturday, it was still unclear who was behind the sophisticated attack.

“We’re not able to tell you who is behind that attack. That work is still ongoing,” Amber Rudd, Britain’s home secretary, told the BBC. She said that it has affected “up to 100 countries” and that it wasn’t specifically targeted at Britain’s NHS.

TMT post, a Chinese online news outlet focusing on the Internet industry, reported that a number of Chinese universities had been affected by the attack.


Several schools — including Nanchang University, Shandong University and University of Electronic Science and Technology of China — issued alerts on their Weibo social-media feeds, warning staff and students to back up important files and not to open suspicious emails.

According to Chinese magazine Caijing, some students’ graduation theses and projects have reportedly been encrypted.

In Russia, hacking attacks had been confirmed Saturday at the Health Ministry, the state-run Russian Railways and the telecommunications company Megafon, along with the Interior Ministry, which manages the police force. There were also reports that the powerful Investigative Committee, which investigates high-level crime, and several other telecommunications companies had been targeted.

The Interior Ministry said that 1,000 of its computers had been blocked by prompts demanding payment. By Friday evening, the ministry said it had “contained” the attack and denied that any of its information had been stolen.

Jakub Kroustek, a malware researcher with Avast, a security software company in the Czech Republic, said in a blog post that Russia was the most affected country so far. “We are now seeing more than 75,000 detections of WanaCrypt0r 2.0 in 99 countries,” he wrote Friday night, referring to a designator for the ransomware.

Kaspersky Lab, a Moscow-based Internet security firm, also said that the attacks were mostly in Russia.

One reason Russia may have been hit so hard is the use of outdated software by government agencies.

“Russia has a very rickety, out-of-date infrastructure, using not just outdated software but pirated out-of-date software,” said Mark Galeotti, a senior researcher at the Institute of International Relations Prague. According to Galeotti, one Interior Ministry official in 2013 estimated that 40 percent of the ministry’s computers could be using pirated Windows software, which is widely available in Russia for download or at local computer markets.

In Brazil, the attack struck at the heart of the government — employee computers at the Justice Ministry and Brazil’s social-security administration were infected. The local media also reported that the attack locked up computers in the country's labor courts and the public prosecutor's office.

In the United States, package delivery giant FedEx also fell victim to the malware.

The bug creating the global havoc, called Wanna Decrypt0r 2.0 — also known by names including WCry, WannaCry and WanaCrypt0r 2.0 — exploits a flaw that experts say was identified in a stolen National Security Agency document.

Microsoft released a patch to fix the problem in March, but computer systems that did not install the update remain vulnerable.

It’s possible that the malware didn’t spread further because of the enterprising work of a 22-year-old British cybersecurity researcher. The researcher, who has remained anonymous but goes by the Twitter handle @malwaretechblog, appeared to have activated a kill switch by registering a domain name that the malware was attempting to connect with. The move didn’t help organizations that were already impacted by the attack, but experts said that it limited the spread of the current virus. The researcher, however, warned in a blog post [ncsc.gov.uk] that the hackers could alter the code and try again.

In Britain, which is in the middle of an election campaign, the cyberattack triggered criticism of the NHS’s aging computer systems, particularly the use of Windows XP, an outdated version of the Microsoft operating system that doesn’t have the same level of defense against cyberattacks as newer operating systems.

The opposition Labour Party’s Jonathan Ashworth tweeted that the government had been complacent over cybersecurity. “We need answers on whether funding squeeze compromised security,” he wrote.

Rudd, the home secretary, stressed that there was no evidence that patient data had been compromised but said that there were lessons to learn.

She told the BBC that Windows XP was “not a good platform for keeping your data as secure as the modern ones because you can’t download the effective patches and anti-virus software.”

“I would expect NHS trusts to learn from this and to make sure that they do upgrade,” she said.

Andrew Roth in Moscow, Luna Lin in Beijing, Griff Witte and Stephanie Kirchner in Berlin, Marina Lopes in São Paulo, and Michael Birnbaum in Tallinn, Estonia, contributed to this report.