Information for this article was contributed by Sylvia Hui, Christopher S. Rugaber, Brian Melley, Allen G. Breed and Anick Jesdanun of The Associated Press; by Jordan Robertson, Rebecca Penty, Stepan Kravchenko, Ksenia Galouchko, Robert Hutton, Jack Sidders, Adam Satariano, Nour Al Ali and Margaret Talev of Bloomberg News; and by David E. Sanger, Sewell Chan, Mark Scott, Motoko Rich, Keith Bradsher, Joe Cochrane, Steve Lohr, Austin Ramzy, Paul Mozur, Richard C. Paddock and Ceylan Yeginsu of The New York Times.
A young cybersecurity researcher has been credited with helping to halt the spread of the global ransomware attack by accidentally activating a so-called "kill switch" in the malicious software. The malicious software was identified in more than 70 experts, though Russian Federation was hit the hardest.
The tech whiz - known by his Twitter handle, MalwareTech - tweeted that "version 2.0" of the ransom software "will likely remove the flaw" that allowed him to disable the wave of infections that began Friday. The NSA tools were stolen by hackers and dumped on the internet.
Government investigators, while not publicly acknowledging that the computer code was developed by USA intelligence agencies as part of the country's growing arsenal of cyberweapons, say they are still investigating how the code got out. If it connects to the domain, though, "the malware exits" and the system is not compromised.
The ongoing situation is getting the "full attention" of the Government's National Cyber Security Centre (NCSC), Prime Minister Theresa May said, amid suggestions outdated software left some health service systems vulnerable.
Home Secretary Amber Rudd said 48 NHS trusts were affected and all but six were now back to normal.
The attack held hospitals and other entities hostage by freezing computers, encrypting data and demanding money through online bitcoin payments. But it appears to be "low-level" stuff, Eisen said Saturday, given the amount of ransom demanded - $300 at first, rising to $600 before it destroys files hours later. This is already believed to be the biggest online extortion attack ever recorded, disrupting services in nations as diverse as the U.S., Russia, Ukraine, Brazil, Spain and India. Radio Slovenia said Saturday the Revoz factory in the southeastern town of Novo Mesto stopped working Friday evening to stop the malware from spreading.
"The recent attack is at an unprecedented level and will require a complex worldwide investigation to identify the culprits", Europol said.
"I think the security industry as a whole should be considered heroes", he said.
That's good news for those unfortunate enough to encounter WannaCry, but MalwareTech warns that his sinkhole "only stops this sample and there is nothing stopping them removing the domain check and trying again, so it's incredibly importiant [sic] that any unpatched systems are patched as quickly as possible". Short of paying, options for these individuals and companies are usually limited to recovering data files from a backup, if available, or living without them.
Although the ransomware stopped spreading, the kill switch can not help those whose computer have been infected by the ransomware.
Security experts said it appeared to be caused by a self-replicating piece of software that enters companies when employees click on email attachments, then spreads quickly as employees share documents. Hackers in the group Shadow Brokers later leaked the exploit online.
Shortly after that disclosure, Microsoft announced that it had already issued software "patches", or fixes, for those holes " but many users haven't yet installed the fixes or are using older versions of Windows.