Cyberattack hits schools, hospital in Taiwan


NEW YORK (AP) Developments on Monday, May 15, about the global extortion cyberattack that hit dozens of countries (all times Eastern Daylight Time).

  • 10:40 p.m.

Taiwanese state media reported the WannaCry cyberattack infected computers in 10 schools, the national power company, a hospital, and at least one private business.

However, the Central News Agency report indicates the ransomware program caused no damage to the schools’ core database systems. Taiwan’s education ministry warned institutions to protect their information and not to download software from unknown sources. It advised that schools should disconnect computers from the internet and reformat them in the event that malware is detected.

The news agency reported WannaCry also infected computers at an office of the Taiwan Power Company, a hospital, and a business in the central city of Taichung. The unnamed business reported paying $1,000 in bitcoin to unlock files held hostage by the program. It wasn’t clear whether its files were recovered.

The news agency reported there had not been any incidents of the ransomware affecting government agencies.

  • 6:25 p.m.

The IT expert who helped stop the spread of the WannaCry cyberattack said he believes the fight against the infection is “done and dusted.”

Marcus Hutchins, 22, who works for Los Angeles-based cybersecurity firm Kryptos Logic, said although he was the person who registered a domain name that took down the virus, hundreds of others helped in the effort.

In his first face-to-face interview, Hutchins said hundreds of computer experts worked throughout the weekend to fight the virus, which paralyzed computers in some 150 countries.

Hutchins told The Associated Press he doesn’t consider himself a hero but fights malware because “it’s the right thing to do.”

  • 6:00 p.m.

Security researchers were looking at possible connections between the global “ransomware” attack and North Korea, though one firm cautioned the connection was “weak.”

The security company Kaspersky Lab said portions of the WannaCry ransomware used the same code as malware previously distributed by Lazarus, a group behind the 2014 Sony hack blamed on North Korea.

But it was possible the code was simply copied from the Lazarus malware without any other direct connection.

Another security company, Symantec, has also found similarities between WannaCry and Lazarus tools, but said “they so far only represent weak connections. We are continuing to investigate for stronger connections.”

WannaCry paralyzed computers running factories, banks, government agencies, and transport systems in some 150 countries.

  • 3:25 p.m.

A law enforcement official said investigators believe additional companies in the United States were affected by the global ransomware cyberattack but had not yet come forward to report the attacks.

The official spoke to The Associated Press on condition of anonymity because the official was not authorized to speak publicly about an ongoing investigation.

The official said investigators obtained some of the phishing emails connected to the attack and were analyzing them for “bread crumbs” that may lead them to the attackers.

Authorities were encouraging affected companies to contact law enforcement and not pay the ransom.

While the attack that emerged Friday, hitting companies and governments around the world, ebbed in intensity Monday, experts warned that new versions of the virus could emerge.

Investigators fear the ransomware can be re-released without a kill switch that allowed researchers to interrupt the malware’s initial spread.

  • 3:00 p.m.

President Donald Trump’s homeland security adviser said so far, no U.S. federal systems had been affected by the global cyberattack.

Tom Bossert said the U.S. government was closely monitoring the attack, which affected an estimated 300,000 machines in 150 countries. He noted a few U.S. businesses, including FedEx, were affected.

Computers across the world were locked up Friday and users’ files held for ransom when dozens of countries were hit in a cyber-extortion attack that targeted hospitals, companies, and government agencies. Cybersecurity experts said the unknown hackers who launched the ransomware attacks used a hole in Microsoft software that was discovered by the National Security Agency and exposed when NSA documents were leaked online.

Neither the FBI nor the NSA would comment.

  • 2:30 p.m.

Investigators looking to catch the perpetrators of the global cyberattack were looking for digital clues, including monitoring the bitcoin accounts used to collect ransom payments.

It could be tough, but not impossible.

Security experts said bitcoin is often believed to be anonymous, but the transactions are highly traceable. What’s not known is who’s behind a particular account. But the bitcoin money often has to be converted into real-world currency at some point.

Steve Grobman of the security company McAfee said forensics experts would also be looking for clues in the structure of the malware, including how it was written and how it was run. He said the malware was sophisticated, helping to rule out pranksters and lower-level thieves.

  • 2:25 p.m.

Interpol’s cybercrime unit, based in Singapore, said it was working on information provided by the private Kaspersky Lab to assist investigations in the countries affected. Europol has said the same. But neither agency has actual enforcement capabilities, instead acting more as information clearinghouses and organizers in the complex world of international law enforcement, where police from different countries rarely have a language in common — and few speak the languages of computer programming.

Costin Raiu, head of Kaspersky’s global research and analysis, whose group has two analysts directly embedded with Interpol, said a main pitfall would be sharing intelligence in real time, and then being able to follow the accumulated evidence to a suspect. Raiu said investigators were scouring the Tor darknet to trace the command and control servers. The attackers were believed to be relatively new at the ransomware business, he said.

“The attack appears to be slowing down anyway. What we are afraid of are copycats,” he said.

  • 1:50 p.m.

Germany’s interior ministry said software companies need to do their own homework, rather than blame governments for security breaches.

Microsoft’s top lawyer, Brad Smith, had criticized governments Sunday for “hoarding” vulnerabilities and urged authorities to report security problems to IT firms “rather than stockpile, sell, or exploit them.”

“Someone who doesn’t do their homework trying to make others responsible for not pointing out this homework needs to be done seems to me to mix up cause and effect,” Interior ministry spokesman Tobias Plate said.

Plate told reporters in Berlin that the German government had published a new cybersecurity strategy last year that included a proposal to hold IT companies liable for security flaws.

German rail company Deutsche Bahn’s platform displays were hit by the global ransomware cyberattack.

  • 12:40 p.m.

U.S. homeland security adviser Bossert said the recent global cyberattack was something that “for right now, we’ve got under control” in America.

Bossert told ABC’s Good Morning America the malware was an “extremely serious threat” that could inspire copycat attacks. But Microsoft’s security patch released in March should protect U.S. networks for those who install it.

Microsoft’s top lawyer criticized U.S. intelligence for “stockpiling” software code that could aid hackers. Cybersecurity experts said the unknown hackers behind the latest attacks used a vulnerability exposed in U.S. government documents leaked online.

Bossert said “criminals” were responsible, not the U.S. government. Bossert said the U.S. hasn’t ruled out involvement by a foreign government, but the recent ransom demands suggest a criminal network.

  • 10:55 a.m.

Indian authorities were on high alert for news of malfunctioning computers, after experts estimated 5 percent of affected computers were in the country.

The Computer Emergency Response Team of India issued a red-colored “critical alert” — its highest alarm level — and urged computer users to update their systems and use protective software.

But few major problems were reported. The head of the government response team told Press Trust of India news agency that “everything seems to be normal, so far. No reports have come in” detailing cyberattacks in the country.

The Kaspersky Lab, a security solutions firm, estimated that up to 5 percent of computers affected globally could be in India. The country is considered vulnerable thanks to a large number of computers running on older Microsoft operating systems.

  • 10:20 a.m.

Britain’s health service said most hospitals hit by the global attack were back up and running, but seven were still experiencing IT disruption and canceling appointments.

About a fifth of NHS trusts — the regional bodies that run hospitals and clinics — were hit by the attack on Friday, leading to thousands of canceled appointments and operations.

Health officials said seven of the 47 affected were still having IT problems and asked for “extra support” from the National Health Service.

Barts Health, which runs five London hospitals, said it was still sending some ambulances to other hospitals, and canceled some surgeries and outpatient appointments.

Ciaran Martin, chief executive of the U.K.’s National Cyber Security Centre, warned that more computers could be infected Monday when doctors’ practices re-opened after the weekend.

  • 9:50 a.m.

In France, auto manufacturer Renault said one of its plants, which employs 3,500 people in Douai, northern France, wasn’t reopening Monday while technicians continued to deal with the aftermath of the global cyberattack.

The company described the temporary halt in production as a “preventative step.” The company did not give details about the degree to which the plant was affected by the malware. Renault said all of its other plants in France were open Monday.

  • 8:45 a.m.

The problem with its home page wasn’t ransomware after all, Osaka city hall said. The site was back up but the real cause of the problem was not yet clear, said spokesman Hajime Nishikawa.

Kyodo News said one personal computer was affected at one office at East Japan Railway Co., but train services were not affected.

  • 6:15 a.m.

A Japanese nonprofit said computers at 600 locations had been hit in the global cyberattack.

Nissan Motor Co. confirmed some units had been targeted, but there was no major impact on its business.

Hitachi spokeswoman Yuko Tainiuchi said emails were slow or not getting delivered, and files could not be opened. The company believed the problems were related to the ransomware attack, although no ransom was being demanded. They were installing software to fix the problems.

The Japan Computer Emergency Response Team Coordination Center said 2,000 computers in Japan were reported affected so far, citing an affiliate foreign security organization that it did not identify.

At least one hospital was affected, according to police.

  • 6:10 a.m.

South Korea was mostly spared from the global cyber chaos that crippled scores of governments and companies in 150 countries.

Director Shin Dae Kyu at the state-run Korea Internet & Security Agency, who monitors the private sector, said five companies reported they were targeted by the global attack. While some companies did not report damages to the government, South Korea did not see crippling damages, he said.

The most public damage was on the country’s largest movie chain. CJ CGV Co. was restoring its advertising servers at dozens of its movie theaters after the attack left the company unable to display trailers of upcoming movies. Its movie ticket systems were unaffected.

Another government security official said no government systems were affected.

  • 6:00 a.m.

Global cyber chaos was spreading with companies booting up computers at work following the weekend’s worldwide ransomware cyberattack.

The extortion scheme created chaos in 150 countries and could wreak even greater havoc if more malicious variations appear. The initial attack, known as WannaCry, paralyzed computers running Britain’s hospital network, Germany’s national railway, and scores of other companies and government agencies around the world.

As a loose global network of cybersecurity experts fought the ransomware hackers, in China, state media said more than 29,000 institutions had been infected along with hundreds of thousands of devices.

The Japan Computer Emergency Response Team Coordination Center, a nonprofit providing support for computer attacks, said 2,000 computers at 600 locations in Japan were reported affected.