BEIJING/LONDON - The WannaCry ransomware attack hobbled Chinese traffic police and schools as it rolled into Asia, while authorities in Europe worked to prevent hackers from spreading new versions of the internet worm.
The WannaCry cyber attack spread more slowly on Monday with no major new infections reported, as attention shifted to investment and government policy implications of lax cyber security.
Earlier on Monday, Chinese traffic police and schools reported they had been targeted as it rolled into Asia for the new work week.
Authorities in Europe and the United States said they were trying to prevent hackers from spreading new versions of the virus.
Shares in firms that provide cyber security services jumped on the prospect of companies and governments spending more money on defences, led by Israel's Cyren Ltd and US firm FireEye Inc.
In Thailand, the junta's National Reform Steering Assembly (NRSA) saw huge opportunity to advance cyber and other network control - and not just of the internet.
The panel urged Prime Minister Prayut Chan-o-cha to use his special Section 44 powers carried over from the interim charter to set up a national cybersecurity committee.
Despite the name, the new Thai body would have permanent access to every network, activated only by a supposed threat to national security. In addition to internet-linked networks, the proposed Section 44 powers would allow government and military interference in a wide definition of "cyber" networks, including personal and business computers, all communications, telecommunications and the internet, as well as satellite, utility and public services including transport systems.
Tom Bossert, US President Donald Trump's homeland security adviser, said people "should be thinking about this as an attack that for right now we have under control, but as an attack that represents an extremely serious threat," speaking on ABC's Good Morning America show.
The US Senate Intelligence Committee is monitoring the attack and expects to receive a briefing in the coming days from the Trump administration, a panel aide said.
The perpetrators of the attack are still not known. Bossert said that while US officials had not ruled out the possibility that it was a "state action," he said it appeared to be criminal in nature, given the ransom requests.
Some victims were ignoring official advice and paying the $300 (10,350 baht) ransom demanded by the cyber criminals to unlock their computers, which was due to double to $600 on Monday for computers hit by Friday's first wave.
So far only a tiny number of the more than 200,000 estimated victims of the attack appeared to have paid, based on publicly available bitcoin accounts on the web, where victims have been instructed to pay.
The worm hit computers running older versions of Microsoft Windows) software that had not been recently updated. Microsoft released patches last month and on Friday to fix a vulnerability that allowed the worm to spread across networks. The company's shares were down about 1% on Monday, in a slightly higher broad market.
Infected computers appear to be largely out-of-date devices. Some have also been machines involved in manufacturing or hospital functions, difficult to patch without disrupting operations.
The initial ransom demand was $300 per machine. Three days after becoming infected the demand doubles. Starting on Monday, the first victims began facing demands of $600 to unlock their machines.
This coming Friday, victims face being locked out of their computers permanently if they fail to pay the $600 ransom, said Tom Robinson, co-founder of Elliptic, a London-based private security company that investigates ransomware attacks.
As of 9pm Monday Thailand time (1400 GMT) the total value of funds paid into anonymous bitcoin wallets the hackers are using stood at just $55,169, or less than 2 million baht from 209 payments, according to calculations made by Reuters using publicly available data.
Brian Lord, managing director of cyber and technology at cyber security firm PGI, said victims had told him "the customer service provided by the criminals is second-to-none", with helpful advice on how to pay: "One customer said they actually forgot they were being robbed."
Companies and governments spent the weekend upgrading software to limit the spread of the virus. Monday was the first big test for Asia, where offices had already mostly been closed for the weekend before the attack first arrived.
Renault-Nissan said output had returned to normal at nearly all its plants. PSA Group, Fiat Chrysler, Volkswagen, Daimler), Toyota and Honda said their plants were unaffected.
In a blog post on Sunday, Microsoft President Brad Smith confirmed what researchers had already widely concluded: the attack made use of a hacking tool built by the US National Security Agency that had leaked online in April.
He poured fuel on a long-running debate over how government intelligence services should balance their desire to keep software flaws secret - in order to conduct espionage and cyber warfare - against sharing those flaws with technology companies to better secure the internet.
Russian President Vladimir Putin, noting the technology's link to the US spy service, said it should be "discussed immediately on a serious political level."
"Once they're let out of the lamp, genies of this kind, especially those created by intelligence services, can later do damage to their authors and creators," he said.
In Britain, where the cyber attack first raised global alarm when it caused hospitals to divert ambulances on Friday, it gained traction as a political issue just weeks before a general election. The opposition Labour Party accused the Conservative government of leaving the National Health Service (NHS) vulnerable.
"The government's response has been chaotic," the British Labour Party's health spokesman Jon Ashworth said. "If you're not going to allow the NHS to invest in upgrading its IT, then you are going to leave hospitals wide open to this sort of attack."