The severity of the attacks in developing countries like China also highlighted the problem of illegally copied software, which tends to be more vulnerable to malware.
HONG KONG — Computer security experts struggled on Saturday to contain the fallout from audacious cyberattacks that rippled across the globe, demanding ransom from users with the threat that their data would be destroyed.
The malicious software, transmitted via email and stolen from the National Security Agency, exposed the vulnerability of computer systems at government agencies, universities, health care systems and other institutions in scores of countries hit by what was described as the largest ransomware attack on record.
In Asia, there were widespread reports on Saturday of attacks at universities, with students locked out of their theses and final papers as graduation loomed. One tech media site posted an image of a college computer lab that showed several screens displaying the red-and-white ransom note associated with the virus.
The Chinese online security company Qihoo 360 issued a warning about the virus, saying that many networks there had been hit and that some computers used to mine Bitcoin in China were among those infected. Qihoo also warned that education networks were particularly vulnerable because they were set up to more openly share data and resources like printers, leaving them relatively unprotected.
Malware problems were reported at several universities in Asia, including at Shandong University, a top school in northeast China. The university issued an online notice urging faculty and students to update their software as quickly as possible against the malware to prevent it from encrypting files and demanding a ransom payment.
“There is often no other way to decrypt the file, except to pay a high ransom to decrypt and recover the documents, learning materials and personal data, ” the notice said.
The university advised faculty members and students to install authentic Microsoft software and to contact a school office for help in doing so.
The attacks began with a simple phishing email, similar to the one Russian hackers used in the attacks on the Democratic National Committee and other targets last year. They then quickly spread through victims’ systems using a hacking method that the N. S. A. is believed to have developed as part of its arsenal of cyberweapons. Finally, the attacks encrypt the computer systems of the victims, locking them out of critical data, including patient records in Britain.
“Something like this was always inevitable, ” said Brian Lord, a former deputy director for intelligence and cyber operations at Government Communications Headquarters, Britain’s equivalent to the N. S. A.
“It was well thought-out, well timed and well coordinated, ” he added. “But, fundamentally, there is nothing unusual about its delivery. It is still fundamentally robbery and extortion.”
While American companies like FedEx said they had been hit by the attack, experts said that people in the United States had so far been less affected than others worldwide after a British cybersecurity researcher accidentally stopped the current ransomware attack from spreading more widely.
The attackers, who have yet to be identified, had included a so-called kill switch in their attack, which stops the malware from spreading if the virus makes an online request to a specific website. If the site is online, then the immediate attack stop spreading, experts said.
Yet, when the 22-year-old British researcher, who confirmed his involvement but insisted on anonymity because he did not want the public scrutiny, saw that the kill switch’s domain name — a long and complicated set of letters — had yet to be registered, he bought it himself, accidentally shutting down the hacking attack before it could fully spread to the United States.
“The kill switch is why the U. S. hasn’ t been touched so far, ” said Matthieu Suiche, founder of Comae Technologies, a cybersecurity company in the United Arab Emirates. “But it’s only temporary. All the attackers would have to do is create a variant of the hack with a different domain name. I would expect them to do that.”
The severity of the attacks in developing countries like Russia, China and India also highlighted the problem of illegally copied software, which tends to be more vulnerable to malware like the one that spread globally on Friday and Saturday.
Yet even users of authentic software who had not installed a recent security update would have been vulnerable, underscoring the susceptibility of networks around the world to hackers and opportunists.
Illegal copying of software has long been rampant in China. Microsoft and other Western companies have complained for years that the large majority of computers running their software were using pirated versions. After this attack, Microsoft issued a new patch for all Windows.
The spread of hacking attacks in recent years has made original versions of software more popular, as they typically provide automatic updates of security upgrades. But Edward Snowden’s release of extensive information about hacking by the United States government — much of which was aimed at monitoring China’s rapid military buildup — has alarmed the Chinese leadership.
It also accelerated a broad push to develop Chinese-brand software and hardware that is difficult for Western intelligence agencies to penetrate but still allows comprehensive monitoring of the population by Chinese security agencies.
With a large number of computers running old versions of Windows and a tendency to avoid paying for security software, China has become one of the world’s hotbeds of malware and hackers for hire. News of the virus was trending on Weibo, the country’s Twitter-like service, though reports of the impact were largely isolated to universities. China may have been spared a worse outbreak partly because the virus spread via email; many in China prefer to use messaging services instead.
A study last year by the Software Alliance, a trade association of vendors, found that a third of the software running on computers worldwide in 2015 was not properly licensed and had apparently been pirated.
