The massive malware cyberattack that has struck an estimated 300,000 computers worldwide showed signs of slowing down Monday.
But cybersecurity experts cautioned that new versions of the virus could still emerge.
Thousands more were impacted by the virus on Monday, many in Asia, where businesses were originally closed when the ransomware first began to spread like wildfire across 150 countries on Friday.
John Miller, a manager of threat intelligence cybersecurity company FireEye, told NBC News the company was detecting new versions.
“We have seen a couple new variants come out and it has actually been unclear if those are by the original authors,” he said, adding that some appeared to be by third parties.
The malware, called “WannaCry,” swept computers worldwide, locking up most of the files on infected machines and demanding ransom payments of $300 to $600 in exchange for unlocking them.
The cyberattack impacted a slew of businesses as governments around the world, from hospital systems in the United Kingdom, Russia’s interior ministry, FedEx in the U.S., Germany’s rail network, a Spanish telecommunications operator and major companies in Asia.
Tom Bossert, homeland security adviser to President Donald Trump, said infection rates slowed over the weekend. He added that no U.S. federal systems have been affected.
On Monday, the United Kingdom’s National Crime Agency Director General Lynne Owens said, “As things stand, there is no indication of a second surge of cases here in the UK.
“But that doesn’t mean there won’t be one,” she said, adding, “We’re trawling through huge amounts of data associated with the attack and identifying patterns."
In Asia, the virus spread to large companies in Japan and institutions across China, but its impact was not as wide as some experts previously feared.
Chinese state media, citing internet security services company Qihoo 360, reported on Monday that more than 29,000 institutions including universities, railway stations, hospitals and gas stations were affected.
A representative from Qihoo 360 told NBC News that 2 million of its 500 million users in China were affected by the malware, and that they released a special patch for people to download for their own protection.
The malware’s spread had been somewhat contained after a British researcher, identified as Marcus Hutchins, found a way to temporarily halt it on Saturday.
Hutchins has been hailed as an “accidental hero” for stopping the spread of the bug, after identifying the domain name in the malware virus and purchasing the site, which acted as a “kill switch,” according to ITV News.
Hutchins told NBC News that he purchased the site to track the malware virus — not realizing it would stop it from spreading further.
Miller said one new version of the malware used a slightly different domain from the original virus, but that the new domain was registered as well, acting as the kill switch.
Miller said the ebbing of the virus’ spread on Monday was largely due to the registering of those kill switch domains, and companies having time to assess and respond to the cyber threat.
Miller warned that companies should still be vigilant and that new versions of the virus are lurking.
“I think it’s something that people definitely need to be paying close attention to at the moment, it would be really disruptive and kind of resume the large scale damage if a version was released that circumvented the kill switch functionality entirely and was entirely functional,” he said.
The malware acts like a worm, finding security holes in a computer to spread throughout a network and exploiting a vulnerability in Microsoft operating systems, especially those with outdated software. Microsoft said it has been pushing out special automatic updates to those older systems in order to block the virus.
Adam Meyers, the vice president of intelligence at cybersecurity firm Crowdstrike, told MSNBC on Monday that what made the virus “so dangerous” was its ability to spread by itself.
“In most previous cases you would actually get an email. You would have to click on that email or click on a link and you'd become infected,” Meyers said. “In this case, it can actually spread from computer-to-computer by itself.”
Miller said that while Europe appeared to be "ground zero" for the malware, they still had no clear indication of who was behind the attack.
"There’s just been so much re-propagation," he said, adding, "It appears to pretty much be a global problem at this point."
Microsoft President Brad Smith said Sunday that the attack used exploits stolen from the National Security Agency earlier this year.
"This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem," Smith wrote on the Microsoft blog.
A former senior NSA official who still consults with the agency told NBC News on Monday that the ransomware epidemic was the result of a vulnerability identified and stockpiled by the NSA and that became public when it leaked.
The NSA releases about 90 to 95 percent of the software vulnerabilities it discovers, he said, but it sits on the rest for use in its hacking and spying activities. In other words, it doesn't tell the public about software holes that make them vulnerable to hackers — so it can exploit those weaknesses to spy on foreigners for the United States.
In this case, after it learned of the leak, the NSA warned Microsoft and other companies, the official said. Microsoft released a patch in March.
The problem is that not everybody patches, and those running outdated systems may not even be able to.