The global WannaCry ransomware attack spread more slowly on Monday with no major infections reported, as attention shifted to investment and government policy implications of lax cyber security.
There were 213,000 infected machines in 112 countries as of 1000 GMT on Monday, according to Czech security firm Avast, making it one of the largest coordinated attacks to hit computers across the world.
The countries most affected by WannaCry were the same as Friday: Russia, Taiwan, Ukraine and India, Avast's data showed.
The number of infections has fallen dramatically since Friday’s peak when more than 9000 computers were being hit per hour. By afternoon on the US East Coast, new infections had fallen to the low hundreds of machines and continue to decline, Avast said.
Earlier on Monday, Chinese traffic police and schools reported they had been targeted as the attack rolled into Asia for the new work week, but no there were no major disruptions.
Authorities in Europe and the United States turned their attention to preventing hackers from spreading new versions of the virus.
Tom Bossert, US President Donald Trump's homeland security adviser, said people "should be thinking about this as an attack that for right now we have under control, but as an attack that represents an extremely serious threat".
Shares in firms that provide cyber security services jumped on the prospect of companies and governments spending more money on defenses, led by Israel's Cyren and US firm FireEye.
Cisco Systems rose 2.8 percent, making it the leading gainer in the Dow Jones Industrial Average, which was up more than 100 points in afternoon trading, as investors focused more on opportunities the attack presented rather than the risk it posed to corporations.
The perpetrators of the attack are still not known. Bossert said that while US officials had not ruled out the possibility that it was a "state action," he said it appeared to be criminal, given the ransom requests.
Some victims were ignoring official advice and paying the US$300 ransom demanded by the cyber criminals to unlock their computers, which doubles to US$600 after three days.
So far only a few victims of the attack appeared to have paid, based on publicly available bitcoin accounts on the web, where victims have been instructed to pay.
As of 1400 GMT, the total value of funds paid into anonymous bitcoin wallets the hackers are using stood at just US$55,169 from 209 payments.
Brian Lord, managing director of cyber and technology at cyber security firm PGI, said victims had told him "the customer service provided by the criminals is second-to-none," with helpful advice on how to pay: "One customer said they actually forgot they were being robbed."
Companies and governments spent the weekend upgrading software to limit the spread of the virus. Monday was the first big test for Asia, where offices had already mostly been closed for the weekend before the attack first arrived.
Renault-Nissan said output had returned to normal at nearly all its plants. PSA Group, Fiat Chrysler, Volkswagen, Daimler, Toyota and Honda said their plants were unaffected.
British media were hailing as a hero a 22-year-old computer security whiz who appeared to have helped stop the attack from spreading by discovering a "kill switch" - a domain which halted the virus when activated.
The US senate intelligence committee is monitoring the attack and expects to receive a briefing in the coming days from the Trump administration, a panel aide said.
In a blog post on Sunday, Microsoft president Brad Smith surfaced a long-running debate over how government intelligence services should balance their desire to keep software flaws secret - in order to conduct espionage and cyber warfare - against sharing those flaws with technology companies to better secure the internet.
Russian President Vladimir Putin, noting the technology's link to the US NSA, said it should be "discussed immediately on a serious political level."
"Once they're let out of the lamp, genies of this kind, especially those created by intelligence services, can later do damage to their authors and creators," he said.
In Britain, where the virus first raised global alarm when it caused hospitals to divert ambulances on Friday, it gained traction as a political issue just weeks before a general election. The opposition Labour Party accused the Conservative government of leaving the National Health Service (NHS) vulnerable.
"The government's response has been chaotic," the British Labour Party's health spokesman Jon Ashworth said. "If you're not going to allow the NHS to invest in upgrading its IT, then you are going to leave hospitals wide open to this sort of attack."
Britain's NHS is the world's fifth-largest employer after the US and Chinese militaries, Wal-Mart Stores and McDonald's. The government says that under a previous Labour administration the trusts that run local hospitals were given responsibility to manage their own computer systems.
British health minister Jeremy Hunt said on Monday it was "encouraging" that a predicted second spike of attacks had not occurred, but the ransomware was a warning to public and private organisations.
China appeared over the weekend to have been particularly vulnerable, raising worries about how well the world's second-largest economy would cope. However, officials and security firms said the spread was starting to slow.
"The growth rate of infected institutions on Monday has slowed significantly compared to the previous two days," said Chinese security company Qihoo 360.
An official from Cybersecurity Administration China (CAC) said the ransomware had affected industry and government computer systems but the spread was slowing.
Energy giant PetroChina said payment systems at some petrol stations were hit although it had restored most of the systems.
Elsewhere in Asia, Hitachi said the attack had affected its systems over the weekend, leaving them unable to receive and send emails or open attachments in some cases.
At Indonesia’s biggest cancer hospital, Dharmais Hospital in Jakarta, attacks affected scores of computers. By late morning, some people were still manually filling out forms, but 70 percent of systems were online.
The Indian government said it received only a few reports of attacks and urged those hit not to pay any ransom. No major Indian corporations reported disrupted operations.