Two days after a National Security Agency-derived ransomware worm infected 200,000 computers in 150 countries, Microsoft on Sunday criticized the stockpiling of exploits by government spies, warning it results in damage to civilians.

The unusually blunt message from Microsoft President and Chief Legal Officer Brad Smith came after a weekend of tense calm, as security professionals assessed damage from Friday's outbreak and braced themselves for the possibility of follow-on attacks that might be harder to stop. It also came 24 hours after Microsoft took the highly unusual step of issuing patches that immunize Windows XP, 8, and Server 2003, operating systems the company stopped supporting as many as three years ago.

Sunday's salvo tacitly noted the NSA's key role in Friday's attack, which copied almost verbatim large sections of two highly advanced hacking tools that were stolen from the NSA and leaked to the world at large last month by a mysterious group calling itself Shadow Brokers. In the post, Smith wrote:

Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.

The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new "Digital Geneva Convention" to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. And it’s why we’ve pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality. This weekend, whether it’s in London, New York, Moscow, Delhi, Sao Paulo, or Beijing, we’re putting this principle into action and working with customers around the world.

We should take from this recent attack a renewed determination for more urgent collective action. We need the tech sector, customers, and governments to work together to protect against cybersecurity attacks. More action is needed, and it’s needed now. In this sense, the WannaCrypt attack is a wake-up call for all of us.

We recognize our responsibility to help answer this call, and Microsoft is committed to doing its part.

Follow-on attacks

As Ars reported on Friday, the outbreak borrowed heavily from an NSA exploit codenamed EternalBlue, which targeted a vulnerability found in Server Message Block code built into all modern versions of Windows except for Windows 10. In a matter of hours, infected hospitals started turning away patients, compromised video displays in train stations and apartment buildings locked up, and banks, delivery companies, and manufacturers disconnected computers, either because they no longer had access to crucial data or out of fear they might become infected.

The worm was effectively contained when a researcher, largely on a whim, registered a domain name he found included in the self-replicating Windows exploit that delivered ransomware known as WCry. It turned out that registration of the domain activated a killswitch that was built into the worm. Smith's criticism came as security professionals around the world prepared for a possible new round of attacks on Monday that some said might be fiercer. What if new attacks, they worried, were launched that exploited the same vulnerabilities but couldn't be stopped as easily as Friday's version?

In the 48 hours since, there have been several follow-on attacks. One was quickly neutralized because it too had a domain-name-activated killswitch hardcoded into it. In the day since Matt Suiche, a researcher and founder of Comae Technologies, registered the address, he has stopped about 10,000 infected computers, mostly from Russia, from spreading the attack.

Another follow-on found on VirusTotal was potentially more of a threat because it contained no killswitch. Fortunately, it has not yet been seen infecting people in the wild. Interestingly, the variant also has a corrupted payload file. As a result, the self-replicating delivery mechanism works, but the attached ransomware doesn't successfully install. Suiche of Comae has published a fuller blow-by-blow of the 24 hours.

For the foreseeable future, much of the world will be watching uncomfortably to see what happens in the coming days and weeks. Friday's events made clear that there are enough unpatched machines in the world to trigger meltdowns in critical industries such as health and finance. As long as computers remain vulnerable, the very real risk of copycat attacks isn't going away.