A hooded man holds a laptop computer as blue screen with an exclamation mark is projected on him in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel/Illustration

By Guy Faulconbridge and Dustin Volz

LONDON/WASHINGTON (Reuters) - The global WannaCry "ransomware" cyber attack spread more slowly on Monday with no major infections reported, as attention shifted to investment and government policy implications of lax cyber security.

There were 213,000 infected machines in 112 countries as of 1000 GMT on Monday, according to Czech security firm Avast, making it one of the largest coordinated attacks to hit computers across the world.

The countries most affected by WannaCry were the same as Friday: Russia, Taiwan, Ukraine and India, Avast's data showed.

The number of infections has fallen dramatically since Friday’s peak when more than 9,000 computers were being hit per hour. By afternoon on the U.S East Coast, new infections had fallen to the low hundreds of machines and continue to decline, Avast said.

Earlier on Monday, Chinese traffic police and schools reported they had been targeted as the attack rolled into Asia for the new work week, but no there were no major disruptions.

Authorities in Europe and the United States turned their attention to preventing hackers from spreading new versions of the virus.

Tom Bossert, U.S. President Donald Trump's homeland security adviser, said people "should be thinking about this as an attack that for right now we have under control, but as an attack that represents an extremely serious threat," speaking on ABC's "Good Morning America" show.

Shares in firms that provide cyber security services jumped on the prospect of companies and governments spending more money on defenses, led by Israel's Cyren Ltd and U.S. firm FireEye Inc..

Cisco Systems rose 2.8 percent, making it the leading gainer in the Dow Jones Industrial Average, which was up more than 100 points in afternoon trading, as investors focused more on opportunities the attack presented rather than the risk it posed to corporations.

The perpetrators of the attack are still not known. Bossert said that while U.S. officials had not ruled out the possibility that it was a "state action," he said it appeared to be criminal, given the ransom requests.

Some victims were ignoring official advice and paying the $300 ransom demanded by the cyber criminals to unlock their computers, which was due to double to $600 on Monday for computers hit by Friday's first wave.

So far only a few victims of the attack appeared to have paid, based on publicly available bitcoin accounts on the web, where victims have been instructed to pay.

The initial ransom demand was $300 per machine. Three days after becoming infected the demand doubles. Starting on Monday, the first victims began facing demands of $600 to unlock their machines.

This coming Friday, victims face being locked out of their computers permanently if they fail to pay the $600 ransom, said Tom Robinson, co-founder of Elliptic, a London-based private security company that investigates ransomware attacks.

As of 1400 GMT, the total value of funds paid into anonymous bitcoin wallets the hackers are using stood at just $55,169, from 209 payments, according to calculations made by Reuters using publicly available data.

Brian Lord, managing director of cyber and technology at cyber security firm PGI, said victims had told him "the customer service provided by the criminals is second-to-none," with helpful advice on how to pay: "One customer said they actually forgot they were being robbed."

Companies and governments spent the weekend upgrading software to limit the spread of the virus. Monday was the first big test for Asia, where offices had already mostly been closed for the weekend before the attack first arrived.

Renault-Nissan said output had returned to normal at nearly all its plants. PSA Group, Fiat Chrysler, Volkswagen, Daimler, Toyota and Honda said their plants were unaffected.

British media were hailing as a hero a 22-year-old computer security whiz who appeared to have helped stop the attack from spreading by discovering a "kill switch" - an internet address which halted the virus when activated.

Individual European countries and the United States saw infections at a rate of only 10 percent to 20 percent of the most affected countries, according to the researcher who stumbled on the “kill switch.”

The virus hit computers running older versions of Microsoft Corp software that had not been recently updated. Microsoft released patches last month and on Friday to fix a vulnerability that allowed the worm to spread across networks. The company's shares were down about 1 percent on Monday, in a slightly higher broad market.

Story continues