WannaCry paralysed computers running mostly older versions of Microsoft Windows in some 150 countries. It encrypted users' computer files and displayed a message demanding anywhere from US$300 to US$600 to release them; failure to pay would leave the data mangled and likely beyond repair.
A cybersecurity researcher in Britain managed to slow down its spread by activating the software's "kill switch," but there were fears that the cybercriminals would release even more malicious versions.
Steve Grobman of the security company McAfee said forensics experts are looking at how the ransomware was written and how it was run. WannaCry is a sophisticated piece of work, he said, which helps rule out the possibility it was released by mere pranksters or lower-level thieves.
As for anonymous bitcoin transactions, he said, it is sometimes possible to follow them until an identifiable person is found.
So far, not many people have paid the ransom, said Jan Op Gen Oorth, a spokesman for Europol, the European police agency.
Eiichi Moriya, a cybersecurity expert and professor at Japan's Meiji University, warned that paying the ransom would not guarantee a fix.
"You are dealing with a criminal," he said. "It's like after a robber enters your home. You can change the locks, but what has happened cannot be undone."
Meanwhile, automaker Renault decided not to reopen a 3,500-employee plant in France on Monday as a "preventative step." Lebanon's central bank temporarily suspended electronic transactions as a precaution.
In Britain, many hospitals and clinics that are part of the country's national health service were still having computer problems. Patients have had to be turned away because their records were inaccessible.
In the U.S., where the effects haven't appeared to be widespread, investigators believe additional companies have been attacked but have not yet come forward to report it, a law enforcement official told The Associated Press. The official was not authorized to speak publicly about the investigation.
In China, state media said more than 29,000 institutions there had been infected along with hundreds of thousands of devices. Universities and other schools were among the hardest hit. Railway stations, mail delivery, gas stations, hospitals, office buildings, shopping malls and government services were also said to be affected.
In Japan, companies such as Hitachi and Nissan reported problems but said their operations had not been seriously affected. In Indonesia, the ransomware locked patient files on computers in two hospitals in the capital, Jakarta, causing delays.
Experts urged organisations and companies to immediately update older Microsoft operating systems, such as Windows XP, with a patch released by the company.