The initial attack, known as "WannaCry", paralyzed computers running Britain's hospital network, Germany's national railway and scores of other companies and government agencies around the world.
Following the theft of the exploit, Microsoft released a security update to patch the vulnerability, however many computers remained unpatched and were hit as a result.
Companies and institutions are often slow to update their computers because it can screw up internal software that is built to work with a certain version of Windows. It has attacked hundreds of thousands of computers, security experts say, from hospital systems in the United Kingdom and a telecom company in Spain to universities and large companies in Asia.
"You are dealing with a criminal", he said. You can change the locks but what has happened cannot be undone.
Organisations were discouraged from paying the ransom, as it was not guaranteed that access would be restored.
Ryan Kalember, senior vice president at Proofpoint Inc. which helped stop its spread, said the version without a kill switch was able to spread but was benign because it contained a flaw that wouldn't allow it to take over a computer and demand ransom to unlock files.
"I still expect another to pop up and be fully operational", Kalember said.
The attack held users hostage by freezing their computers, popping up a red screen with the words, "Oops, your files have been encrypted!" and demanding money through online bitcoin payment - $300 at first, rising to $600 before it destroys files hours later.
The infected computers are largely out-of-date devices that organisations deemed not worth the price of upgrading or, in some cases, machines involved in manufacturing or hospital functions that proved too hard to patch without disrupting crucial operations.
The NSA is widely believed to have developed the hacking tool that was leaked and used for the ransomware attack.
May 15 British technology experts worked through the night to patch the computer systems of the health service after the ransomware worm forced dozens of hospitals to cancel some operations and appointments, Security Minister Ben Wallace said on Monday.
"The numbers are still going up", Wainwright said.
"We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the USA military intelligence organisation National Security Agency (NSA) has affected customers around the world", Smith wrote. The cyber sleuths agency advised users to apply patches to their Windows systems in order to prevent its infection and spread.
"Right now, just about every IT department has been working all weekend rolling this out", said Dan Wire, spokesman at Fireeye Security.