[reuters] two to make you cry
Dear Subscriber, a couple of quick sidebars I wrote on the WannaCry worm, which you're probably sick of reading about. First is a piece I co-authored on the victims, and how they coped, or didn't, and the second is about the puzzle that is the malware itself. Thoughts, story ideas etc, as welcome as ever. Unsub details at the bottom. I always love tweets -- just click on the headlines and mention @loosewire!
(Added bonus: me talking about WannaCry on Reuters TV.)
Jeremy
The WannaCry ransomware worm that hobbled big institutions and businesses at the weekend, including FedEx (FDX.N) and Britain's National Health Service, also indiscriminately caught many smaller victims across Asia, from hoteliers to Chinese students.
When MediaOnline, a firm that operates digital displays in Singapore shopping malls, noticed its displays were showing the ransomware's pop-up window on Saturday, it sent engineers to two malls, director Dennis So told Reuters.
The company's experience shows how the ransomware can sometimes be beaten without victims having to pay the $300 or so in bitcoin that hackers demand for a decryption key to unfreeze their computers.
MediaOnline's So said only 12 computers were affected as the network was isolated from both the firm's office network and those of the company running the malls, and its tenants. By replacing all the hard drives, reinstalling the operating system and downloading all Microsoft Windows (MSFT.O) updates, the computers were back up and running by early Monday, with So saying "no money or bitcoin was paid to the hackers."
At some larger organizations, it took longer.
At Jakarta's Dharmais Hospital, Indonesia's biggest cancer center, up to 200 people packed waiting rooms after cyber attacks hit scores of computers. By late Monday morning, some visitors were still filling out forms manually, though the hospital said 70 percent of its systems were back online.
The unknown hackers behind WannaCry don't appear so far to have been well rewarded for their global blitz, with about $50,000 worth of bitcoin transferred to the online wallets listed in the recent and earlier versions of the malware, according to bitcoin transaction tracker Elliptic Labs.
This may be partly because many of those infected, like MediaOnline, chose to restore their computer data from back-ups or by reinstalling the operating system. Others just held their breath.
LOST WORK
Yang Lin, a journalism student at China's Zhejiang University of Media and Communications, told Reuters she had just finished revising her thesis late on Friday and was closing Word on her desktop when all the Word icons blanked out, her screen went black and the hackers' message appeared.
"I was connected to the university network. I didn't open any link," she said. "I just cried. I was afraid to believe it, but had to accept it."
Yang said she thought about paying the ransom to unfreeze her computer, but gave up when she found out how much this would cost. Via a chat platform she discovered many of her friends faced the same problem.
She said she lost her literature review, foreign translations and thesis proposal, as well as films she had made over four years at college.
In Vietnam, hotel and restaurant manager Ngo Viet Yen said he was given 24 hours to pay 5 bitcoins (worth around $9,000) to save his files after his systems were infected on Friday. He didn't pay, and reckons he's lost around $2,000, and possibly more, as his staff revert to taking bookings, writing receipts and managing stock manually.
He noted that copyright infringement is widespread in Vietnam, and little is spent on system security.
"The number of computers updated to the latest version is very low," he said. "And the server is rarely updated because there will be more issues and it often slows the system. It's like: you only build a cage after losing your cows."
Others found that even paying the ransom didn't guarantee they'd get their data decrypted.
"We've seen some of our customers from the energy and health services who made the payment did not receive the decryption key in return," said Budiman Tsjin, senior technical consultant at RSA, the security division of EMC Corp.
(Reporting and writing by Jeremy Wagstaff, with additional reporting by Agustinus Da Costa in JAKARTA, Eric Auchard in FRANKFURT, Masuyuki Kitano in SINGAPORE, Engen Tham and SHANGHAI Newsroom, Jemima Kelly in LONDON and Mai Nguyen in HANOI; Editing by Ian Geoghegan)
The WannaCry malware that spread to more than 100 countries in a few hours is throwing up several surprises for cybersecurity researchers, including how it gained its initial foothold, how it spread so fast and why the hackers are not making much money from it.
Some researchers have found evidence they say could link North Korea with the attack, but others are more cautious, saying that the first step is shedding light on even the most basic questions about the malware itself.
For one thing, said IBM Security's Caleb Barlow, researchers are still unsure exactly how the malware spread in the first place. Most cybersecurity companies have blamed phishing e-mails - e-mails containing malicious attachments or links to files - that download the ransomware.
That's how most ransomware finds its way onto victims' computers.
The problem in the WannaCry case is that despite digging through the company's database of more than 1 billion e-mails dating back to March 1, Barlow's team could find none linked to the attack.
"Once one victim inside a network is infected it propagates," Boston-based Barlow said in a phone interview, describing a vulnerability in Microsoft Windows that allows the worm to move from one computer to another.
The NSA used the Microsoft flaw to build a hacking tool codenamed EternalBlue that ended up in the hands of a mysterious group called the Shadow Brokers, which then published that and other such tools online.
But the puzzle is how the first person in each network was infected with the worm. "It's statistically very unusual that we'd scan and find no indicators," Barlow said.
Other researchers agree. "Right now there is no clear indication of the first compromise for WannaCry," said Budiman Tsjin of RSA Security, a part of Dell.
Knowing how malware infects and spreads is key to being able to stop existing attacks and anticipate new ones. "How the hell did this get on there, and could this be repeatedly used again?" said Barlow.
PALTRY RANSOM
Some cybersecurity companies, however, say they've found a few samples of the phishing e-mails. FireEye said it was aware customers had used its reports to successfully identify some associated with the attack.
But the company agrees that the malware relied less on phishing e-mails than other attacks. Once a certain number of infections was established, it was able to use the Microsoft vulnerability to propagate without their help.
There are other surprises that suggest this is not an ordinary ransomware attack.
Only paltry sums were collected by the hackers, according to available evidence, mostly in the bitcoin cryptocurrency.
There were only three bitcoin wallets, and the campaign has so far earned only $50,000 or so, despite the widespread infections. Barlow said that single payments in some other ransomware cases were more than that, depending on the victim.
Jonathan Levin of Chainalysis, which monitors bitcoin payments, said there were other differences compared to most ransomware campaigns: for instance the lack of sophisticated methods used in previous cases to convince victims to pay up. In the past, this has included hot lines in various languages.
And so far, Levin said, the bitcoin that had been paid into the attackers' wallets remained there - compared to another campaign, known as Locky, which made $15 million while regularly emptying the bitcoin wallets.
"They really aren't set up well to handle their bitcoin payments," Levin said.
The lack of sophistication may bolster those cybersecurity researchers who say they have found evidence that could link North Korea to the attack.
A senior researcher from South Korea's Hauri Labs, Simon Choi, said on Tuesday the reclusive state had been developing and testing ransomware programs only since August. In one case, the hackers demanded bitcoin in exchange for client information they had stolen from a South Korean shopping mall.
Choi, who has done extensive research into North Korea's hacking capabilities, said his findings matched those of Symantec and Kaspersky Lab, who say some code in an earlier version of the WannaCry software had also appeared in programs used by the Lazarus Group, identified by some researchers as a North Korea-run hacking operation.
The Lazarus hackers have however been more brazen in their pursuit of financial gain than others, and have been blamed for the theft of $81 million from the Bangladesh central bank, according to some cybersecurity firms. The United States accused it of being behind a cyber attack on Sony Pictures in 2014.
Whoever is found to be behind the attack, said Marin Ivezic, a cybersecurity partner at PwC in Hong Kong, the way the hackers used freely available tools so effectively may be what makes this campaign more worrying.
By bundling a tool farmed from the leaked NSA files with their own ransomware, "they achieved better distribution than anything they could have achieved in a traditional way," he said.
"EternalBlue (the hacking tool) has now demonstrated the ROI (return on investment) of the right sort of worm and this will become the focus of research for cybercriminals," Ivezic said.
(Additional reporting Ju-Min Park in Seoul, Editing by Raju Gopalakrishnan)