The messages include the ransom demand, $300 in bitcoin, and instructions for recovering files.
F-Secure on Friday says it's gotten reports from more than 60 countries.
The program is called "Wanna Decrypt0r 2.0" and appears to support 28 languages, underscoring the global ambitions of its creators, said cybersecurity experts.
The exploit initially hit Russia, Taiwan and Spain the hardest, according to security companies.
A researcher who identified himself as MalwareTech and works for Kryptos logic stopped the attack. "It's one of the first times we've seen a large worldwide global campaign", said Chris Camacho, chief strategy officer for Flashpoint, a cyber-intelligence company. She said the ministry's servers haven't been affected.
It said those organizations who have not yet applied the security update should immediately deploy Microsoft Security Bulletin MS17-010.
Avast was cited by the BBC as saying that it had seen 75,000 cases of the ransomware around the world, and the tools of the cyberattack are believed to have been stolen from the U.S. National Security Agency (NSA).
Microsoft has released fixes for vulnerabilities and related tools disclosed by TheShadowBrokers, a mysterious group that has repeatedly published alleged NSA software code.
Users of old Windows systems can now download a patch to protect them from this week's massive ransomware attack.
Here are things to know about the ransomware attack.
Nachreiner also recommended organizations invest in advanced malware protection, and build up a multi-layered defense to cyber attacks.
NEW YORK The cyberextortion attack hitting dozens of countries spread quickly and widely thanks to an unusual confluence of factors: a known and highly unsafe security hole in Microsoft Windows, tardy users who didn't apply Microsoft's March software fix, and a software design that allowed the malware to spread quickly once inside university, business and government networks.
SYRIA: De-escalation zones chance for rebels to reconcile, says Assad
Over the past six years, Moscow and Washington have sparred multiple times over the conflict in Syria, especially concerning Assad's fate.
"There's nothing you can do but pay once you're hit", Camacho said.
The National Cyber Security Center said it is "aware of a cyberincident".
Jan Op Gen Oorth, spokesman for the Netherlands-based Europol, said the number of individuals who have fallen victim to the cyberextortion attack could be much higher.
How does the ransomware attack happen?
Romania's intelligence service says it has intercepted an attempted cyberattack on a government institution which it said likely came from cybercriminal group APT28 also known as Fancy Bear. The only way to prevent this attack was to have already installed the update.
The statement said there were thousands of cyberattacks daily "and Romania is no exception". But there's no evidence so far that patient data has been accessed, NHS Digital said. The attack was first reported in Sweden, Britain and France. The vulnerability gave the hackers what amounted to a lock pick to the Microsoft software on computers that did not receive the update from the company or that used outdated operating systems.
The WannaCry ransomware is spread through hidden viruses linked in word documents and PDF files sent over email.
Microsoft usually charges a hefty fee to provide custom support for older versions of Windows - something that the United Kingdom government thought it could do without.
Late Friday, emergency security updates were released for Windows XP, Windows 8, and Windows Server 2003.
"This attack was not specifically targeted at the NHS and is affecting organisations from across a range of sectors".
The attack is causing canceled procedures and appointments at hospitals across England.