(Bloomberg) --An unrivaled global cyber-attack is poised to continue claiming victims, even as U.K. health facilities whose systems were crippled early in the assault are returning to normal operation.

Additional disruptions are possible as people return to work Monday and turn on their desktop systems, Europol Executive Director Rob Wainwright said on ITV’s “Peston on Sunday” broadcast. More than 200,000 computers in more than 150 countries have so far been infected, according to the European Union’s law enforcement agency.

“At the moment, we’re in the face of an escalating threat,” Wainwright said.

The malware, using a technique purportedly stolen from the U.S. National Security Agency, affected the U.K.’s National Health Service, Russia’s Ministry of Interior, Germany’s Deutsche Bahn rail system, automakers Nissan Motor Co. and Renault SA, logistics giant FedEx Corp., and other company and hospital computer systems in countries from Eastern Europe to the U.S. and Asia.

The hackers used the tool to encrypt files within affected computers, making them inaccessible, and demanded ransom -- typically $300 in bitcoin. Russia and Ukraine had a heavy concentration of infections, according to Dutch security company Avast Software BV.

“We’ve seen the rise of ransomware becoming the principal threat, I think, but this is something we haven’t seen before -- the global reach is unprecedented,” Wainwright said.

The impact may spread, the U.K.’s National Cyber Security Centre said in a statement on Sunday: “As a new working week begins it is likely, in the U.K. and elsewhere, that further cases of ransomware may come to light, possibly at a significant scale.”

Normal Operations About 97 percent of U.K. facilities and doctors disabled by the attack were back to normal operation, Home Secretary Amber Rudd said Saturday after a government meeting. At the height of the attack Friday and early Saturday, 48 organizations in the NHS were affected, and hospitals in London, North West England and Central England urged people with non-emergency conditions to stay away as technicians tried to stop the spread of the malicious software.

“There will be lessons to learn from what appears to be the biggest criminal cyber-attack in history,” Rudd said in response to a letter from Jonathan Ashworth, the shadow secretary of state for health.

The initial attack was stifled when a security researcher disabled a key mechanism used by the worm to spread, but experts said the hackers were likely to mount a second attack because so many users of personal computers with Microsoft Corp. operating systems couldn’t or didn’t download a security patch released in March that Microsoft had labeled “critical.”

Microsoft said in a blog post Saturday that it was taking the “highly unusual“ step of providing the patch for older versions of Windows it was otherwise no longer supporting, including Windows XP and Windows Server 2003.

Matt Suiche, founder of United Arab Emirates-based cyber security firm Comae Technologies, said he’s seen a variant on the original malware that still contains a kill-switch mechanism -- though future versions could find a way to overcome it. “We are lucky that this logic bug is still present,” Suiche said.

The Good Guys Can Have the Upper Hand on Cybersecurity

Victims have paid about $30,000 in ransom so far, with the total expected to rise substantially next week, said Tom Robinson, chief operating officer and co-founder of Elliptic Enterprises Ltd., a ransomware consultant that works with banks and companies in the U.K., U.S. and Europe. Robinson, in an interview by email, said he calculated the total based on payments tracked to Bitcoin addresses specified in the ransom demands.

Last year an acute-care hospital in Hollywood paid $17,000 in bitcoin to an extortionist who hijacked its computer systems and forced doctors and staff to revert to pen and paper for record-keeping.

Hospitals are also fertile ground for identity thieves because of their often-lax security policies. Bloomberg Businessweek wrote in 2015 about a spate of malware infections at hospitals where radiological machines, blood-gas analyzers and other devices were compromised and used to siphon off the personal data of patients.

Business Targets A spokesman for Spain’s Telefonica SA said the hack affected some employees at its headquarters, but the phone company is attacked frequently and the impact of Friday’s incident wasn’t major. FedEx said it was “experiencing interference,” the Associated Press reported.

Renault halted production at some factories to stop the virus from spreading, a spokesman said Saturday, while Nissan’s U.K. car plant in Sunderland, in northeast England, was affected without causing any major impact on business, an official said.

In Germany, Deutsche Bahn faced “technical disruptions” on electronic displays at train stations, but travel was unaffected, the company said in a statement on its website. Newspaper reports showed images of a ransomware message on display screens blocking train information.

Russia’s Interior Ministry, with oversight of the police forces, said about “1,000 computers were infected,” which it described as less than 1 percent of the total, according to its website.

Indonesia’s government reported two hospitals in Jakarta were affected.

While any sized company could be vulnerable, many large organizations with robust security departments would have prioritized the update that Microsoft released in March and wouldn’t be vulnerable to Friday’s attack.

Users Tricked Ransomware is a particularly stubborn problem because victims are often tricked into allowing the malicious software to run on their computers, and the encryption happens too fast for security software to catch it. Some security expects calculate that ransomware may bring in as much as $1 billion a year in revenue for the attackers.

The attack was apparently halted in the afternoon in the U.K. when a researcher took control of an Internet domain that acted as a kill switch for the worm’s propagation, according to Ars Technica.

“I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental,” wrote the researcher, who uses the Twitter name @MalwareTechBlog. “So long as the domain isn’t revoked, this particular strain will no longer cause harm, but patch your systems ASAP as they will try again.”

There is a high probability that Russian-language cybercriminals were behind the attack, said Aleks Gostev, chief cybersecurity expert for Kaspersky Labs.

“Ransomware is traditionally their topic,” he said. “The geography of attacks that hit post-Soviet Union most also suggests that."

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access