An unrivalled global cyberattack is poised to continue claiming victims, even as UK health facilities whose systems were crippled early in the assault are returning to normal operation.

Additional disruptions are possible as people return to work Monday and turn on their desktop systems, Europol executive director Rob Wainwright said on ITV’s Peston on Sunday broadcast. More than 200 000 computers in more than 150 countries have so far been infected, according to the European Union’s law enforcement agency.

“At the moment, we’re in the face of an escalating threat,” Wainwright said.

The malware, using a technique purportedly stolen from the US National Security Agency, affected the UK’s National Health Service, Russia’s ministry of interior, Germany’s Deutsche Bahn rail system, car makers Nissan and Renault, logistics giant FedEx, and other company and hospital computer systems in countries from Eastern Europe to the US and Asia.

The hackers used the tool to encrypt files within affected computers, making them inaccessible, and demanded ransom — typically US$300 in bitcoin. Russia and Ukraine had a heavy concentration of infections, according to Dutch security company Avast Software.

“We’ve seen the rise of ransomware becoming the principal threat, I think, but this is something we haven’t seen before — the global reach is unprecedented,” Wainwright said.

About 97% of UK facilities and doctors disabled by the attack were back to normal operation, home secretary Amber Rudd said on Saturday after a government meeting. At the height of the attack on Friday and early Saturday, 48 organisations in the NHS were affected, and hospitals in London, north west England and central England urged people with non-emergency conditions to stay away as technicians tried to stop the spread of the malicious software.

“There will be lessons to learn from what appears to be the biggest criminal cyberattack in history,” Rudd said in response to a letter from Jonathan Ashworth, the shadow secretary of state for health.

The initial attack was stifled when a security researcher disabled a key mechanism used by the worm to spread, but experts said the hackers were likely to mount a second attack because so many users of personal computers with Microsoft operating systems couldn’t or didn’t download a security patch released in March that Microsoft had labelled “critical”.

Microsoft said in a blog post on Saturday that it was taking the “highly unusual” step of providing the patch for older versions of Windows it was otherwise no longer supporting, including Windows XP and Windows Server 2003.

Victims have paid about $30 000 in ransom so far, with the total expected to rise substantially next week, said Tom Robinson, chief operating officer and co-founder of Elliptic Enterprises, a ransomware consultant that works with banks and companies in the UK, the US and Europe. Robinson, in an interview by e-mail, said he calculated the total based on payments tracked to bitcoin addresses specified in the ransom demands. — (c) 2017 Bloomberg LP