Details emerge on how Russian-linked gang staged biggest ransomware attack

The single biggest ransomware attack yet continued to bite Monday as more details emerged on how a Russia-linked gang breached the software company whose product was exploited. The criminals essentially used a tool that helps protect against malware to spread it globally.

Thousands of organizations — largely firms that remotely manage the IT infrastructure of others — were infected in at least 17 countries in Friday’s assault. Kaseya, whose product was exploited, said Monday that they include several just returning to work.

Because the attack by the notorious REvil gang came just as a long Fourth of July weekend began, many more victims were expected to learn their fate when they return to the office Tuesday.

REvil is best known for extorting $11 million from the meat processor JBS last month. Security researchers said its ability to evade anti-malware safeguards in this attack and its apparent exploitation of a previously unknown vulnerability on Kaseya servers reflect the growing financial muscle of REvil and a few dozen other top ransomware gangs whose success helps them afford the best digital burglary wares. Such criminals infiltrate networks and paralyze them by scrambling data, extorting their victims.

REvil was seeking $5 million payouts from the so-called managed service providers that were its principal downstream targets in this attack, apparently demanding much less — just $45,000 — from their afflicted customers.

But late Sunday, it offered on its dark web site to make available a universal decryptor that would unscramble all affected machines if it’s paid $70 million in cryptocurrency. Some researchers considered the offer a PR stunt, while others thought it indicates the criminals have more victims than they can manage.

Sweden may be hardest hit — or at least most transparent about the damage. Its defense minister, Peter Hultqvist, bemoaned in a TV interview “how fragile the system is when it comes to IT security.” Most of the Swedish grocery chain Coop’s 800 stores were closed for a third day, their cash registers crippled. A Swedish pharmacy chain, gas station chain, the state railway and public broadcaster SVT also were hit.

A wide array of businesses and public agencies were affected, including in financial services and travel, but few large companies were hit, the cybersecurity firm Sophos said. The United Kingdom, South Africa, Canada, Argentina, Mexico, Indonesia, New Zealand and Kenya were among countries affected, researchers said.

