The EU’s cyber security agency says criminals are using ransomware to cause chaos in airports around the world.

Several of Europe’s busiest airports have spent the past few days trying to restore normal operations, after a cyber-attack on Friday disrupted their automatic check-in and boarding software.

The European Union Agency for Cybersecurity, ENISA, told the BBC on Monday that the malicious software was used to scramble automatic check-in systems.

“The type of ransomware has been identified. Law enforcement is involved to investigate,” the agency said in a statement to news agency Reuters.

It’s not known who is behind the attack, but criminal gangs often use ransomware to seriously disrupt their victims’ systems and demand a ransom in bitcoin to reverse the damage.

The BBC has seen internal crisis communications from staff inside Heathrow Airport which urges airlines to continue to use manual workarounds to board and check in passengers as the recovery is ongoing.

Heathrow said on Sunday it was still working to resolve the issue, and apologised to customers who had faced delayed travel.

It stressed “the vast majority of flights have continued to operate” and urged passengers to check their flight status before travelling to the airport.

The BBC understands about half of the airlines flying from Heathrow were back online in some form by Sunday – including British Airways, which has been using a back-up system since Saturday.

The attack against US software maker Collins Aerospace was discovered on Friday night and resulted in disruption across several airports on Saturday.

While this had eased significantly in Berlin and London Heathrow by Sunday, delays and flight cancellations remained.

Brussels Airport, also affected, said the “service provider is actively working on the issue” but it was still “unclear” when the issue would be resolved.

They have asked airlines to cancel nearly 140 of their 276 scheduled outbound flights for Monday, according to the AP news agency.

Meanwhile, a Berlin Airport spokesperson told the BBC some airlines were still boarding passengers manually and it had no indication on how long the electronic outage would last.

It is understood that hackers behind the attack targeted a popular checking software called Muse.

Collins Aerospace has not explained what happened or told the public how long things will take to be resolved. The company is still referring to it as a ‘cyber incident’.

In a statement on Monday morning, the software provider said it was in the final stages of completing necessary software updates.

The internal memo sent to Heathrow staff, seen by the BBC, says more than a thousand computers may have been “corrupted” and most of the work to bring them back online is having to be done in person and not remotely.

The note also says that Collins rebuilt its systems and relaunched them only to realise the hackers were still inside the system.

In separate advice to airlines, Collins told staff not to turn off computers or log out of the Muse software if they were logged in.

The company declined to comment on the memo and its contents.

Ransomware attacks are a prolific problem for organisations around the country, with organised cyber crime gangs earning hundreds of millions of dollars from ransoms every year.

In April, UK retailer Marks and Spencer was hit by ransomware that cost it at least £400m to recover from and months of disruption. The company has declined to say if it paid attackers a ransom.

A spokesperson for the UK’s National Cyber Security Centre said on Saturday it was working with Collins Aerospace, affected UK airports, the Department for Transport and law enforcement to fully understand the impact of the incident.

Cyberattacks in the aviation sector have increased by 600% over the past year, according to a recent report by French aerospace company Thales.