Security software company Kaspersky Lab has suggested that the WannaCry ransomware has now snared more than 200,000 victims since it was unleashed on Friday morning.
Costin Raiu, the company's director of research and analysis, said that an accurate picture can be seen by examining the 'sinkhole' created by MalwareTech, which is collecting redirections from the 'kill switch' code, and has registered about 200,000 hits.
"This number does not include infections inside corporate networks where a proxy server is required for connecting to the internet, meaning that the real number of victims might easily be larger," he said.
According to Raiu, the slowdown of attacks since Friday "suggests the infection may be coming under control", although new variants had surfaced over the weekend.
Raiu said that the company does not believe any of the new WannaCry variants were created by the original authors. Instead, it said that they were most likely thrown together by other actors who were keen to exploit the attack for their own ends.
The first new variant started spreading on Sunday morning at around 02.00 GMT, and was patched to connect to a different domain - Kaspersky has noted three victims of this variant who are located in Russia and Brazil.
The second variation has been patched to remove the so-called 'kill switch', but Kaspersky believes it isn't spreading because it could have a bug.
Raiu also suggested that the attackers made about $20,000 during the first 24 hours of the attack, and that most of the bitcoin payments the attackers would receive would come within the first two days of the first attack.
After day three, the sum demanded by the original WannaCry 2.0 unleashed on Friday doubles from $300 in bitcoin to $600.
According to Kaspersky, there were around 500 new attempted WannaCry attacks sighted across Kaspersky Lab's customer base on Monday morning when organisations in Europe opened for business. However, this is far lower than the number of attempted attacks it saw last Friday.
The organisation said that between 06.00 GMT and lunchtime today, the company had noted 500 attempts on its customers, but by comparison, on Friday 12, there were six times as many attempts - or more than 3,000 - during the first hour alone.
In total, the company said that more than 45,000 users had been attacked, but that this represented only a fraction of the total number of attacks because it only had data on its own customer base.
It added that it was difficult to accurately estimate the total number of infections.