Petya ransomware attack: How many victims are there really?

A day on from the initial reports of the ransomware attack, there are a number of different estimates of how many organisations have been infected.
Written by Danny Palmer, Senior Writer

Petya ransom note - just how many have had to see this?

Image: Symantec

The Petya ransomware outbreak has certainly caused problems for some high-profile organisations, including an airport and a major oil company, but estimating how wide its impact has actually been is harder.

The ransomware infections started with reports of some organisations in Ukraine falling victim to an "unknown virus", with the country's government, banks and more confirming they'd fallen victim to an attack that the Ukrainian Interior Ministry dubbed the biggest cyberattack in Ukraine's history.

Infections were quickly reported elsewhere, including in Russia, across Europe, North America and Australia, as authorities confirmed they were investigating a widespread ransomware attack.

The ransomware was able to bring whole organisations crashing to a halt because it uses the same EternalBlue NSA exploit for Windows that WannaCry used, which was leaked onto the open internet by the Shadow Brokers hacking group.

A day on from the initial Petya ransomware infections, it appears that Ukraine has seen the majority of infections, accounting for three quarters of known detections, according to researchers at security company ESET.

A number of attack vectors were used to distribute the ransomware throughout Ukraine, including one newly uncovered by Kaspersky Lab which saw users infected with a malicious file disguised as a Windows update.

Researchers suggest that a Ukrainian regional website was hacked and used to distribute the ransomware to visitors via a drive-by-download of the malicious file, which then presented itself as the Windows update.

Meanwhile, nine percent of known Petya detections are in Germany, six percent in Poland and three percent in Serbia, according to ESET. Despite high-profile incidents all around the world, around 60 other countries each account for under one percent of detections, it said.


Separate figures from Microsoft's Malware Protection Center suggest that 12,500 machines in Ukraine have encountered the threat. If we assume that this accounts for three quarters of infected computers, then the total known global figure currently stands at around 16,500.

While a large number of machines, that figure is lower than the number infected by WannaCry in the first 24 hours of its outbreak, which stood at 45,000 attacks in 74 countries.
WannaCry eventually ended up infecting 300,000 computers around the world.

Symantec threat intelligence suggests that about 150 organisations in Ukraine became infected, with under 50 in the US falling victim, while Kaspersky's research suggests that around 2,000 users have been attacked so far. Organizations in Russia and the Ukraine are the most affected, and it has also seen hits in Poland, Italy, the UK, Germany, France, the US and several other countries.

While Petya currently lags far behind WannaCry, the nature of its worm-like capabilities means that the number of infections could rise yet.

