Ransomware Statistics 2025: Latest Trends Methods

Ransomware Statistics for 2023 Latest Trends and Attack Methods

If you follow the latest cyber security headlines, you’ll have noticed that reports of high-profile ransomware attacks appear all-too-frequently. But just how likely is it that you or the organizations you work for will be hit by a ransomware attempt? 

Our 2024 ransomware statistics roundup will give you a better understanding of how this type of malicious software is put to work. Take a look through these ransomware stats to discover the latest attack rates, methods, targets, financial impacts, and more… 

Ransomware Attack Trends 

Peak Covid was a boom time for ransomware. After several years during which the attack rate remained stable, the global volume of ransomware attacks spiked suddenly in 2020 and went up even further in 2021. Numbers decreased in 2022 and early 2023 but now appear to be on the rise again. 

Recent Attack Trends and Predictions 

1. 2022 saw over 493 million ransomware attack attempts:

YearRansomware Attack Attempts (in millions )
2017183.6
2018206.4
2019187.91
2020304.64
2021623.25
2022493.33

2. Between 2021 and 2022, the global volume of ransomware attacks decreased by 23%.

3. The IBM Security X-Force Threat Intelligence Index indicates that ransomware represented 17% of all cyber attacks in 2022

4. SonicWall Capture Labs Threat Researchers recorded 51.2 million attacks in Q1 2023, the smallest quarterly total since Q4 2019

5. However, ransomware attacks resurged during Q2 2023, with 88.9 million attacks observed: a quarterly rise of 74%.

6. In H1 2023, Chainalysis calculated that ransomware attackers successfully extorted at least $449 million - $176 million more than the same period in 2022. 

7. If the current pace of attacks continues, ransomware attackers are predicted to extort $899 million from victims in 2023. This will be the second most successful year for ransomware attackers, trailing only 2021’s haul of $940 million. 

8. In 2021, it was estimated that someone falls victim to a ransomware attack every 11 seconds.  

9. Experts predict that by 2031, ransomware will attack an organization, consumer, or device every 2 seconds.   

Ransom Demand Trends 

10. In 2021, average ransomware demands were estimated at $220,298 - a 43% increase on 2020. 

11. In its April 2022 State of Ransomware report, Sophos identified an almost threefold increase in the proportion of victims paying ransoms of $1 million or more: up from 4% in 2020 to 11% in 2021. Over the same period, the percentage paying less than $10,000 dropped from 34% to 21%. 

12. Bitcoin accounts for approximately 98% of ransomware payments. It is, however, becoming easier to detect the flow and sources of Bitcoin. There are early indications that more privacy-focused digital currencies (e.g. Monero) will grow in popularity as the payment method of choice for cyber criminals. 

Ransomware Target Statistics 

The United States remains the most frequently attacked country. However, attacks are not limited to any particular region or industry. 

Countries Most Targeted by Ransomware Attacks  

13. Top 10 countries attacked using ransomware:

CountryNumber of Ransomware Attacks (in millions)
United States 217.49
United Kingdom 71.35
Spain52.68
Brazil21.81
Germany20.17
Colombia15.52
Netherlands13.64
Italy12.47
Norway8.36
Australia7.62

14. The United States was the most frequently attacked country in 2022, experiencing 38.8% of all attacks

Rate of Ransomware Attacks by Industry 

15. 66% of organizations were targeted by ransomware attempts in 2022. The sector breakdown is as follows: 

SectorOrgs. Hit by Ransomware in 2022
Lower education80%
Higher education79%
Construction and property 71%
Central government 70%
Media, leisure and entertainment 70%
Local government 69%
Retail69%
Energy and utilities 67%
Distribution and transport 67%
Financial services 64%
Business and professional services60%
Healthcare60%
Other 58%
Manufacturing and production 56%
IT and telecoms50%

Ransomware Attacks by Organization Size 

16. Between January 2022 and January 2023, small and medium-sized companies between 11 and 50 employees, as well as companies with 51-200 employees, suffered the most attacks, based on an attacks-per-employee ratio.  

Ransomware Attacks by Organization Size

How Often Do Targets Pay Ransoms? 

17. An estimated 41% of ransomware victims in 2022 paid a ransom. This compares with 50% in 2021, 70% in 2020, and 76% in 2019. 

18. Organizations that paid ransoms in 2022 only got, on average, 61% of their data back. Only 4% got all their data back. 

19. 80% of companies that paid a ransom were hit a second time, with 40% paying again. 70% of those repeat victims had to pay a higher amount the second time around. 

Statistics on Ransomware Methods 

Ransomware gangs continue to rely heavily on human weakness - i.e., unsuspecting victims clicking on malicious links - to get their attacks off the ground. 

Attack Entry Points 

20. In 2022, 69% of ransomware attacks on businesses were started with an email

21. For organizations with more than 250 employees, 75% of ransomware attacks were started via email

22. Nearly 1% of all emails contain a link or file related to ransomware. 

23. In consumer services, 70% of ransomware attacks originated from web traffic and web applications

Ransomware Tools 

24. The most popular tools used by ransomware groups to manage their attacks have remained consistent over several years. These are PowerShell to collect data, Mimikatz to escalate privileges, and PsExec to execute commands remotely. 

Recent Developments in Ransomware 

Self-propagation 

25. The WannaCry and the NotPetya family of ransomware which emerged in 2017 were early trailblazers in self-propagation. This is where malware has the ability to spread laterally and autonomously across a network, encrypting more data, more easily. 

26. Many of the most prominent recent ransomware families - e.g. BlackBasta, LockBit, and Play - all boast self-spreading mechanisms: evidence that this capability is becoming pretty-much standard. 

Code adoption 

27. Kaspersky estimates that at least 25% of leaked code from the now-defunct Conti group's ransomware was used in LockBit’s latest variant. 

28. This is part of a trend of major ransomware gangs borrowing from each other - and in many cases collaborating strategically - to build higher-quality tools that are more likely to circumvent security measures. 

Statistics on the Impact of Ransomware Attacks

The ransomware statistics show that when it comes to the total cost of a successful attack, the ransom is often just the tip of the iceberg. 

29. The total global cost of ransomware is expected to exceed $30 billion in 2023. 

30. For large enterprises in 2022, the average total cost of a ransomware breach was $4.54 million

31. For companies with annual revenue of less than $10 million, the average cost of recovery in 2023 is $205,400

32. In 2023, 84% of private sector organizations hit by ransomware reported that the attack caused them to lose revenue

33. Lower education (94%) and construction (93%) were the sectors most likely to report some loss of business/revenue.  

Loss of Business Revenue Globally by Industry

34. 64% of businesses now have some form of cyber insurance

35. Barracuda Networks found that 77% of organizations with cyber insurance were hit at least once, compared to 65% of organizations without insurance. It is speculated that attackers might use social engineering to deliberately hone in on targets that are known to be insured, on the assumption that a payout from these companies is more likely. 

36. Where a business decides to pay up, the ransom payment is roughly 15% of the total cost of the attack. The rest comprises the incident report effort, system restoration, legal fees, monitoring costs, and the overall impact of business disruption. 

37. In 40% of cases, companies who suffer a ransomware attack will lay off employees as a result. 

38. 39% of companies take up to a week to recover from a ransomware attack. 

Recovery Time 2023

39. Research from Sophos suggests that organizations that use backups to recover their data recover from the attack more quickly than those that pay the ransom. 

Recovery Time by Data Recovery Method

Who Are Committing Ransomware Attacks? 

The main incentive for ransomware attacks has always been financial gain. Unsurprisingly, the most prolific ransomware groups tend to be based in those territories where little or nothing is done to curb their activities (Russia being the prime example).  

Location of Attackers 

40. In 2021, an estimated 74% of all money made through ransomware attacks went to Russia-linked hackers

41. In H2 2021, The US Treasury’s Financial Crimes Enforcement Network found that 75% of ransomware-related incidents were linked to Russia, its proxies, or persons acting on its behalf. 

Motivations of Attackers 

42. Rising international tensions have led to more politically-motivated attacks. While ransomware attacks overall rose significantly (151%) in 2021, attacks on government targets increased by 917%. Attacks on sensitive infrastructure - education and health care - increased by 615% and 594% respectively.  

43. Russia has a reputation as a safe harbor for ransomware attackers: i.e., hackers are left to operate so long as they leave domestic targets alone. There is some evidence of a loose alignment between Russian government priorities and ransomware activity

44. Stanford Internet Observatory and the Center for International Security and Cooperation found a significant increase in attacks from Russia-based gangs against organizations in the United States, Canada, the United Kingdom, Germany, Italy, and France in the lead-up to those countries’ national elections.   

Ransomware Groups

45. Top 10 Ransomware Groups July 2022 - June 2023: 

RankGroupNumber of Victim-Reported Cases
1LockBit1,046
2BlackCat389
3BlackBasta239
4Royal 215
5Clop205
6BianLian203
7Play156
8Akira107
9Karakurt 102
10Vice Society99

Most Active Ransomware Groups in Focus 

LockBit

46. Active since 2019, LockBit is currently the world’s most prolific ransomware group. The group operates a ransomware-as-a-service (RaaS) model, selling its services to cyber criminals. It is active across multiple hacking forums, including Exploit and RAMP, and manages a ransomware leak information service where victim data is published. 

47. The exact location of the LockBit group is uncertain, although key members appear to be Russian-speaking

48. LockBit has developed several ransomware variants since its inception (abcd, LockBit 1.0, LockBit 2.0, LockBit 3.0, and LockBit Green). 

49. In a LockBit attack, initial access is often achieved through phishing. The LockBit script then typically allows attackers to expand their reach throughout the target system, elevate access right,s and deactivate security measures. 

50. LockBit enables attackers to manually target a single system unit, which in turn can infect other linked units to encrypt files. 

51. LockBit has targeted victims across multiple sectors internationally, including education, finance, healthcare, software providers, and professional services: 

Ransomware Victims by Country

BlackCat 

52. BlackCat - also known as AlphaVM, AlphaV, or ALPHV - was first identified in late 2021. It is a successor to REvil, which was linked to Russian hackers. It is also thought that some key BlackCat operators are linked to the now-defunct ransomware gangs, DarkSide and BlackMatter. 

53. BlackCat has executed a string of successful attacks using triple extortion tactics, comprising a combination of ransom demands, DDoS attacks, and threats to expose exfiltrated data. 

54. BlackCat is written in the cross-platform language Rust, so it is easily configurable to attack a wide range of operating systems and environments. 

55. Unusual for ransomware groups, BlackCat set up a data leaks website on the public internet rather than the dark web. 

56. BlackCat exploits have spanned all sectors. In a blitz of activity between November 2021 and September 2022, the gang managed to compromise 200 enterprises. This included the financial, manufacturing, legal, and professional services sectors. 

BlackBasta

57. The BlackBasta gang first appeared in early 2022 and quickly became one of the most active ransomware groups in the world

58. It is suspected that BlackBasta is a rebrand of the now-defunct Russia-linked RaaS group, Conti

59. BlackBasta seems to favor quality over quantity, focusing on highly-targeted attacks against large enterprises and organizations, with initial access generally obtained through phishing emails. 

60. BlackBasta’s activities seemed to be limited to targets in the United States when the group first appeared. However, through 2023, its target range seems to have extended worldwide

61. Victims of BlackBasta have included the American Dental Association, the Canadian Yellow Pages, and the German multinational materials producer, Knauf.

Notable Recent Attacks 

These recent examples of ransomware incidents illustrate real-life implications of this type of cyber attack. 

Medibank 

What’s the worst that could happen if you refuse to meet a cyber gang’s ransom demands? Australian health insurer, Medibank, was issued with a demand for $9.7 million, which equated to a dollar for each of the 9.7 million customers whose personal data had been stolen. Here’s what happened when the company refused to pay… 

Capita

When the UK outsourcing giant, Capita was hit by the BlackBasta group in March 2023, it resulted in recovery costs of $25 million and a 12% drop in the company’s share price. 

Toronto Hospital for Sick Children 

When customers of its RaaS offering hit a kids’ hospital, LockBit realized that things had gotten out of hand. The gang realized this wasn’t a good look, apologized, and tried to put things right… 

Conclusion 

Don’t pay up. That’s generally the advice given by law enforcement agencies when it comes to ransomware demands. The statistics show that the proportion of people who pay ransoms is decreasing; a sign, perhaps, that more organizations take cyber hygiene, backup, and recovery seriously and are better able to rely on these procedures rather than handing over cash. 

Nevertheless, after a relatively quiet 2022, it’s also clear that ransomware attack rates are heading upward again. Ongoing advances in the development of self-propagating scripts makes it easier than ever for criminals to access and exfiltrate sensitive data from across networks, offering multiple and potentially lucrative options for extortion. 

In short, ransomware attacks look set to be a significant part of the threat landscape for the foreseeable future.

Frequently Asked Questions

Level Up in Cyber Security: Join Our Membership Today!

vip cta image
vip cta details
  • Gary spends much of his working day thinking and writing about professional and personal development, as well as trends and best practice in IT recruitment from both an organizational and employee perspective. With a background in regulatory risk, he has a special interest in cyber threats, data protection, and strategies for reducing the global cyber skills gap.

>

StationX Accelerator Pro

Enter your name and email below, and we’ll swiftly get you all the exciting details about our exclusive StationX Accelerator Pro Program. Stay tuned for more!

StationX Accelerator Premium

Enter your name and email below, and we’ll swiftly get you all the exciting details about our exclusive StationX Accelerator Premium Program. Stay tuned for more!

StationX Master's Program

Enter your name and email below, and we’ll swiftly get you all the exciting details about our exclusive StationX Master’s Program. Stay tuned for more!