If you follow the latest cyber security headlines, you’ll have noticed that reports of high-profile ransomware attacks appear all-too-frequently. But just how likely is it that you or the organizations you work for will be hit by a ransomware attempt?
Our 2024 ransomware statistics roundup will give you a better understanding of how this type of malicious software is put to work. Take a look through these ransomware stats to discover the latest attack rates, methods, targets, financial impacts, and more…
Ransomware Attack Trends
Peak Covid was a boom time for ransomware. After several years during which the attack rate remained stable, the global volume of ransomware attacks spiked suddenly in 2020 and went up even further in 2021. Numbers decreased in 2022 and early 2023 but now appear to be on the rise again.
Recent Attack Trends and Predictions
1. 2022 saw over 493 million ransomware attack attempts:
Year | Ransomware Attack Attempts (in millions ) |
---|---|
2017 | 183.6 |
2018 | 206.4 |
2019 | 187.91 |
2020 | 304.64 |
2021 | 623.25 |
2022 | 493.33 |
2. Between 2021 and 2022, the global volume of ransomware attacks decreased by 23%.
3. The IBM Security X-Force Threat Intelligence Index indicates that ransomware represented 17% of all cyber attacks in 2022.
4. SonicWall Capture Labs Threat Researchers recorded 51.2 million attacks in Q1 2023, the smallest quarterly total since Q4 2019.
5. However, ransomware attacks resurged during Q2 2023, with 88.9 million attacks observed: a quarterly rise of 74%.
6. In H1 2023, Chainalysis calculated that ransomware attackers successfully extorted at least $449 million - $176 million more than the same period in 2022.
7. If the current pace of attacks continues, ransomware attackers are predicted to extort $899 million from victims in 2023. This will be the second most successful year for ransomware attackers, trailing only 2021’s haul of $940 million.
8. In 2021, it was estimated that someone falls victim to a ransomware attack every 11 seconds.
9. Experts predict that by 2031, ransomware will attack an organization, consumer, or device every 2 seconds.
Ransom Demand Trends
10. In 2021, average ransomware demands were estimated at $220,298 - a 43% increase on 2020.
11. In its April 2022 State of Ransomware report, Sophos identified an almost threefold increase in the proportion of victims paying ransoms of $1 million or more: up from 4% in 2020 to 11% in 2021. Over the same period, the percentage paying less than $10,000 dropped from 34% to 21%.
12. Bitcoin accounts for approximately 98% of ransomware payments. It is, however, becoming easier to detect the flow and sources of Bitcoin. There are early indications that more privacy-focused digital currencies (e.g. Monero) will grow in popularity as the payment method of choice for cyber criminals.
Ransomware Target Statistics
The United States remains the most frequently attacked country. However, attacks are not limited to any particular region or industry.
Countries Most Targeted by Ransomware Attacks
13. Top 10 countries attacked using ransomware:
Country | Number of Ransomware Attacks (in millions) |
---|---|
United States | 217.49 |
United Kingdom | 71.35 |
Spain | 52.68 |
Brazil | 21.81 |
Germany | 20.17 |
Colombia | 15.52 |
Netherlands | 13.64 |
Italy | 12.47 |
Norway | 8.36 |
Australia | 7.62 |
14. The United States was the most frequently attacked country in 2022, experiencing 38.8% of all attacks.
Rate of Ransomware Attacks by Industry
15. 66% of organizations were targeted by ransomware attempts in 2022. The sector breakdown is as follows:
Sector | Orgs. Hit by Ransomware in 2022 |
---|---|
Lower education | 80% |
Higher education | 79% |
Construction and property | 71% |
Central government | 70% |
Media, leisure and entertainment | 70% |
Local government | 69% |
Retail | 69% |
Energy and utilities | 67% |
Distribution and transport | 67% |
Financial services | 64% |
Business and professional services | 60% |
Healthcare | 60% |
Other | 58% |
Manufacturing and production | 56% |
IT and telecoms | 50% |
Ransomware Attacks by Organization Size
16. Between January 2022 and January 2023, small and medium-sized companies between 11 and 50 employees, as well as companies with 51-200 employees, suffered the most attacks, based on an attacks-per-employee ratio.
How Often Do Targets Pay Ransoms?
17. An estimated 41% of ransomware victims in 2022 paid a ransom. This compares with 50% in 2021, 70% in 2020, and 76% in 2019.
18. Organizations that paid ransoms in 2022 only got, on average, 61% of their data back. Only 4% got all their data back.
19. 80% of companies that paid a ransom were hit a second time, with 40% paying again. 70% of those repeat victims had to pay a higher amount the second time around.
Statistics on Ransomware Methods
Ransomware gangs continue to rely heavily on human weakness - i.e., unsuspecting victims clicking on malicious links - to get their attacks off the ground.
Attack Entry Points
20. In 2022, 69% of ransomware attacks on businesses were started with an email.
21. For organizations with more than 250 employees, 75% of ransomware attacks were started via email.
22. Nearly 1% of all emails contain a link or file related to ransomware.
23. In consumer services, 70% of ransomware attacks originated from web traffic and web applications.
Ransomware Tools
24. The most popular tools used by ransomware groups to manage their attacks have remained consistent over several years. These are PowerShell to collect data, Mimikatz to escalate privileges, and PsExec to execute commands remotely.
Recent Developments in Ransomware
Self-propagation
25. The WannaCry and the NotPetya family of ransomware which emerged in 2017 were early trailblazers in self-propagation. This is where malware has the ability to spread laterally and autonomously across a network, encrypting more data, more easily.
26. Many of the most prominent recent ransomware families - e.g. BlackBasta, LockBit, and Play - all boast self-spreading mechanisms: evidence that this capability is becoming pretty-much standard.
Code adoption
27. Kaspersky estimates that at least 25% of leaked code from the now-defunct Conti group's ransomware was used in LockBit’s latest variant.
28. This is part of a trend of major ransomware gangs borrowing from each other - and in many cases collaborating strategically - to build higher-quality tools that are more likely to circumvent security measures.
Statistics on the Impact of Ransomware Attacks
The ransomware statistics show that when it comes to the total cost of a successful attack, the ransom is often just the tip of the iceberg.
29. The total global cost of ransomware is expected to exceed $30 billion in 2023.
30. For large enterprises in 2022, the average total cost of a ransomware breach was $4.54 million.
31. For companies with annual revenue of less than $10 million, the average cost of recovery in 2023 is $205,400.
32. In 2023, 84% of private sector organizations hit by ransomware reported that the attack caused them to lose revenue.
33. Lower education (94%) and construction (93%) were the sectors most likely to report some loss of business/revenue.
34. 64% of businesses now have some form of cyber insurance.
35. Barracuda Networks found that 77% of organizations with cyber insurance were hit at least once, compared to 65% of organizations without insurance. It is speculated that attackers might use social engineering to deliberately hone in on targets that are known to be insured, on the assumption that a payout from these companies is more likely.
36. Where a business decides to pay up, the ransom payment is roughly 15% of the total cost of the attack. The rest comprises the incident report effort, system restoration, legal fees, monitoring costs, and the overall impact of business disruption.
37. In 40% of cases, companies who suffer a ransomware attack will lay off employees as a result.
38. 39% of companies take up to a week to recover from a ransomware attack.
39. Research from Sophos suggests that organizations that use backups to recover their data recover from the attack more quickly than those that pay the ransom.
Who Are Committing Ransomware Attacks?
The main incentive for ransomware attacks has always been financial gain. Unsurprisingly, the most prolific ransomware groups tend to be based in those territories where little or nothing is done to curb their activities (Russia being the prime example).
Location of Attackers
40. In 2021, an estimated 74% of all money made through ransomware attacks went to Russia-linked hackers.
41. In H2 2021, The US Treasury’s Financial Crimes Enforcement Network found that 75% of ransomware-related incidents were linked to Russia, its proxies, or persons acting on its behalf.
Motivations of Attackers
42. Rising international tensions have led to more politically-motivated attacks. While ransomware attacks overall rose significantly (151%) in 2021, attacks on government targets increased by 917%. Attacks on sensitive infrastructure - education and health care - increased by 615% and 594% respectively.
43. Russia has a reputation as a safe harbor for ransomware attackers: i.e., hackers are left to operate so long as they leave domestic targets alone. There is some evidence of a loose alignment between Russian government priorities and ransomware activity.
44. Stanford Internet Observatory and the Center for International Security and Cooperation found a significant increase in attacks from Russia-based gangs against organizations in the United States, Canada, the United Kingdom, Germany, Italy, and France in the lead-up to those countries’ national elections.
Ransomware Groups
45. Top 10 Ransomware Groups July 2022 - June 2023:
Rank | Group | Number of Victim-Reported Cases |
---|---|---|
1 | LockBit | 1,046 |
2 | BlackCat | 389 |
3 | BlackBasta | 239 |
4 | Royal | 215 |
5 | Clop | 205 |
6 | BianLian | 203 |
7 | Play | 156 |
8 | Akira | 107 |
9 | Karakurt | 102 |
10 | Vice Society | 99 |
Most Active Ransomware Groups in Focus
LockBit
46. Active since 2019, LockBit is currently the world’s most prolific ransomware group. The group operates a ransomware-as-a-service (RaaS) model, selling its services to cyber criminals. It is active across multiple hacking forums, including Exploit and RAMP, and manages a ransomware leak information service where victim data is published.
47. The exact location of the LockBit group is uncertain, although key members appear to be Russian-speaking.
48. LockBit has developed several ransomware variants since its inception (abcd, LockBit 1.0, LockBit 2.0, LockBit 3.0, and LockBit Green).
49. In a LockBit attack, initial access is often achieved through phishing. The LockBit script then typically allows attackers to expand their reach throughout the target system, elevate access right,s and deactivate security measures.
50. LockBit enables attackers to manually target a single system unit, which in turn can infect other linked units to encrypt files.
51. LockBit has targeted victims across multiple sectors internationally, including education, finance, healthcare, software providers, and professional services:
BlackCat
52. BlackCat - also known as AlphaVM, AlphaV, or ALPHV - was first identified in late 2021. It is a successor to REvil, which was linked to Russian hackers. It is also thought that some key BlackCat operators are linked to the now-defunct ransomware gangs, DarkSide and BlackMatter.
53. BlackCat has executed a string of successful attacks using triple extortion tactics, comprising a combination of ransom demands, DDoS attacks, and threats to expose exfiltrated data.
54. BlackCat is written in the cross-platform language Rust, so it is easily configurable to attack a wide range of operating systems and environments.
55. Unusual for ransomware groups, BlackCat set up a data leaks website on the public internet rather than the dark web.
56. BlackCat exploits have spanned all sectors. In a blitz of activity between November 2021 and September 2022, the gang managed to compromise 200 enterprises. This included the financial, manufacturing, legal, and professional services sectors.
BlackBasta
57. The BlackBasta gang first appeared in early 2022 and quickly became one of the most active ransomware groups in the world.
58. It is suspected that BlackBasta is a rebrand of the now-defunct Russia-linked RaaS group, Conti.
59. BlackBasta seems to favor quality over quantity, focusing on highly-targeted attacks against large enterprises and organizations, with initial access generally obtained through phishing emails.
60. BlackBasta’s activities seemed to be limited to targets in the United States when the group first appeared. However, through 2023, its target range seems to have extended worldwide.
61. Victims of BlackBasta have included the American Dental Association, the Canadian Yellow Pages, and the German multinational materials producer, Knauf.
Notable Recent Attacks
These recent examples of ransomware incidents illustrate real-life implications of this type of cyber attack.
Medibank
What’s the worst that could happen if you refuse to meet a cyber gang’s ransom demands? Australian health insurer, Medibank, was issued with a demand for $9.7 million, which equated to a dollar for each of the 9.7 million customers whose personal data had been stolen. Here’s what happened when the company refused to pay…
Capita
When the UK outsourcing giant, Capita was hit by the BlackBasta group in March 2023, it resulted in recovery costs of $25 million and a 12% drop in the company’s share price.
Toronto Hospital for Sick Children
When customers of its RaaS offering hit a kids’ hospital, LockBit realized that things had gotten out of hand. The gang realized this wasn’t a good look, apologized, and tried to put things right…
Conclusion
Don’t pay up. That’s generally the advice given by law enforcement agencies when it comes to ransomware demands. The statistics show that the proportion of people who pay ransoms is decreasing; a sign, perhaps, that more organizations take cyber hygiene, backup, and recovery seriously and are better able to rely on these procedures rather than handing over cash.
Nevertheless, after a relatively quiet 2022, it’s also clear that ransomware attack rates are heading upward again. Ongoing advances in the development of self-propagating scripts makes it easier than ever for criminals to access and exfiltrate sensitive data from across networks, offering multiple and potentially lucrative options for extortion.
In short, ransomware attacks look set to be a significant part of the threat landscape for the foreseeable future.
Frequently Asked Questions
Sources
- Barracuda Ransomware Insights Report, 2023
- BBC, ‘74% of ransomware revenue goes to Russia-linked hackers’, Article, 2023
- BCS, ‘The biggest cyber attacks of 2023’, Article
- Bleeping Computer, ‘Ransom payment is roughly 15% of the total cost of ransomware attacks’, Article, 2023
- Chainalysis Crypto Crime Report, 2023
- Comparitech, Malware Statistics and Facts for 2023
- Conceal, Who’s Who In Ransomware Report, 2023
- CSO Online, ‘Insured companies more likely to be ransomware victims’, Article, 2023
- Dark Reading, ‘25% of phishing emails sneak into Office 365’, Article, 2019
- Dark Reading, ‘Ransomware profits decline’, Article, 2023
- FlashPoint, LockBit Ransomware: Inside the world’s most active ransomware group’, Article, 2023
- IBM Cost of a Data Breach Report, 2023
- IBM Security X-Force Threat Intelligence Index, 2023
- Kasperksy, New Ransomware Trends in 2023, Article
- Marsh, Ransomware: Paying Cyber Extortion Demands in Cryptocurrency, Article, 2023
- NordLocker Ransomware Report, 2023
- Security Week, ‘It doesn’t pay to pay’, Article, 2023
- Security Week: ‘Self-Propagating, Fast-Encrypting Rorsach Ransomware Emerges’, Article, 2023
- SonicWall Cyber Threat Report, 2023
- Sophos, State of Ransomware Report, 2023
- Statista, Countries most targeted by ransomware, Chart, 2023
- Tech.co, Ransomware Statistics, 2023
- Wired, ‘Russia’s sway over criminal ransomware gangs is coming into focus’, Article, 2022