Ransomware is malicious software that locks files and operating systems until victims pay a ransom. However, only one out of every seven victims that pay successfully retrieves their data.

Ransomware has become increasingly prevalent and damaging in recent years. In 2022, there were an estimated 493 million attacks worldwide, targeting 71% of all businesses. The United States, as one of the world’s largest economies, has consistently been the target of choice for cybercriminals.

In light of these trends, this article aims to provide essential insights into ransomware statistics, enabling readers to grasp the scale, impact, and emerging patterns of these malicious attacks.

What Are the Statistics of Ransomware?

Ransomware attacks sharply increased in 2020 and 2021 but have since stabilized. While statistical estimates offer valuable insights into the scale and impact of ransomware, we should acknowledge that the actual number of incidents is likely much higher due to underreporting.

Many organizations choose not to report attacks to protect their reputation and credibility or due to regulatory compliance concerns. Consequently, obtaining precise and comprehensive statistics on ransomware attacks remains challenging. The available numbers are approximations derived from reported incidents, industry surveys, cybersecurity research, and collaborations with law enforcement agencies.

Here are the key statistics and trends regarding ransomware:

  • In 2022, the global count of ransomware attacks detected by organizations was 493.33 million, a 23% decline from the peak of 623.25 million in 2021.
  • Ransomware gangs collected approximately $456.8 million from victims in 2022, roughly a 40% decrease compared to the previous two years.
  • The percentage of organizations hit by ransomware attacks worldwide has been steadily increasing since 2018, reaching a peak of 71% in 2022.
  • Among organizations in the United States, 68% reported falling victim to a ransomware attack and paying the ransom. Additionally, 10% were infected but chose not to pay, while 22% remained unaffected.
  • The number of ransomware-as-a-service extortion groups increased from 19 in 2021 to 31 in 2022.
  • The ransomware landscape continues to expand rapidly, with 327 new families in 2017 and 127 more in 2020.
  • A business takes approximately 22 days to recover and resume operations after an attack. The costs associated with downtime can exceed the ransom demand by a factor of 50.
Annual number of ransomware attacks worldwide

What Industries Are Most Targeted by Ransomware?

Ransomware attacks opportunistically focus on organizations with vulnerable systems, aiming to strike during crucial periods when these entities are under pressure to maintain operations and online presence. Ransomware attacks can occur in any industry, but some are more vulnerable.

Manufacturing remained the primary target for ransomware and the most extorted industry for the second consecutive year. Along with critical infrastructure providers, they are attractive targets for cybercriminals and highly susceptible to extortion due to their minimal tolerance for downtime.

Financial institutions, including banks, insurance companies, and others, are also particularly vulnerable to various types of cyber-attacks due to their reliance on continuous availability and the large amounts of sensitive information they possess.

Healthcare organizations rely heavily on timely and reliable access to sensitive data for seamless operation, which is why ransomware in healthcare is a burning issue. Additionally, regulatory compliance pressures put these organizations at a higher risk of double extortion. For example, HIPAA mandates strict patient privacy, and any data breach can result in significant fines and penalties. This vulnerability incentivizes criminals to threaten public exposure of sensitive information.

A graph of cyber attacks by industry in 2022

Fortify your organization’s defenses with our Data Security Cloud, an exceptionally stable cloud infrastructure platform purpose-built for malware protection. Developed in partnership with Intel and VMware, this robust solution implements multiple layers of security, making it an excellent choice for healthcare providers seeking HIPAA-compliant servers.

What Are the Costs of Ransomware?

According to Verizon, approximately 95% of ransomware incidents incurred losses within the range of $1 million to $2.25 million. Moreover, IBM’s 2022 Cost of a Data Breach report reveals that the average cost of a ransomware attack is $4.54 million, while the median cost has more than doubled over the past two years, reaching $26,000.

Unfortunately, ransoms are only a small part of the losses organizations incur. The average total cost of a ransomware attack surpassed the average ransom by over seven times. The cost equation includes the following:

A ransomware attack also shifts an organization’s focus to recovery instead of development or growth. The IT department prioritizes restoring operational functionality, while marketing and public relations are preoccupied with crisis communication. Ransomware attacks also commonly require hiring expensive contractors and consultants. By exposing weaknesses, they compel organizations to beef up cybersecurity and adopt more advanced technology.

A graph of estimate cost from cybersecurity worldwide in U.S. dollars

Our Veeam Backups are a powerful defense against ransomware, assuring the integrity of your data and removing the need for ransom payments. They facilitate rapid data restoration and seamless operations in the face of data loss or system failure, significantly reducing downtime in your IT environment.

The Main Causes of Ransomware Attacks

Human error remains the dominant factor in most incidents, accounting for 74% of total breaches. Exploiting human nature, particularly through tactics like social engineering and phishing, is the prevailing method hackers use to deceive people into clicking on malicious links or attachments.

Senior leadership is particularly at risk due to their access to highly sensitive information and the comparatively less stringent protection they receive, often due to security protocol exceptions.

As cyber-attacks become increasingly sophisticated and targeted, organizations must implement robust cyber security awareness training programs for all employees, including management.

On the other hand, Remote Desktop Protocol (RDP) is the most prominent non-human cause of ransomware attacks. Originally designed for secure remote access by IT administrators, it provides the prime penetration avenue for criminals. Hackers use search engines like Shodan.io to identify vulnerable devices and gain access by brute-force password cracking. Strong passwords remain essential to thwarting such attacks.

Once they gain administrative privileges, hackers assume full control over the compromised machine and initiate encryption. In some cases, hackers may inflict further damage by disabling endpoint security software or deleting backups to more effectively coerce victims into paying the ransom.

A graph of most common causes for ransomware infections

Read our article on the best practices for securing remote access for employees to protect sensitive data and mitigate risks in the era of remote work.

Most Recent Ransomware Attacks

In 2023, ransomware attacks have disrupted organizations of all sizes, including educational and financial institutions, healthcare facilities, and transportation networks. Below are some prominent ransomware attacks that have occurred in the past month.

Taiwan Semiconductor Manufacturing Company

On June 29, the LockBit ransomware group claimed to have hacked Taiwan Semiconductor Manufacturing Company (TSMC). TSMC later confirmed that one of its IT hardware suppliers, Kinmax Technology, had experienced a breach. LockBit threatened to leak sensitive data unless TSMC paid a ransom of $70 million by August 6.

TSMC denied that its network was breached but immediately ceased data sharing with Kinmax and initiated an investigation. TSMC assured that business and customer information remained uncompromised. Kinmax acknowledged the breach, stating that only its internal testing environment was affected, leading to the exposure of default setup instructions and customer names.

Schneider Electric and Siemens Energy

On June 28, 2023, industry giants Schneider Electric and Siemens Energy confirmed they had been targeted by the Cl0p ransomware group. The group exploited a vulnerability in Progress Software’s MOVEit managed file transfer (MFT) software.

The hackers claimed to have accessed files from numerous organizations using the MFT product and began naming victims who refused to pay. Siemens Energy stated that no critical data was compromised, and operations remained unaffected. Schneider Electric promptly deployed mitigation measures upon discovering the vulnerability and is currently investigating the cyberattack claim.

Managed Care of North America

Dental insurer Managed Care of North America (MCNA) confirms that an intruder accessed and copied patient information, including addresses, Social Security numbers, driver’s licenses, and the insurance data of over 8.9 million individuals.

The Russia-based LockBit ransomware group has claimed responsibility for the attack, stating that they published the files after MCNA refused to pay a $10 million ransom. MCNA is offering one year of free identity theft protection to affected customers and is advising them to monitor their accounts for any suspicious activity. This incident marks the largest health data breach in 2023 so far. Despite recent crackdowns and arrests, LockBit continues its activities, targeting various organizations worldwide.

A graph displaying percentage of organizations hit by ransomware attacks

Learn about the most famous examples of ransomware.

What Is the Trend in Ransomware in 2023?

Last year there were promising signs of progress in the battle against ransomware, with decreased attacks and a 40% drop in ransom payments. However, cybercriminals have regrouped and unleashed a fresh wave of mass-ransomware attacks on major businesses in the new year.

In March 2023, the number of reported ransomware victims nearly doubled compared to April 2022 and was 1.6 times higher than the previous peak month in 2022. While it's too early to reach conclusions for 2023, here are notable macro trends that will undoubtedly shape the ransomware landscape in the coming year.

The Rise of China

One factor contributing to the recent lull in ransomware attacks is the ongoing war in Ukraine, which has preoccupied Russian hackers. In the past, a significant portion of ransomware incidents were linked to state-sponsored Russian actors. However, the landscape has shifted in 2023, as tensions between the U.S. and China escalate on multiple fronts. Consequently, China is emerging as a dominant player in the ransomware arena, and U.S. officials have already sounded the alarm regarding escalating cyber threats coming from that country.

The 2023 Annual Threat Assessment of the U.S. intelligence community highlights China as the most extensive and persistent cyber threat to both the U.S. government and the private sector. Their active cyber pursuits and the export of related technologies raise the risk of aggressive operations targeting critical infrastructure within the United States. The report notes that China’s capabilities extend to potentially disrupting services such as oil and gas pipelines and rail systems on American soil, making it a formidable force in the cyber realm.

Triple Extortion

Ransomware attacks have evolved far beyond encrypting data and demanding a ransom. A staggering 70% of attacks in 2021 employed the tactic of double extortion, whereby cybercriminals coerce victims into paying by threatening to expose or trade their sensitive information on the dark web.

A concerning trend has emerged in the form of triple extortion attacks. In these attacks, cybercriminals demand ransom from the main target and use the threat of exposing the organization's data to extract money from other affected parties.

Furthermore, if the primary target refuses to comply with the ransom demands, the attackers may resort to additional measures. For instance, in cases where a business has managed to restore its data from backups and shows no inclination to negotiate, the cybercriminals might initiate a distributed denial-of-service (DDoS) attack to intensify the pressure and coerce the victim into paying.

Ransomware as a Service

Ransomware as a service refers to a business model where cybercriminals rent out or sell ransomware tools and infrastructure to other individuals or groups, enabling them to execute attacks without extensive technical knowledge or resources.

Locky, Goliath, Shark, Stampado, Encryptor, and Jokeroo are just a few notable examples of ransomware-as-a-service (RaaS) kits, with numerous others in existence. However, RaaS operators frequently transform and resurface with updated and more advanced ransomware variants. This business model has seen a notable increase, with the number of RaaS extortion groups nearly doubling from 19 in 2021 to 31 in 2022.

Ransomware attacks by country

Predictions for the Future of Ransomware Attacks

The expansion of the digital economy goes hand in hand with the escalation of digital crime. Leading researchers project that by 2031, ransomware attacks will occur at a rate of one every two seconds, with global costs surpassing $265 billion.

This rising threat has prompted organizations to allocate larger budgets to bolster cybersecurity. The latest data suggests that global expenditure on cybersecurity solutions and services will reach $219 billion in 2023, growing  12.1% compared to 2022.

However, despite increased financial investment, there is a persistent shortage of cybersecurity experts. This shortage is impeding efforts to effectively address and mitigate ransomware risks. Simply put, pouring more money into cybersecurity may not be sufficient to address this issue comprehensively.

Amidst the prevailing challenges, there is a glimmer of hope. Governments worldwide are ramping up their efforts to combat ransomware groups and may yet stem the tide. CISA and the FBI recently established the Joint Ransomware Task Force, aiming to confront the ransomware gangs.

Additionally, the U.S. Department of Justice unveiled two significant international initiatives: the National Cryptocurrency Enforcement Team, aimed at dismantling virtual currency exchanges used for money laundering in ransomware attacks, and the Civil Cyber Fraud Initiative, which pursues organizations suspected of involvement in cybersecurity fraud.

A graph displaying share of organizations in the US that experienced a ransomware attack and paid the ransom

Read our article How Is Ransomware Delivered to learn about the most common techniques hackers use to deliver ransomware.


Over the past two decades, ransomware has evolved from a nuisance to a serious and widespread threat. While financial gains drive many of these cyberattacks, nation-states also employ ransomware to exploit vulnerabilities in their adversaries’ critical infrastructure, turning ransomware into a powerful instrument of geopolitical influence.

Amidst the increasing competence and professionalism of ransomware gangs, there is a growing recognition that proactive measures are essential in combating these criminals. It is crucial to adopt innovative strategies and prioritize security from the outset.

A pivotal aspect of this approach is the ability to attract and retain cybersecurity talent, as the battle against hackers ultimately relies on the strength of your team. Furthermore, organizations should increasingly consider integrating automated intrusion detection systems that can effectively identify and mitigate potential attacks in real time. 

Investing in advanced security systems enables you to stay one step ahead of evolving ransomware while alleviating the burden on limited cybersecurity personnel. As a result, the team can focus on more strategic initiatives and conduct in-depth threat intelligence analysis, enhancing overall defense.