ransomware Statistics

Ransomware Statistics, Facts & Trends in 2024: How an Attack Works & How It Can Happen to You

sam chapman headshot
Last update: April 10, 2023

Ransomware attacks, in which hackers force you to pay to get your files back, are constantly evolving — protect yourself by backing up your files, using strong passwords and encrypting your credentials with a VPN. Try the best option, ExpressVPN, for free with a 30-day money-back guarantee.

Of all the cyber threats lurking out there in the dark, ransomware may be the scariest. Hackers attack a system, lock it down and demand an enormous sum to return the stolen data. They normally attack large enterprises, but individuals can get hit too. This article covers ransomware statistics, facts and trends — but I’d like to start with an example that affected many people directly.

In May 2021, the Colonial Pipeline shut down for the first time in 57 years. The pipeline delivered gasoline to much of the eastern United States, so when it shut off, gas stations in over a dozen states ran dry. 

The culprit was entirely digital. A ransomware attack forced Colonial’s own CEO to shut down the 5,500 miles of pipeline after nearly six decades of continuous operation.

  1. Best VPN to prevent ransomware attacks
    Overall Rating 9.5 / 10
    Get 49% Off ExpressVPN
  2. Overall Rating 9.2 / 10
    Visit NordVPN
  3. Overall Rating 8.9 / 10
    Visit Surfshark

Allegedly, the hackers got into Colonial’s system with a reused password that had been compromised in a data breach and never changed. The company lost millions of dollars, and the Eastern Seaboard lost most of its day’s gasoline in a ransomware attack that teetered on the most basic of security failures.

In this article, I’d like to offer statistics to help you understand ransomware as a real, dangerous, but solvable problem. I’ll discuss who launches ransomware attacks, who gets hit, how a ransomware attack happens and the actual cost of ransomware. I’ll list a few of the biggest attacks in history (so far). Finally, I’ll share some tips on how you can save yourself from being the next target.

Ransomware Statistics: What Is a Ransomware Attack & How Does It Work?

Ransomware is a type of malware (malicious software). First, hackers sneak ransomware trojans onto an unsecured system. Simple ransomware infections put up a fake lock screen, often disguised as an official warning from the government that forces the victim to pay a fee to regain access to their system. 

These “locker ransomware” attacks are on the wane, as anti-malware programs can eliminate them without harming the user’s system.

The more dangerous type of ransomware, known as crypto-ransomware, goes much farther by encrypting the victim’s files and demanding a fee in exchange for the decryption key. If the victim doesn’t pay a ransom, usually in an untraceable cryptocurrency, they’ll never be able to read their key files again.

One of the reasons ransomware feels like a scary new frontier is that it’s not an internet scam at all. A ransomware attack lacks even the basic elegance of a social engineering grift. Phishing is like being suckered by a master con artist; ransomware is like being dragged into an alley and beaten up.

With that said, ransomware stats show that attacks aren’t always as scary as they sound. In a survey of over 1,000 companies that had data encrypted by ransomware gangs in 2021, 96% eventually got their data back. Simple measures like backing up your files and using strong passwords can make you a much harder target for ransomware attacks.

Of course, I’ve always believed that the most important thing you can do to stay safe in cyberspace is to learn. The ransomware statistics in the rest of this article will help you get your head around this frightening new trend.

Cybersecurity experts over the last year have pointed at a few new trends currently shaping the ransomware landscape. The latest ransomware statistics show that new forms of extortion, new sources of malware and new targets are all on the rise.

Double Extortion

In the past, most ransomware attacks followed the “single extortion” model. We have your data; pay up, or we’ll throw away the key.

However, as attacks rose, many targets adopted the stance that they wouldn’t negotiate with terrorists. Paying the ransom would only embolden the hackers further, and if ransomware victims had backup files, there was no reason to pay.

In the past year, many ransomware gangs have adapted to the “double extortion” ransomware attack model, adding a second threat: if the victim doesn’t pay the ransomware demands, the hacker will leak the data they stole.1

The threat of a catastrophic breach twists the victim’s arm a lot harder than ransomware alone. The U.K. currency exchange company Travelex is one of the highest-profile victims of double extortion so far, losing so much money it went bankrupt.

Ransomware as a Service

It used to be that any hackers who wanted to launch a ransomware attack had to build the malware themselves from scratch. Thanks to ransomware as a service (RaaS),2 you no longer need technical skills to start taking files hostage.

RaaS programs are traded on the dark web. Sometimes, they come in exchange for a cut of the ransom for the program’s authors. Other ransomware tools are available by subscription, like any software as a service (SaaS). They include desktop and mobile malware variants. They may even have customer support staff and other features you’d find on above-board SaaS.

The rise of ransomware as a service means the origins of ransomware attempts will undoubtedly grow more diverse.

Supply Chain Attacks

IT giant Kaseya was hit by a ransomware attack in 2021. While fairly standard in its origins — the hackers, Russia-based REvil, exploited a flaw in remote access software for employees — the Kaseya attack exemplified the power of ransomware to cause consequences far beyond its direct targets.

At the time of the attack, Kaseya provided IT services for about 1,500 clients. Out of caution, it shut down services to all of them during the attack, leaving well over a thousand organizations without the IT they needed to do their jobs. Like the Colonial Pipeline attack, one entity was attacked, but the effects rippled outward.

Biggest Ransomware Attacks of All Time

These five ransomware targets paid out the largest ransoms ever recorded as of mid-2021.3

1. CWT Global, 2020

CWT Global, an American company that manages business travel, paid out $4.5 million to ransomware ring Ragnar Locker in 2020. The largest ransom payment ever could have been higher still — the ransomware attackers asked for $10 million, but CWT’s negotiators managed to bargain them down, pleading losses from the Covid-19 pandemic.

2. Colonial Pipeline, 2021

I started this article by describing the May 2021 ransomware attack that forced Colonial Pipeline to shut down all operations, triggering a gasoline shortage. The company ultimately paid $4.4 million to get its systems back. 

The gang responsible, DarkSide, had its servers and cryptocurrency funds seized soon after receiving the ransom payment. The U.S. Department of Justice was able to recover $2.3 million in cryptocurrency.

3. Brenntag, 2021

DarkSide had a busy May in 2021. While shutting down the Eastern Seaboard, the hacker ring also stole key files from chemical supply company Brenntag, ransoming them back for $4.4 million — money DarkSide lost after an unknown country seized its assets.

4. Travelex, 2020

In another attack we’ve already mentioned, Travelex became a victim of double extortion in 2020, paying $2.3 million to prevent hackers from leaking its customers’ credit card numbers. The exchange company was forced into administration, a charming British term for bankruptcy.

5. The University of California at San Francisco, 2020

Education is increasingly seen as a prime target for ransomware incidents, as proven by the June 2020 attack on the University of California system. UCSF was able to contain the attack and bargain the hackers down to $1.14 million from their initial $3 million demand.

Ransomware Frequency Statistics

With ransomware constantly in the news, it can be easy to get a distorted sense of how many attacks actually occur. Use these recent ransomware statistics to get your perceptions straight.

Ransomware Attacks Rose Sharply in 2021

Between January and July 2021, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) received 2,084 complaints of ransomware. As CISA notes,4 this number — already a 62% increase over the same seven months in 2020 — is likely lower than the actual number of attacks.

Over the entire year, the world saw attacks more than double.5 The exact reasons for the massive jump are still being debated, but it’s believed that many companies left themselves vulnerable by hastily adopting systems for remote work.

The United States Suffers a Quarter of All Ransomware Attacks

In 2021, 25% of all attacks targeted organizations in the United States.6 Brazil came in second, facing 17% of all attacks worldwide, with India in third place at 12%.

Iran came in fourth at 11% — which is interesting because many ransomware attacks are believed to originate from Iran with government backing. I have no proof of this, but I suspect much of that 11% comes from retaliatory or pre-emptive strikes in the U.S.-Iran cyber war.

Banking, Utilities and Retail Are the Most Targeted Sectors

Attacks on the healthcare industry surged 755% in 2021, and the ransomware attack rate against federal and local governments jumped 1,885%.5 You don’t see four-digit percentages very often, and it’s usually bad news when you do. 

Both of these sectors were perceived as being especially vulnerable due to Covid-19: Governments because they were distracted and hospitals because they had to pay so they could keep treating patients.

Despite the massive jumps, healthcare and government weren’t even in the top three industries for ransomware overall. The three most targeted industries in 2021 were banking and financial institutions (22% of all attacks), utilities (20%) and retail (16%).7

Businesses Are Attacked Four Times More Often Than Individuals

In case you’re worried you’ll open your personal laptop to a ransomware message, I’ve got some slight reassurance. Of every ransomware attack between July 2020 and June 2021, 79% hit public and private organizations, compared to just 21% against individuals.8

Launching a ransomware attack costs time and energy. Hackers tend to focus on organizations; not only do they have more money, but they also have more weak points to compromise, especially if they outsource functions to low-cost, low-trust managed service providers.

That said, individuals aren’t completely free from potential ransomware attack. Hackers are nothing if not opportunistic.

Cost of Ransomware and Demand Statistics

Any news story about ransomware is likely to throw around a lot of big numbers. But there’s often a large difference between the ransom demands made by hackers, the actual ransoms paid and the total costs of recovering from the ransomware attack.

Ransomware Demands Are Skyrocketing

In the first half of 2021, ransomware attacks grew more brazen, emboldened by the ransomware payments from Travelex, UCSF and CWT Global. Security consulting firm Unit 42 found that ransomware hackers demanded average ransom payments of about $5.3 million,9 up 518% from the 2020 average of $847,000.10

It’s a good argument for why you should never pay the ransom. Three high-profile victims caved, and the hackers multiplied their demands more than six-fold within months.

The Highest Ransomware Demand Asked For $70 Million

The record for the highest ransomware demand was shattered in March 2021, when REvil hackers encrypted files belonging to Taiwanese tech company Acer.11 The hackers demanded $50 million from Acer, threatening to double the price if they weren’t paid by the end of the month.

That record only stood for four months. In July 2021, the same hackers demanded $70 million from Kaseya, the victim of the wide-ranging assault on IT supply chains.

Demands Don’t Reflect the Actual Cost of Ransomware

Ransom payments are only half the story. Not all ransomware victims pays the full amount demanded. 

On the other hand, those who’ve suffered ransomware attacks incur significant costs beyond the ransom payments themselves. Downtime costs money, and the business must shore up its security against copycat attacks.

A survey of 357 organizations that paid the ransom found that actual payments averaged $170,404.12 That number reflects the fact that most ransomware attacks aren’t like the high-profile demands that make the headlines. In fact, 20 of the respondents reported paying ransoms at or around $10,000.

The same survey found that the average remediation cost was $1.85 million,12 more than twice the 2020 figure of $760,000.

Ransomware Origin Statistics

Who exactly are the shadowy hackers behind the surge in ransomware attacks, and how do they keep getting into their victims’ systems?

Nearly All Ransomware Attacks Originate from Four Countries

From July 2020 to June 2021, 58% of attacks came from ransomware groups based in Russia,8 either tolerated or directly sponsored by the government. A further 23% came from North Korea, 11% from Iran, and 8% from China.8

Almost All Attacks Involve Compromised Credentials

The most common ransomware attack vector in 2021 was an old nuisance: credential compromise.13 In 85% of attacks, the ransomware groups employed some form of credential access, such as phishing emails (taking on a false identity to steal credentials) or using duplicate passwords obtained through data breaches.

One reason for the sharp rise in ransomware attacks in the last two years is that many companies have adopted remote work systems without fully securing them. Flaws in remote services were the second-most common ransomware attack vector in 2021, seen in 83% of all attacks.13

Why Should You Worry About Ransomware & How Can You Protect Yourself

The ransomware problem is not going away. As Coveware points out, ransomware is both more profitable and vastly less dangerous than cocaine trafficking, with lower barriers to entry. That kind of opportunity isn’t going to lie in the street for long. Fortunately, there are easy ways for individuals and businesses to protect themselves.

1. Backup Your Files

By far, the most important is to have a cloud backup of all your most important files. That way, when the ransomware group holds your encrypted files for ransom, you can just grab the backups and tell them to go hack themselves. Learn more about how encryption works in our complete encryption guide.

2. Beef Up Password Security

However, backups don’t protect against the threat of double extortion data breaches. To stop those, you’ll have to secure your entry points. That starts with basic password security: no password reuse, unguessable passwords and two-factor authentication.

3. Update Software

If you use remote work tools, like a remote desktop protocol or corporate VPN, make sure to stay up to date on any vulnerabilities. 

4. Use Multiple Servers

Depending on the size of your file base, you can also split your files across several servers, quarantining them so a ransomware group can’t get to everything at once.

Conclusion: Ransomware Statistics

By this point, you’ve got a clear understanding of the shape and stakes of the ransomware fight. Ransomware remains dangerous, and it’s constantly evolving, so check back regularly for new ransomware statistics.

Have you ever been a victim of ransomware? Did I forget anything important? Sound off in the comments, and thanks for reading.


  1. Ransomware trends, statistics and facts in 2022
  2. Ransomware as a Service (RaaS) Explained
  3. The 5 biggest ransomware pay-outs of all time
  4. Ransomware Awareness for Holidays and Weekends
  5. There’s a huge surge in hackers holding data for ransom, and experts want everyone to take these steps
  6. Bitdefender Threat Debrief: December 2021
  7. Ransomware: Over half of attacks are targeting these three industries
  8. Microsoft Digital Defense Report: October 2021
  9. https://www.paloaltonetworks.com/blog/2021/08/ransomware-crisis/
  10. Extortion Payments Hit New Records as Ransomware Crisis Intensifies
  11. 2022 Unit 42 Ransomware Threat Report
  12. Acer Reportedly Suffered a REvil Ransomware Attack Attracting the Highest Ransom Demand in History of $50 Million
  13. The State of Ransomware 2021
  14. Ransomware attackers down shift to ‘Mid-Game’ hunting in Q3 2021

Leave a Reply

Your email address will not be published. Required fields are marked *