20 Ransomware Statistics You’re Powerless to Resist Reading [Updated for 2024]
$4.91 million — that’s what IBM’s 2024 Cost of a Data Breach report gives as the average cost of a breach involving ransomware. And that figure doesn’t include the ransom demand itself, which can run to tens of millions of dollars!
Editor’s Note: This ransomware statistics article was originally published in February 2020. The content was updated in May 2022 and again in October 2024 with new statistics, data, and content.
Let’s kick off our ransomware statistics list with one gut-wrenching number: $75 million.
On its face, this number may not seem all that devastating, but Zscaler reports that this is the amount a single company paid the Dark Angels ransomware gang. Again, this is only the ransom that was handed to the threat actors; it doesn’t reflect the other costs the company faced as a result of the attack!
To put this in perspective: Serbia’s 2023 GDP, according to World Bank Group data, is roughly $75 billion, so this single ransom payment equals about one-thousandth of a mid-sized European country’s annual economic output. With that in mind, we’ll explore other ransomware statistics that help put this thriving criminal enterprise into perspective.
Let’s hash it out.
Ransomware Statistics You Should Know in 2024 and Beyond
We’ve broken down these ransomware statistics into smaller sub-lists relating to ransomware costs (yeah, we know that’s mainly why you’re here), the breakdown of industries being targeted, and ways that organizations are fighting back.
Ransomware Statistics: The Costs of Ransomware Attacks
This year alone, we’ve seen record-breaking ransom payments. But these aren’t the only costs businesses face as a result of ransomware attacks. There are direct and indirect costs relating to mitigation and recovery efforts, and those amounts vary based on the scope of the attacks and each company’s level of preparedness to deal with such situations.
Regardless of whether a company chooses to pay a ransom, reaches out to law enforcement, or tries to deal with the situation on its own, the incident is still going to cost a lot, both in money and in reputational harm. And those costs keep climbing as attackers go beyond traditional encryption-based extortion and publish or sell the data they exfiltrated.
Let’s explore some of the most notable ransomware statistics relating to direct and indirect costs of these attacks.
1. Unpatched Vulnerabilities Lead to 4X Higher Recovery Costs
Data from Sophos’s State of Ransomware 2024 survey report indicates that organizations whose ransomware attacks began with unpatched vulnerability exploits experienced slower recovery time and recovery costs that were four times higher than ransomware attacks that stemmed from compromised credentials.
Sophos researchers share that 99% of the survey respondents indicated that they could identify how the attacks started. Here’s an overview of how the identified ransomware attacks started over the past two years:
2. Ransomware Costs Nearly $60 Million in Adjusted Losses in 2023
A total of 2,825 ransomware attacks were reported to the FBI’s Internet Crime Complaint Center (IC3) in 2023. While the number of complaints received that year was down from 2021 (3,729), the adjusted losses associated with this attack method were more than $10 million higher, reaching $59,641,384 in 2023.
Now, keep in mind that these adjusted losses don’t account for some indirect and direct costs, such as lost business opportunities, equipment, files, time, wages, or third-party remediation costs. Furthermore, the FBI indicates that it’s an “artificially low overall ransomware loss rate” for several reasons:
- Some incidents never get reported at all.
- Some reports don’t include a loss amount.
- The reported numbers only include complaints made directly to the IC3 (not reports made to FBI field offices or agents).
3. Change Healthcare Forked Out a $22 Million Ransom Payment to No Avail
The UnitedHealth Group subsidiary paid out big bucks in response to BlackCat/ALPHV’s ransom demand in exchange for keeping its stolen data secret. That obviously didn’t pan out: the payment did nothing to stop RansomHub threat actors from publishing the exfiltrated information anyway.
4. Involving Law Enforcement Decreases Ransomware Costs by 20%+
Not sure whether you want to involve law enforcement in your ransomware situation? Doing so is advantageous from both breach resolution speed and financial perspectives.
Data from IBM’s 2024 Cost of a Data Breach report (we linked to it at the beginning of the article) indicates that the average cost of a breach involving ransomware attacks is lower for organizations that choose to involve law enforcement. In 2024, that difference was approximately $1 million!
Something to keep in mind, of course, is that these averages don’t include ransom payment costs.
5. Attacks Not Involving Authorities Took 16 Extra Days to ID & Contain
Not all ransomware costs are strictly financial. It’s also a matter of time and resources you have to dedicate to dealing with the issue at hand. With this in mind, let’s consider the mean-time-to-identify (MTTI) and mean-time-to-contain (MTTC) aspect of ransomware attacks.
IBM reports in its 2024 Cost of a Data Breach report that organizations that involved law enforcement identified and contained their ransomware breaches more than two weeks faster than their DIY counterparts:
- 281 days: the average time it took to identify (213 days) and contain (68 days) a ransomware breach when law enforcement was involved.
- 297 days: the average time it took to identify (220 days) and contain (77 days) a ransomware breach when law enforcement wasn’t involved.
Ransomware Statistics: A Look at Ransomware as a Business Model
It certainly shouldn’t come as a shock that ransomware, much like other types of cybercrime, is a booming business. In a ransomware attack, bad guys use their collective evil to extort money from private individuals, companies, and public entities.
With that in mind, let’s take a closer look at ransomware from a business perspective.
6. Ransomware Actors Received $1.1 Billion in Ransom Payments in 2023
Unfortunately, bad guys were makin’ bank in 2023. Chainalysis reports that ransomware payments skyrocketed from $567 million in 2022 to surpass $1 billion in 2023. That’s nearly the entire 2025 proposed operating budget for the Metra commuter rail system, which provides services for Chicago and the six-county surrounding area of Illinois.
7. Ransomware Inflows Reach Nearly $450 Million in 1H 2024
Chainalysis reports that although aggregate illicit activity has dropped nearly 20% year-to-date, ransomware is one of two categories that are seeing these transactions increasing. Ransomware increased approximately 2% from $449.1 million to $459.8 million in the first half of 2024.
Want some good news? In its report, Chainalysis indicates that the ransomware ecosystem has been experiencing a shakeup and fragmentation as a result of law enforcement actions against major players like LockBit and Blackcat/ALPHV.
8. One Crypto Company Associated with $51M+ in Ransomware Attacks
According to a September press release from the Financial Crimes Enforcement Network, the U.S. Office of Foreign Assets Control (OFAC) slapped sanctions on Cryptex, a virtual currency exchange organization registered under the name “International Payment Service Provider” in St. Vincent and the Grenadines.
Cryptex is associated with ransomware attackers and other cybercriminals operating in Russia and is thought to have played a role in more than $720 million in transactions related to other types of cybercrime.
9. Attackers Can Exfiltrate Data in as Little as 2 Days
In our phishing statistics article from earlier this year, we shared some disturbing data from Palo Alto Network’s Incident Response Report 2024. In the report, researchers shared that cybercriminals have figured out how to speed up the timeline on how quickly they can exfiltrate data in a ransomware attack.
It no longer takes more than a week between the initial compromise and the theft of data: the median time between compromise and exfiltration dropped from 9 days in 2021 to 2 days in 2023, according to the report.
10. Ransomware-as-a-Service Subscriptions Cost as Little as $40/Month
Ransomware-as-a-service (RaaS) creates a bit of an unusual situation for cyber defenders: the person carrying out the cyber attack might not be the same individual who created the malware. According to IBM, bad guys often peddle their ransomware tools and services, packaging them as so-called RaaS kits.
Ransomware attacks are no longer one-person operations; they’re often partnerships involving multiple individuals or networks of individuals (operators, affiliates, initial access brokers, etc.). For obvious reasons, this makes it trickier for defenders and investigators to attribute an attack to the people actually responsible.
11. RaaS Affiliates Can Get Commissions Upwards of 90%
As mentioned, RaaS is changing, and cyber defenders often have outdated perceptions about this booming cybercrime industry.
In the past, many RaaS incidents involved developers who developed and sold malicious software, and affiliates who spread it and extorted companies and individuals for ransom payments. The subscription model was a common approach, and these opportunities still exist on the dark web.
However, things have evolved over the past few years. Martin Zugec, technical solutions director at Bitdefender, likens the modern RaaS model to cybercrime’s version of the “gig economy”: it’s all about profit-sharing. Check out a previous presentation by Zugec on the “Top 10 Myths and Misconceptions About Ransomware”:
So, how much can these threat actors make? In this profit-sharing model, affiliates pocket the higher percentages of the profits — upwards of 90%, according to Recorded Future — while operators make the lesser percentage.
Ransomware Statistics: Who (or What) Are the Targets?
Simply knowing the costs of ransomware attacks isn’t enough. It’s just as important to know who or what threat actors are targeting in the first place.
It doesn’t matter whether it’s a private citizen, a politician, a mom-and-pop business, or even a multi-national conglomerate — ransomware can affect anyone and everyone. However, some specific industries do make more attractive targets than others…
Determining which industries are the “most targeted” varies based on the data source you’re looking at.
12. 249 Ransomware Complaints Makes Healthcare/Public Health Most Targeted Critical Infrastructure Sector
Data from the FBI IC3’s 2023 Internet Crime Report (cited earlier) shows that the Healthcare and Public Health sector was the most affected critical infrastructure sector, closely followed by Critical Manufacturing.
It’s no secret that bad guys love to cause havoc. Critical infrastructure is a particularly attractive target because disruption there is the most costly and the pressure to pay is the highest. One recent healthcare-focused ransomware attack targeted University Medical Center (UMC) Health System:
“UMC Health System recently detected unusual activity within our IT systems. Immediately after detecting this activity, our teams launched an investigation and took steps to proactively disconnect our systems to contain the incident. Through the ongoing investigation, we determined that the unusual activity was connected to a ransomware incident. UMC healthcare facilities remain open for existing inpatients and UMCP clinics also remain open. We are accepting patients via ambulance and only diverting a very select number of patients until all of our resources are fully functioning.”
13. 47% of Smaller Organizations (<$10M in Revenue) Were Hit by Ransomware
Data from Sophos’s earlier-cited 2024 ransomware report indicates that nearly half of smaller organizations (i.e., those with less than $10 million in revenue) were hit by ransomware in the last year. So, while the data shows that larger organizations with higher revenue were more likely to be targeted, that doesn’t mean smaller ones are out of the woods.
14. 9 in 10 Ransomware Attacks Involved Targeting Data Backups
Separate research from Sophos shows that an average of 94% of the survey respondent organizations that fell prey to ransomware indicated the attackers actively tried to “compromise their backups” during the assaults.
This is particularly troubling when you consider that backups are one of only two ways a business can get its data back after a ransomware attack. The other is paying the attackers, which often doesn’t work and can land you in hot water with the U.S. Office of Foreign Assets Control (OFAC) if the recipient is sanctioned.
Sophos’s report “The Impact of Compromised Backups on Ransomware Outcomes” shares that the industry with the lowest rate of compromise attempts was Distribution and Transportation, with “only” 82% of ransomware attacks involving such attempts.
Wondering which five industries faced the most attempts to compromise their backups?
- Entertainment, Leisure, and Media (99%)
- Local/State Government (99%)
- Energy, Gas/Oil, and Utilities (98%)
- Business and Professional Services (98%)
- Central/Federal Government (98%)
But the bad news doesn’t stop there….
15. Backups Were Impacted by Ransomware Attackers 76% of the Time
Data from Veeam’s 2024 Ransomware Trends Report shows that more than 3 in 4 ransomware events involved threat actors successfully impacting backup repositories. On average, Veeam researchers indicate that 43% of data affected by ransomware attacks isn’t recoverable.
But you know what the scarier part is? Their data shows that only 37% of survey respondents indicated that they’d use a sandbox or other quarantine method when restoring their data. The rest admitted that they “restored directly back into their production environment” — no scans, no quarantine, but lots of risks.
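The stats above say most attackers go after the backups, and most victims restore straight into production without checking what they are restoring. The following is an added example, not code from the article or from any of the vendors it cites, of the pre-restore check a practitioner would want: a manifest of file digests authenticated with an HMAC whose key lives outside the backup repository (the key, file names and contents are constructed for illustration). If an attacker with write access to the repository encrypts a backup file, drops a ransom note, or tries to re-sign the manifest, the check refuses the restore.

```python
"""Added example: integrity check for a backup set before restore.
Not code from the original article. The key, file names and contents
are constructed for illustration; the key is assumed to be held off the
backup host (HSM, offline vault), otherwise an attacker who owns the
repository can simply re-sign the manifest."""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 and return its hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir, key):
    """Record a digest for every file under backup_dir and authenticate the
    whole listing with HMAC-SHA256 under the out-of-band key."""
    entries = {}
    for root, _, files in os.walk(backup_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            entries[os.path.relpath(path, backup_dir)] = sha256_file(path)
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_backup(backup_dir, manifest, key):
    """Return (ok, problems). ok is True only if the manifest tag verifies
    and every listed file is present with its recorded digest. Unlisted
    files are reported too, since ransomware drops notes and encrypted
    copies next to the originals."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return False, ["manifest HMAC mismatch: manifest was tampered with or re-signed"]
    problems, seen = [], set()
    for root, _, files in os.walk(backup_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, backup_dir)
            seen.add(rel)
            recorded = manifest["entries"].get(rel)
            if recorded is None:
                problems.append(f"unexpected file: {rel}")
            elif sha256_file(path) != recorded:
                problems.append(f"digest mismatch: {rel}")
    for rel in manifest["entries"]:
        if rel not in seen:
            problems.append(f"missing file: {rel}")
    return (not problems), problems


def demo():
    """Build a constructed backup set, simulate an attacker encrypting one
    file, dropping a ransom note and forging a manifest, and return what
    the pre-restore check says in each case."""
    key = b"constructed-out-of-band-key"  # assumption: never stored with the backups
    with tempfile.TemporaryDirectory() as backup_dir:
        os.makedirs(os.path.join(backup_dir, "db"))
        with open(os.path.join(backup_dir, "db", "customers.sql"), "wb") as f:
            f.write(b"INSERT INTO customers VALUES (1, 'alice');\n")
        with open(os.path.join(backup_dir, "config.yaml"), "wb") as f:
            f.write(b"retention_days: 30\n")
        manifest = build_manifest(backup_dir, key)
        clean = verify_backup(backup_dir, manifest, key)

        # Attacker with write access: overwrite one file with "ciphertext"
        # and leave a ransom note in the repository.
        with open(os.path.join(backup_dir, "db", "customers.sql"), "wb") as f:
            f.write(os.urandom(48))
        with open(os.path.join(backup_dir, "README_DECRYPT.txt"), "wb") as f:
            f.write(b"your backups are encrypted\n")
        tampered = verify_backup(backup_dir, manifest, key)

        # Attacker also re-generates the manifest, but without the real key.
        forged = verify_backup(backup_dir, build_manifest(backup_dir, b"wrong-key"), key)

    return {
        "clean": (clean[0], clean[1]),
        "tampered": (tampered[0], sorted(tampered[1])),
        "forged_manifest": (forged[0], forged[1]),
    }


if __name__ == "__main__":
    for case, (ok, problems) in demo().items():
        print(f"{case}: {'SAFE TO RESTORE' if ok else 'DO NOT RESTORE'} {problems}")
```

Run the check in the isolated restore environment, before anything is copied to production, and treat any problem as a stop condition; the manifest itself should be written at backup time and stored with the key, not alongside the data it describes.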
Ransomware Statistics: How Organizations & Governments Are Fighting Back
16. NoMoreRansom.org Offers Decryption Tools for 180 Ransomware Types
The No More Ransom project is a collaborative effort between IT security companies and law enforcement agencies. The objective is to help individuals and companies regain access to their encrypted data without paying bad guys anything.
As of the writing of this article, the project has made available decryption tools for 180 types of ransomware, including Darkside, LockBit, and Revil/Sodinokibi. According to an Oct. 1 press release from the European Union’s Agency for Law Enforcement Cooperation (Europol), which is one of the organizations involved in No More Ransom, more than 6 million victims globally have benefitted from the project.
17. 91% of Organizations Recognize Cybersec & Backups Need Improvements
Veeam’s 2024 Ransomware Trends Report data shows just how displeased survey respondents are regarding their misaligned priorities and strategies:
- A full 63% indicated that either a “significant improvement” or “complete overhaul” would be required to get their Cybersecurity and IT Backup teams in alignment.
- Another 28% indicated that “some improvement” would be necessary.
- The remaining 10% thought “little improvement” (9%) or “no improvement” (1%) would be needed.
18. 94% of Organizations Know Whom They’d Call When Facing an Attack
The last bit of data we’ll share from Veeam’s 2024 Ransomware Trends Report focuses on the “cavalry” — the third-party experts organizations say they’d call when the proverbial crap hits the fan. Survey respondents were split between calling their backup vendor (42%) and a security/forensics expert (42%), with the remaining respondents saying they’d call a ransom negotiator.
19. 18 New Members Join the International Counter Ransomware Initiative (CRI)
Representatives from 68 member countries and organizations across the globe met up in Washington, D.C. at the Fourth CRI Gathering with the goal of building relationships and resilience against ransomware attacks.
These efforts, in part, aim to help reduce ransomware payments, improve reporting, better secure software, and take additional steps to weaken the ransomware ecosystem. It also explored the use of artificial intelligence (AI) to counter and increase resilience against ransomware and other malicious cyber attacks.
20. U.S. State Department Offers Up to $15 Million Reward for LockBit Actors
LockBit joined the notorious ranks of cybercriminals listed on the Transnational Organized Crime Rewards Program (TOCRP). In February, the U.S. Department of State put out an offer for:
- Up to $10 million for info leading to the identification and whereabouts of key leaders in the group, and
- Another $5 million for info that leads to the arrest and/or conviction of anyone involved in LockBit ransomware activities.
In May, the U.S. placed sanctions on one of the group’s senior leaders, Dmitry Khoroshev, and offered a $10 million reward for information leading to his arrest and/or conviction.
TL;DR — A Quick Recap (Or an Overview for Skimmers)
Don’t have time to read through all of the ransomware statistics above? No worries. We’ve put together a brief highlights list of the top five ransomware stats to note from the list above:
- Ransomware actors received $1.1B in ransom payments in 2023 (Chainalysis)
- Attackers can exfiltrate data in as little as 2 days (Palo Alto Networks)
- Healthcare & Public Health organizations made 249 complaints to the IC3 (FBI IC3)
- 47% of organizations with less than $10 million in revenue were hit by ransomware (Sophos)
- Backups were affected by ransomware attackers in 76% of instances (Veeam)
As always, feel free to leave a comment and share your most notable ransomware statistics below…