Ransomware Statistics You Must Know About

Ransomware is malware that denies people access to computer files. In 2020, there were 304.6 million detected ransomware attacks worldwide. That number skyrocketed to 623.3 million in 2021. 

Traditional methods and outmoded practices are no longer enough for data protection. Continue reading to learn more about ransomware and how to avoid becoming a victim.

Editor's Choice 

• Ransomware has been around since 2017, with a total of 183.6 million incidents that year.
• The most recurring entry point for ransomware attacks is phishing. 
• A ransomware attack is valued at $4.54 million on average. 
• The highest average ransom payments were in the manufacturing industry, amounting to $2.04 million. 
• In 2022, one in 42 healthcare organizations was attacked.
• Healthcare will most likely settle the ransom demands, ranking first with 61% of organizations paying the ransom to get encrypted data back.
• Colonial Pipeline reported a ransomware attack, halting operations and specific I.T. systems.
• After stealing 150 GB of data, DarkSide demanded $7.5 million in Bitcoin from Brenntag.
• Vice Society stole 500 gigabytes from LAUSD's networks over Labor Day weekend.
• Only 2% of higher education institutions retrieved their data after ransom payments.

How Many Ransomware Attacks Are There? 

Ransomware-related cyber attacks have been seeping through organizations' databases since 2020. These breaches doubled in number in 2021. As a result, businesses take tremendous measures to prevent ransomware attacks and preserve their data.

With this, we can delve further into the operation of ransomware and the scale of its growth since it first entered data systems.

Ransomware Attack Statistics

Ransomware is a common yet costly occurrence. There are around 1.7 million ransomware attacks daily, and costs are expected to increase by $265 million by 2031. 

Hackers also use ransomware to compromise organizational systems; this includes adding malware to increase data breach capacity. 

Here are the most intriguing ransomware attack statistics from recent years: 

1. Ransomware has been around since 2017, with a total of 183.6 million incidents that year. 

(Statista)

The rise of ransomware started in 2017 and climbed to servers quickly, and just a few years later, there were 623.25 million ransomware attacks in 2021. This is primarily due to problems adapting networks and supply chains for hybrid and remote work. 

2. The volume of ransomware incidents will decrease by 23% in 2022. 

(AAG)

With the imminent danger of ransomware lurking around the corner, more companies and government organizations are taking extreme measures to increase government protection and general awareness of their data. The decrease in ransomware in 2022 indicates that precaution is taking effect.

3. 74% of construction companies surveyed say they'll pay for the ransomware.

(Cybereason) 

74% of construction companies stated that their organization would pay in the event of an attack, while 51% from the tech sector and 43% from the utility or energy section.

For a construction company, being a victim of a ransomware attack entails several problems, such as: 

• losing essential plans
• halting the progress of large contracts
• Setting the company's reputation in danger

These issues may push the organization to settle the ransom demands. 

4. Email was the first point of contact for 69% of ransomware victims.

(AAG)

Phishing aims to trick the victim into sharing private information, such as passwords and card details. Almost 30% of phishing emails are opened, which increases the chances of downloading from suspicious links containing ransomware or malware. 

Since phishing emails are easy to send and garner faster responses, it is one of the top entry points for ransomware attacks.

5. In 2020, 15 ransomware families used double extortion to maximize profits. 

(Zscaler)

Double extortion occurs when a ransomware attacker gains access to a victim's private network and discovers high-value data and assets to store on their storage network. The attacker will encrypt the data and demand a ransomware payment. 

If left unpaid, the criminal will sell the stolen assets and data or publish it for public consumption. This technique caused 1,200 incidents in 2020, resulting in numerous high-visibility data breaches.

Cost of Ransomware Statistics

The cost of ransomware attacks usually puts companies in a position where they will think about paying due to the value of data. Even if the organization decides to pay, recovery periods of ransomware attacks still entail.

Recovering from a ransomware attack also means spending more money to ensure the data's safe and the company won't be vulnerable to attacks again. 

How much does paying off a cyberattack like ransomware cost? Let's go through a few statistics to learn more about it: 

6. Data breaches cost an average of $4.35 million. 

(UpGuard) 

In general, data breaches have become more expensive. Breach response costs grew by 13% over the past two years. The COVID-19 pandemic caused most organizations to adopt remote working in 2020–2021. 

7. The average value of a ransomware attack is $4.54 million. 

(Lexology)

Companies need to shell out around $4 million to cover all the expenses incurred from a ransomware attack. This doesn't include the ransom payment, which can amount to around $800,000. 

8. The highest ransom payments were in the manufacturing industry, amounting to $2.04 million. 

(Cybersecurity Dive)

Apart from the manufacturing industry, ransomware attackers target energy and utilities at $2.03 million. The lowest ransom payments were in the healthcare industry, valued at $197,000, and state governments at $214,000. 

9. Companies must account for the downtime of 22 days after ransomware attacks. 

(NetApp)

Experiencing a cyberattack doesn't end with the ransom. Most companies spend 50 times the cost of the ransom payment to account for the downtime. Recovery costs, like lost productivity and hiring contractors to rush recovery processes, add up quickly. 

10. New York's Erie County Medical Center experienced a ransomware attack in which the attackers demanded $30,000. 

(PureStorage)

The organization didn't pay the ransom yet and still incurred expenses of $10 million. Companies must spend money on new hardware and software, staff pay, and third-party cybersecurity consultants.

Apart from that, these attacks expose the weaknesses in a company's security systems. With this, the company will need to invest in expensive cybersecurity ventures to prevent a data breach from happening again. 

Healthcare Ransomware Statistics

Ransomware attackers always target industries with urgent needs, one of which is healthcare. Millions of lives are in danger when the data is compromised and inaccessible; this makes healthcare organizations more likely to pay a ransom as its a matter of life and death.

How important is data to healthcare companies? These statistics will tell you all about it: 

11. One in 42 healthcare organizations was the target of an attack in 2022, making them one of the most targeted industries.

(PhoenixNAP)

Healthcare companies have sensitive data, such as financial information, medical records, and other personal data. These kinds of information make healthcare databases goldmines for identity theft. Healthcare providers are also more likely to pay the attackers' demands because they need that encrypted information to treat people. 

12. From 2016 to 2021, the annual count of ransomware attacks doubled from 43 to 91. 

(Healthcare I.T. News)

While this number is alarming, researchers are also unsure about how accurate this statistic is as not all companies report ransomware attacks due to HIPAA; healthcare providers need not report incidents that show the low probability that patient information has been exposed. 

13. Healthcare will most likely settle the demands, with 61% of organizations paying ransom to regain encrypted data. 

(Sophos News)

Since many lives are put in danger because of ransomware attacks, most healthcare organizations don't think twice about paying the ransom demands of the attackers. This makes attackers more inclined to target this industry. Because healthcare systems need life-saving equipment and reliable hospital operations, attackers can demand quick and high ransoms. 

14. 54% of all analyzed ransomware attacks were reported to HHS outside HIPAA's required 60-day reporting window. 

(Health I.T. Security)

Even with a reporting window of 60 days, not all healthcare organizations can fulfill the ransomware report within the time frame. While this may make other statistics inaccurate, it's important to note that these healthcare companies still make the report to try and lessen the attacks in the future.

15. Only 4-7% of the health system's I.T. budget is invested in cybersecurity. 

(Astra)

While ransom payments for healthcare organizations may be lower than the average, it doesn't mean they shouldn't invest in cybersecurity. 

A data breach could entail many issues, such as lost productivity among doctors and clinicians, added expenses to transport patients to other medical institutions, and readjusting standard practices during downtime to keep treating patients.

16. 61% of data breaches that involve an insider are unintentional and caused by negligent insiders. 

(Healthcare Innovation)

An insider threat is a group member with access to the organization's security processes, systems, and data. This person can use this to negatively impact the organization, such as extorting them for profit. 

Insider threats in an organization may be careless workers, inside agents, disgruntled employees, and third parties. However, it’s reported that most of the threats were careless workers unaware of security policies and could not attend security awareness training.

17. Healthcare organizations that paid the ransom got back only 65% of their data in 2021, down from 69% in 2020. 

(Sophos News)

Most healthcare organizations settle the ransom payment to retrieve their data quickly. However, it only sometimes works in their favor. Fewer data is recovered even after paying the ransom. Only 2% of those that settled in 2021 got 100% of their data back, down from 8% in the previous year. 

Ransomware Cases Examples

Cyber attackers target companies with deep pockets. Organizations and companies holding valuable data will be more than willing to settle the ransom payment to regain access to their data. 

What are some notable cases of ransomware attacks? Learn more below.  

18. Sodinokibi (REvil) was behind the ransomware to Travelex, demanding $6 million.

(Kaspersky)

Travelex was attacked by Sodinokibi (REvil), a private Russian ransomware-as-a-service (RaaS) operation, in January 2020. The ransomware attack led the attackers to acquire 5 G.B. of sensitive client data, including birth dates and credit card information. 

Sodinokibi told Travelex that if the ransom were paid, they would delete the data they had. If unpaid, the ransom will double every other day. This forced the forex company to pay $2.3 million in Bitcoin and was able to restore their systems after 14 days.

19. DarkSide demanded a $4 million ransom from Colonial Pipeline.

(ZDNet)

DarkSide infiltrated Colonial Pipeline's network, which provides 45% of the East Coast's fuel, and demanded $4 million as a ransom. The company decided to pay the ransom when the demands were made. As a result, the company shut down for six days.

In the meantime, several local government officials declared states of emergency. They assured the public they did not need to hoard gas. However, panic buying still occurred in 11 states.

20. After stealing 150 GB of data, DarkSide demanded $7.5 million in Bitcoin from Brenntag. 

(Touro College Illinois)

After successfully attacking Colonial Pipeline, DarkSide targeted Brenntag, a chemical distribution company. Brenntag was forced to settle the ransom. Despite the amount, it's still recorded as one of the highest ransomware payments in history.

21. Lapsus$ claimed responsibility for the attack against Nvidia in 2022 and demanded a $1 million ransom.

(Sangfor)

Lapsus$ has a history of using ransomware to attack other big tech companies like Samsung, Impresa, T-Mobile, and Microsoft. They attacked Nvidia, the largest semiconductor chip company. Nvidia confirmed that a threat actor leaked employee information and proprietary details online. 

22. CHI Health was hit by a ransomware attack that compromised patient data and affected their daily operations. 

(Sangfor)

The hospital chain experienced a ransomware attack that compromised patient information. Fortunately, CHI Health acted quickly and secured its infrastructure to ensure continuity of care for patients. 

Employees and nurses shared that they've been forced to do everything manually, including charting patient data, which takes them longer than usual. Edward Porter, who has diabetes, could not reorder sensors for his glucose monitor as the CHI Health System was offline. 

23. Curo Fund Services could not access I.T. systems for five days after a ransomware attack. 

(Black Fog)

The investment organization investigated the attack's origin, scope, and nature to assess any data breaches. Curo Fund Services claims to have already taken drastic steps to implement additional security, which can keep them safe from further unauthorized access. 

Unlike other companies, this investment group did not engage with the attackers and instead focused its energy on restoring its operations with the help of third-party specialists. 

24. LockBit tried to get $80 million from the U.K.'s Royal Mail. 

(Malware Bytes Labs)

Lockbit, one of the five most dangerous cyber threats facing businesses in 2023, posted 126 victims on its site early in 2023. They targeted the U.K.'s Royal Mail, a significant operation that ships to 231 countries worldwide.

The cyber attackers demanded $80 million from them in January. LockBit negotiated down to $40 million, but it still needs to be determined if the Royal Mail paid this amount. 

Ransomware Education Statistics

The education sector is highly vulnerable to hackers as it holds skills information, budgetary and financial data issues, and their overall lack of preparation.

Usually, data exfiltration is the primary goal of ransomware criminals - because the integrity of the data is essential to the schools and the students, faculty, and staff within them. Holding this information at ransom makes it more probable for the organization to settle the demands. 

25. Ransomware attacks on education increased from 44% in 2020 to 56% in lower education and 64% in higher education in 2021.

(Sophos News) 

Since the education sector limits its budget against cybersecurity, they're an obvious target for hackers. The rate of ransomware attacks in education is rising daily, reflecting the success of the RaaS operation to get into schools' data systems effectively.

Even if an educational institution is insured, it might still have difficulty recovering the ransom. This is due to the high rate of ransomware events in this sector, which forces them to improve their cyber defenses and security to improve their cyber insurance standing.

26. 67 individual ransomware attacks affected 954 schools and colleges, potentially impacting 950,129 students. 

(Comparitech)

Educational institutions have an estimated amount of $3.56 billion in downtime alone. Most have also incurred massive recovery expenses when restoring their programs and computers. Also, their cybersecurity improvement processes add to the list of costs during a ransomware attack. 

The attack against Lincoln College was devastating; they had to shut down their institution permanently. The cyber attack impacted their systems, causing a shortfall in enrollments, which meant the school could no longer operate. 

27. Vice Society took the lead with 9 publicly disclosed attacks. 

(Security Boulevard)

14 schools in the U.K. have been reported to be attacked by ransomware, which was attributed to the RaaS group named Vice Society. 

They were said to leak data such as passport scans of students and parents, contractual offers for staff, headmaster's salary, Special Educational Needs (SEN) information, and student bursary fund recipients. 

28. The K–12 Cybersecurity Center reported 408 incidents across 377 school districts in 40 states in 2020-2022. 

(Graphus)

Since online classes have started, most educational institutions must adapt to the new practices and shift to this learning environment. Most schools needed help with these processes and required more preparation. This meant their systems had many weak points and vulnerabilities, which the hackers used to their advantage. 

29. Vice Society breached the Los Angeles Unified School District's networks and grabbed 500 TB of data.

(Cybersecurity Dive)

Among the 17,000 school districts across the U.S., the Los Angeles school system is the second biggest in the country, after New York City. Officials in L.A. claimed there was no response to the ransom demand. The RaaS group stole sensitive data, such as contractors' personal information and Social Security Numbers (SSNs). 

30. Higher education institutions are more likely to pay a ransom, yet only 2% reported that they retrieved it.

(Governing)

Lower education respondents in the Sophos worldwide survey recovered 62% of their data after paying the ransom, while higher education at 61%. This is a step down from the 68% recovery rate in 2020. 

It also took 26% of lower education respondents and 40% of higher education ones more than 30 days to recover from the attack. Experts say that most higher education institutions recovered most, if not all, of their data within 3-4 weeks; It would still take months to repair and improve their cyber security defenses fully. 

Wrap Up

Ransomware is rapidly becoming one of the most dangerous and threatening malware to hit the digital age. Organizations are put at a standstill when this occurs, forcing them to decide how valuable their data is. 

Some companies and organizations fall due to compromises within their internal security and servers. This should be a warning sign to all using online servers to caution against ransomware. Companies should add more security measures to improve their cybersecurity practices and defenses. 

Employees need practical training and routine checks to ensure they're not accidentally leaking anything. I.T. systems and databases should have regular backups so that they're not entirely blind when an attack like this occurs.