2018-2022 Ransomware statistics facts

*This article is regularly updated with the latest ransomware statistics for 2018 – 2022. We’ve compiled 35+ ransomware facts, figures, and trends along with a round-up of predictions from industry experts at the bottom of the article.

Once upon a time, ransomware was just a popular buzzword – now it is an all-too-real threat to businesses, governments, and individuals worldwide. The problem with ransomware is twofold:

First, ransomware is designed to completely encrypt a victim’s file system, potentially causing an irreversible loss of data. Second, an increasing number of cybercriminals are utilizing ransomware to extract money out of victims. Some surveys have shown that losses for businesses can average $2,500 for each incident, with businesses willing to shell out millions of dollars to decrypt their data in some instances.

The threat is only growing, as some reports find. Sonicwall, for example, found that this kind of attack increased by more than 100% in 2021 alone. Further, while small-to-midsized businesses were at the largest risk, ransom demands regularly hit seven or even eight-figures. The highest ransom confirmed to have been paid at the moment is $40 million USD by CNA Financial in May 2021.

Sonicwall ransomware report

All of this is proof positive that this type of threat continues to be an extremely lucrative venture for cybercriminals, with attackers against all sources (businesses, governments, and individuals) now collecting more than $100,000 per attack.

To get a better idea of what the ransomware landscape looks like, we’ve gathered some of the most interesting facts and statistics from 2018 to 2022 that highlight this ongoing security concern.

See also: Best ransomware protection tools

Ransomware attacks increasingly also target backup repositories

According to the 2022 report from VEEAM, 95% of ransomware attacks also attempted to infect backup repositories. This underscores the dangerous nature of this growing threat and highlights how businesses may find themselves in trouble unless they have properly segregated off-site backups in place – preferably with multiple backups in multiple locations.

Hackers can successfully penetrate 93% of corporate networks

According to a December 2021 study by Positive Technologies,  companies have a long way to go before they are adequately protected against hacking and ransomware attacks. According to their research, a whopping 93% of corporate networks can successfully be penetrated by hackers, allowing them to deploy ransomware, trojans, spyware, or other malicious exploits.

Only 50% of US SMBs have cybersecurity

Perhaps unbelievably, half of US small and midsize businesses have no cybersecurity in place according to a 2022 study by UpCity. This reveals that startups and SMBs are at extreme risk of ransomware attacks, and must put cybersecurity at the top of their agenda if they want to avoid losing valuable intellectual property, customer data, and other company information necessary for carrying out day-to-day.

When data loss meets dollars

Given the whole purpose of ransomware is to extract money from victims, total loss values are often the numbers people care about the most. Between 2018 and 2022, an increasingly large number of businesses, governments, and individuals faced huge losses thanks to these types of virus attacks.

In 2020, CWT, a travel-management company shelled out $4.5 million to hackers holding its data for ransom. While this represents a particularly huge payout, it’s still less than half of the attacker’s initial demand of $10 million. Additionally, the average ransom demand has increased significantly, with attackers asking for $50 million from computer giant Acer in 2021.

These past few years have seen attackers move away from targeting individuals. Instead, it’s become common to target infrastructure, with local governments, hospitals, and universities around the world suddenly facing demands for huge amounts of money. Naturally, these institutions have huge incentive to pay, and while the FBI strongly advises against it, Thycotic’s 2021 State of Ransomware report found that around 83% of victims end up paying.

The highest-profile attack of 2021 was arguably the one on Colonial Pipeline. This provided over 40% of the East Coast’s fuel, but as the ransomware attack left the company unable to bill properly, it was forced to suspend operations temporarily. Even though the company paid a $4.4 million ransom, it took a long time to get everything back online, leading to fuel purchasing restrictions in 17 US states.

This isn’t the only instance of lengthy problems following an attack. In 2019, the Baltimore City government was crippled for over a month. Estimates put the cost to recover at over $18 million dollars, although the cybercriminal behind the malware only demanded $76,000 worth of Bitcoin. The attack reportedly impacted vaccine production, ATMs, airports, and hospitals.

While many chose not to pay the cost for ransomware (and indeed, most security professionals say paying is typically a bad idea anyway), those that do pay up often find their files remain encrypted. After all, placing trust in the good graces of criminals often leads to disappointment.

Sophos Ransomware report
Source: Sophos State of Ransomware 2021 Report

With current trends, loss values are likely to exceed $265 billion by 2031. Additionally, as well as walking off with more money from ransomware in recent years, cybercriminals also caused far more damage than ever before.

  • In 2022, NVIDIA had around a terabyte of proprietary information encrypted by ransomware group LAPSUS$, which proceeded to release the data when no payment was made.
  • More than 10 universities across the UK and Canada were compromised after attackers successfully hacked Blackbaud, a cloud computing provider frequently used by educational institutions. Despite claiming it had successfully repelled the attack, it was later revealed that Blackbaud simply paid the ransom.
  • JBS, the world’s largest meat supplier, paid $11 million to regain access to confidential files. However, in the meantime, it was forced to halt operations, leading to shortages.
  • Garmin, a major player in the tech space, suffered a severe breach that brought its GPS services offline for several days. In order to regain control, the company allegedly paid a $10 million ransom.
  • Cyber attacks marred the start of the 2019-2020 academic school year for two American colleges. Regis University in Denver, Colorado, had its entire phone and internet services shut down after a late August cyber attack. Meanwhile, Monroe College in New York City had files locked down due to ransomware. The school did not reveal whether or not it paid the ransom. (Source: Inside Higher Ed)
  • A ransomware attack against the New Orleans city government in early 2020 cost the city over $7 million dollars. Thankfully, the city carries cybersecurity insurance and received $3 million back—which may indicate the city was still underinsured. (Source: SC Magazine)
  • The Baltimore City government was hit with a massive ransomware attack in 2019 that left it crippled for over a month, with a loss value of over $18 million. (Source: Baltimore Sun)
  • New York City’s capital was hit with a ransomware attack in 2019 that took several key services offline. (Source: CNET)
  • The city of Riviera Beach in Florida paid a $600,000 ransom in June 2019 to recover files following a ransomware attack. (Source: CBS News)
  • Multiple healthcare providers were hit with ransomware in early 2019 and paid the ransom to retrieve files. One paid $75,000 to recover its encrypted files. (Source: Health IT Security)
  • Ransomware remediation costs organizations more than $1.4 million on average. (Source: Sophos)
  • Even in 2016, ransomware was costing businesses more than $75 billion per year. (Source: Datto)
  • The FBI’s latest IC3 report (PDF) recorded over 3,700 reported instances of ransomware in 2021. Overall, $49 million was lost. However, this only accounts for the US, and many such incidents go completely unreported.
  • In 2018, businesses lost around $8,500 per hour due to ransomware-induced downtime. (Source: Govtech)
  • Ransomware infections more than doubled from 2020 to 2021. (Source: Symantec)
  • Symantec also found enterprises accounted for 81% of all ransomware attacks in 2018. (Source: Symantec)
  • British MSP businesses reported an average payment of $5,600 in 2020. (Source: Datto)
  • In 2016, less than 40% of victims paid the ransom. This has risen to 46% in 2022. (Source: Malwarebytes, Sophos)
  • As of 2020, only 38% of state and local government employees are trained in ransomware prevention. In fact, 65% of executives have been asked by hackers to assist them. (Source: IBM, Hitachi-ID)
  • Albany County in New York was hit by three cyberattacks in the span of three weeks in late 2019, including a Christmas day attack on the Albany County Airport Authority (ACAA) that resulted in a five-figure ransomware payment by the ACAA. (Source: Times Union)
  • After getting hit by the SamSam ransomware in March 2018, Atlanta, Georgia, has spent more than $5 million rebuilding its computer network, including spending nearly $3 million hiring emergency consultants and crisis managers. (Source: Statescoop)
  • A Massachusetts school district paid $10,000 in Bitcoin after a ransomware attack in April 2018. (Source: Cyberscoop)
  • In 2019, 96% of organizations that paid the ransom received a decryption tool from the hackers. (Source: Coveware)
  • Decryption success depends on the type of virus. Dharma variants were often unreliable after paying the ransom, compared to GrandGrab TOR which almost always delivered a successful decryption tool after a ransom was paid. (Source: Coveware)
  • In 2021, victims received all of their data after paying just 4% of the time. (Source: Sophos)
  • Bitcoin was the primary method of payment for ransomware. Around 98% of payments were made in Bitcoin. (Source: Coveware)
  • The US Treasury has linked more than $5 billion of Bitcoin transactions to ransomware.
  • Companies providing professional services are still the most likely to be targeted, although consumer services and public sector organizations are becoming more popular targets. (Source: Coveware)

coveware ransomware targets

Ransomware continues to grow, hitting consumers and businesses hard

The hard truth about ransomware is that knowing more about the threat doesn’t easily translate to a decreased impact. FedEx is a good example of this. Despite knowledge of the threat for years now, the company saw a $300 million loss in 2017 due to these crippling virus attacks. The loss was not a result of paying the ransom but primarily for the cost of disaster recovery and system downtimes. The company’s lack of cyber insurance highlights the fact that many individuals and even large, multinational businesses have yet to fully grasp the threat.

As for readiness for ransomware and other cyber threats, Sophos reports that local governments are among the least likely organizations to be able to stop their data from being encrypted. Additionally, these are the slowest to recover, with 40% needing a month or more to bounce back. Meanwhile, media, leisure, and entertainment companies are the most prepared, but still only avoided encryption a little over half of the time.

Nevertheless, as more reports roll in, it’s clear that ransomware is now the preferred medium of choice for cybercriminals. As 2022 continues to progress, we’re likely to see reports from major players indicating that year-over-year growth in virus-related ransom threats is increasing at an incredible pace.

That being said, here are some of the ways ransomware hit hard and fast in the past few years.

ransomware payments quarter
Source: Coveware Ransomware Marketplace Report, Q4 2021
  • A Q4 2021 report from Coveware found that ransomware payments are at an all time high, possibly due to a larger number of victims paying up. This itself may be because around 90% of organizations hit had ransomware insurance (Source: Coveware)
  • Coveware also found that attackers are increasingly permanently destroying data, rather than targeting backups or critical parts of a company’s infrastructure. In some cases, this happened even after a ransom was paid. (Source: Coveware)
  • Most users who recover their data do so in ways other than by paying the ransom. (Source: Datto)

    Datto Ransomware recovery
    Source: Datto
  • According to a 2020 Ransomware Resiliency Report by NinjaOne, managed service providers (MSPs) lose far more clients following a ransomware attack than they anticipate. In fact, 57% lost 11-20% of their client base after a ransomware attack; 13% of businesses lost over 50% of their clients. Conversely, around 35% of MSPs expected to lose no more than 10% of their clients after a ransomware attack. (Source: NinjaOne)
  • Around 40% of MSPs and IT professionals believe their organization could not withstand $500,000 or more in damage related to a ransomware attack. Considering 52% of businesses that suffered from a ransomware attack reported damages in excess of $500,000, many businesses could experience irreparable damage should an attack occur. (Source: NinjaOne)
  •  NinjaRMM reports that half of all MSPs believe they can sustain up to 2 days of downtime before losing clients, yet most affected clients actually experienced 3 to 14 days of downtime. This prolonged period of downtime could be a major factor in client churn rate but does indicate that many MSPs overestimate how quickly they’ll lose clients when downtime occurs. (Source: NinjaOne)

Ransomware predictions: 2023 and beyond

Unfortunately, ransomware isn’t going anywhere fast. Cybercriminals have learned just how lucrative encrypting data can be, especially thanks to the influx of Ransomware-as-a-Service programs that require no expertise to use. Other forms of security threats still exist, data breaches in particular, but criminals who want to extract an easy buck are regularly turning to readily-available ransomware packages.

So what can we expect in 2023 and beyond? Here are a few predictions.

  • SC Media predicts that the US government will focus on cybersecurity training to combat increasingly common ransomware attacks.
  • Cybersecurity Ventures predicts ransomware will cost $10.5 trillion annually by 2025, and that an attack will take place every 2 seconds by 2031. (Source: Cybersecurity Ventures)
  • Security predicts a widespread shift to businesses adopting zero trust models. (Source: Security)
  • McAfee expects ransomware as a service to continue to grow, with more competition due to new groups entering the scene. It also cites the lack of one specific communications board as a reason why no group can maintain credibility for long.
  • Check Point predicts an increase in the number of supply-chain attacks. (Source: Check Point)
  • According to RSA Security, attackers will increasingly use IoT devices to target users with ransomware. (Source: RSA Security)

See also: Cybersecurity and cybercrime statistics