Ransomware attacks cost the US $159.4bn in downtime alone in 2021

In 2021, 576 US organizations fell victim to ransomware. This affected at least 34.1 million records and resulted in a cost of $159.4 billion in downtime alone. Entities may have faced further costs as they offered identity theft protection for affected customers, restored affected computers, and tried to improve their systems to ward off future attacks.

According to the confirmed ransomware attacks tracked by Comparitech, ransomware attacks actually decreased by over seven percent last year (falling from 620 to 576), after almost doubling from 2019 to 2020. While positive, our data highlights that ransomware attacks have become more targeted and, ultimately, more devastating.

Ransom demands and payments reached new highs in 2021. In 2021, the average ransom demand was $5.8 million (up from just over $2 million in 2020) and the average ransom payment was $7.9 million (up from just over $1 million in 2020). We estimate that ransom demands totaled as much as $3.4 billion last year, with hackers receiving payment in just less than 30 percent of cases. That equates to around $1.3 billion in bounty for hackers.

But how do these figures break down by state and industry? And what does 2022 look like so far?

You can keep up to date with ransomware attacks in the US with our live map which is updated daily. We also keep an ongoing database of the ransomware attacks that have been confirmed.

Please note: we try to make sure all of the ransomware attacks we include within our analysis are publicly confirmed. The recent case with Walmart (it refuted claims it had been hit by Yanluowang ransomware despite the gang posting data it said it had stolen during the attack) being a prime example of why we try not to include any attacks that haven’t been confirmed.

Key findings

In 2021:

  • 576 individual ransomware attacks on US organizations–a 7 percent decrease from 2020 (620)
  • 34,142,385 individual records were impacted–a 32 percent decrease from 2020 (50,175,017). This is due to one large data breach via a ransomware attack in 2020 (the attack on SmartCivic which saw 22.6M records stolen from ParkMobile)
  • The average number of records impacted by ransomware attacks decreased significantly from 2020 to 2021. In 2021, 142,855 records were impacted on average per ransomware attack (from 220,066 in 2020)–again, this is due to the one huge breach mentioned above
  • Ransom amounts varied from $5,506 to a whopping $40 million (in two cases!)
  • Hackers demanded $145.7 million across just 25 attacks and received payment in eight out of 20 cases in which the organization disclosed whether or not it paid the ransom (however, they are more likely to disclose that they haven’t paid the ransom than if they have). In one case, hackers received $40 million
  • On average, organizations lost 22 days to ransomware downtime
  • The overall cost of these attacks is estimated at around $159.4 billion in downtime alone
  • Ransomware attacks on businesses (especially in the service, finance, and food and beverage industries) saw an increase in attacks. Healthcare remained a prime target for hackers, too, but the government and education sectors saw declines

Which state had the most ransomware attacks in 2021?

It’s perhaps no surprise that the most populous state of California is the one to have had the largest number of ransomware attacks in 2021 (61). This is only a slight decrease from 2020’s figure of 62.

Massachusetts in second place is a little less expected, however. With 38 ransomware attacks in total (the majority of which–27–occurred in Q1 and Q2 of 2021), Massachusetts saw a 31 percent increase in ransomware attacks last year (rising from 29 in 2020).

Also within the top five most affected states are Texas (37), New York (36), and Illinois (32). But unlike MA, Texas and New York saw significant decreases in the number of attacks last year. In 2020, Texas suffered 52 ransomware attacks, while New York suffered 44. Illinois’ figure increased only slightly from 30 in 2020.

Breakdown by sector

In 2021, businesses were the only sector to see an increased number of ransomware attacks–rising by 3 percent from 336 attacks in 2020 to 346 attacks in 2021. Healthcare-based attacks also remained at similar levels to 2020 (112 attacks were logged in 2020, while 109 were logged in 2021).

Meanwhile, the education sector saw an 18 percent decrease (from 82 in 2020 to 67 in 2021) and government organizations saw a 40 percent decrease (from 90 in 2020 to 54 in 2021). This is a trend we saw from 2019 to 2020, too.

Number of US Ransomware Attacks by Month, Year, and Sector

So why the focus on businesses and healthcare?

As our recent study on school ransomware attacks found, figures may have decreased but attacks appear to be more targeted with many large school districts at the heart of these attacks. For example, Broward County Public Schools were attacked by Conti who demanded $40 million in ransom–something the hackers felt the school could afford thanks to its $4 billion budget.

Government organizations have also been under increasing pressure to refuse ransom payments. North Carolina recently became the first state to prohibit public entities from paying ransoms. Nevertheless, there were a number of confirmed ransomware payments from government entities in 2021, including $320,000 paid by the City of Joplin and $71,250 paid by Pottawatomie County.

But businesses provided the most (confirmed) bounty for hackers. CNA Financial Corporation paid $40 million to try and get its systems decrypted from the Phoenix CryptoLocker ransomware. This was the biggest-known confirmed ransomware payment in the US.

DarkSide also received $4.4 million from both the Colonial Pipeline Company and Brenntag North America, Inc. REvil secured $11 million from JBS USA Holdings, Inc., and Conti bagged $2.6 million from ExaGrid.

While we don’t have any such figures or confirmations from the healthcare industry, the consistently high attacks on these organizations demonstrate that they’re a key target for hackers. Ransomware attacks on these entities have the ability to cause mass disruption, creating an urgent need to decrypt systems and/or protect the highly sensitive data collected by such organizations.

Finally, with our “business” category covering a wide range of companies, which industries are prime targets and how has this changed over the years?

Breakdown by industry

When it comes to the business industries that have seen the biggest increases, the service industry saw the most significant rise in the volume of attacks from 2020 to 2021. In 2020 there were 65 attacks in this industry, increasing to 92 in 2021 (an increase of nearly 42 percent).

US Ransomware Attacks by Industry

Finance, food and beverage, and construction also saw rises. Finance businesses saw a 60 percent increase, rising from 15 to 24. The food and beverage industry saw an 85 percent rise from 13 to 24 attacks. And construction saw a slight increase (from 22 to 24).

Transportation and utilities saw slight reductions in the number of attacks, dropping from 16 to 14 and 16 to 11, respectively.

In contrast, manufacturing, retail, and technology saw a bigger decline in the number of ransomware attacks. 46 manufacturers were hit with ransomware attacks in 2021 compared to 63 in 2020 (a 27 percent decrease). 24 retailers were hit with ransomware in 2021 compared to 32 in 2020 (a 25 percent decrease), and 29 tech companies were hit with ransomware in 2021 compared to 48 in 2020 (a 40 percent decrease).

How much did these ransomware attacks cost US organizations in 2021?

As we have already seen, ransom demands can vary dramatically, and whether or not these ransoms are paid is often not publicized (we could only find confirmation of payment or non-payment in 72 of the 576 confirmed attacks). It probably goes without saying that companies are reluctant to disclose if they’ve paid the ransom in fear this may make them more susceptible to future attacks.

But as well as the ransoms demanded, organizations often face a crippling amount of downtime.

Using Coveware’s quarterly ransomware reports on downtime, we can estimate how much downtime has been suffered by US organizations. In Q1, Q2, Q3, and Q4 of 2021, Coveware found that companies suffered 23, 23, 22, and 20 days of downtime respectively during a ransomware attack.

What’s the cost?

An estimate from 2017 puts the average cost of downtime at $8,662 per minute (across 20 different industries). This would mean that in 2021, US organizations suffered downtime costs of around $159.4 billion. This is a 12 percent increase on 2020’s figure of $141.6 billion (the average number of days downtime across 2020 was 17.8 days compared to 22 days in 2021).

While these figures seem astronomical, they may only scratch the surface. For example, the January 2021 attack on manufacturing business WestRock cost it $189 million in revenue and $80 million in cash flow. This didn’t include the $20 million it had paid to recover from the ransomware, either. And, more recently, the ransomware attack on Expeditors in 2022 cost $40 million in lost opportunities and shipping, plus a further $20 million in remediation, recovery, and investigation.

Key findings from January 2018 to June 2022:

Our researchers have tracked all of the confirmed US ransomware attacks from January 2018 to June 2022. During this time:

  • 1,756 ransomware attacks have been confirmed on US organizations
  • 91.7 million records have been breached as a result of these attacks, averaging 154,852 records per attack
  • Ransom requests varied from $1,000 to $40 million with the average request being $1,994,185
  • Hackers demanded $281.2 million in ransoms across 141 cases, equating to a total estimated ransom demand of around $4.99 billion across all of the attacks
  • Hackers have received at least $89.4 million in ransom payments with the average payment being $1,596,630
  • We estimate that the amount of ransom paid is around $1.5 billion
  • US organizations suffered an estimated 31,375 days of downtime due to ransomware attacks, which cost around $391.4 billion

US Ransomware Figures by Year and State

 TOTAL20182019202020212022 (to June)
State# of Attacks# of Records AffectedEstimated Ransom Demanded ($)Estimated Ransom Paid ($)Cost of Downtime ($)# of Attacks# of Records AffectedEstimated Ransom Demanded ($)Estimated Ransom Paid ($)Cost of Downtime ($)# of Attacks# of Records AffectedEstimated Ransom Demanded ($)Estimated Ransom Paid ($)Cost of Downtime ($)# of Attacks# of Records AffectedEstimated Ransom Demanded ($)Estimated Ransom Paid ($)Cost of Downtime ($)# of Attacks# of Records AffectedEstimated Ransom Demanded ($)Estimated Ransom Paid ($)Cost of Downtime ($)# of Attacks# of Records AffectedEstimated Ransom Demanded ($)Estimated Ransom Paid ($)Cost of Downtime ($)
District of Columbia780,91523,007,58411,450,8821,811,120,2560000010915,09437,639202,067,136102,092,490329,049187,099,200580,91520,000,00011,084,1941,421,953,92000000
New Hampshire1067,95138,417,20621,109,3982,497,150,6560000010915,0940202,067,136459,2108,369,9611,316,195960,442,56058,74129,132,15119,793,2031,334,640,96000000
New Jersey56394,405117,032,49441,725,69712,770,144,06430162,87418,832194,583,1681124,1769,436,680517,5412,060,585,85623164,86513,486,5565,157,7045,163,937,92016204,70693,222,88435,469,4204,490,380,8003658723,500562,200860,656,320
New Mexico19848,44420,248,9589,150,1164,153,602,2401035,000064,861,0564020,0000646,115,90473,9971,750,0001,750,0001,434,427,2003844,44717,479,2916,650,516860,656,32040964,667749,6001,147,541,760
New York1162,979,664355,784,54118,224,40226,009,283,45633,465162,87462,775194,583,16827448,31228,188,000950,4004,048,826,688441,304,528315,186,66716,086,82710,090,883,520361,205,08610,800,00009,953,677,440618,2731,447,0001,124,4001,721,312,640
North Carolina552,410,39847,430,4381,124,40011,928,197,664581612,5000324,305,280103,4779,150,93801,400,749,34421389,42914,070,00004,839,632,640132,008,67022,750,00003,642,197,76068,0061,447,0001,124,4001,721,312,640
North Dakota3013,745,3504,433,678773,343,3600000000000102,092,4900199,572,4802011,652,8604,433,678573,770,88000000
Rhode Island73,28516,544,9224,769,0041,310,941,7281054,2916,27764,861,056302,745,2810472,737,31211422,092,490329,049199,572,48023,14311,652,8604,433,678573,770,88000000
South Carolina2012,333,30966,904,0026,768,3754,623,844,8962070,0000129,722,112201,830,1880352,993,824612,331,07212,554,9426,580,9751,284,747,84092,23752,437,87202,569,495,6801011,000187,400286,885,440
South Dakota303,061,875366,688371,703,7441054,291064,861,05610915,09437,639119,743,488102,092,490329,049187,099,2000000000000
West Virginia69,99113,989,5174,953,1271,419,459,26400000203,0003,000321,810,624102,092,490329,049236,992,32026,07911,652,8604,433,678573,770,88013,912241,167187,400286,885,440

How does 2022 look so far?

When we compare all of the figures from previous years, 2022 is looking very quiet (so far). However, as some attacks are late to be confirmed, we do expect these figures to grow in the coming months. And, as we have seen, hackers do appear to be more targeted in their approach, suggesting a reduction in the volume of attacks but an increase in the success and impact of each individual attack.

Outside of the US, we can see the targeted nature of hackers with recent ransom requests of $75 million to Oil India Limited, $15 million to Delta Electronics of Taiwan and TransUnion South Africa, and $10 million (raised to $20 million) to the Costa Rican government.

Year# of Attacks# of Records Affected# of Reports Where Records Affected IndicatedAverage # of Records AffectedTotal Ransom Demanded (Known Cases)# of Known Ransom DemandsAverage Ransom Demand ($)# of Confirmed Ransom Payments# of Known Ransom Payment AmountsTotal Ransom PaidAverage Ransom Payment# of Confirmed Non-Payments% of Known Payments That Are PaidEstimated Ransom Demanded ($)Estimated Ransom Paid ($)Estimated Downtime (Days)Estimated Downtime Cost ($)

So while things are on the low and quiet side so far in 2022, with the likely confirmation of more ransom payments in the coming months, we expect these figures to rise.


Using state data breach reports, company and industry news, and cybersecurity databases, our researchers have collated a list of ransomware attacks on US organizations. From these, we are sometimes able to find out the ransom amounts demanded, the ransoms paid, and whether or not the ransom was paid. From these figures, we were able to create averages for ransom amounts demanded and paid.

Using Coveware’s quarterly reports for downtime figures, we created estimated downtimes caused by each quarter of the year. Then, using an average cost per minute of downtime ($8,662) from a recent report, we were then able to create estimates as to how much this may have cost US organizations. This only took into consideration the amount of downtime schools suffered due to ransomware attacks–it does not cover the recovery period and expenses that follow.

While Coveware releases quarterly reports for ransomware downtime figures, these only started in Q3 2018, so for 2018, we used the average of Q3 (4.2) and Q4 (6.2) reports for the full year (5.2).

Furthermore, for one case in 2018 and two cases in 2019, we have been unable to determine the month of the ransomware attack. In these cases the yearly average for downtime has been applied. For example, in 2019, each was assigned the average downtime of 11.3 (based on Q1 = 7.3, Q2 = 9.6, Q3 = 12.1, Q4 = 16.2).

Where possible, we have assigned the attack to the month in which it happened. However, in some cases, the attack may have been assigned to the month in which it was reported due to a lack of data.

Texarkana Water Utility was omitted from state-specific figures in 2020 due to it affecting two states–Texas and Arkansas.

For a full list of sources, please request access here.

Data researcher: Rebecca Moody