Each dot represents the location of a ransomware attack, with the size of the dot depicting the number of records impacted. 
This map updates weekly and pinpoints the location of each ransomware attack in the US, from 2018 to the present day. Where available, it includes the ransom amount, whether or not the ransom was paid, the entity and industry that was targeted, and the strain of ransomware used. Our researchers search through state reports, industry news, and cybersecurity databases to find the latest ransomware attacks on US businesses, healthcare organizations, educational institutions, and government agencies.

In our industry-specific reports, we found:

You can also track global ransomware attacks through our map of worldwide ransomware attacks (updated daily).


2022 key findings

According to the publicly reported ransomware attacks collated by Comparitech researchers, 2022 saw:

  • 335 attacks, half the number recorded in 2021 (676)
  • An average ransom demand of $4.74 million, over half a million less than the average demand in 2021 ($5.5 million)
  • 17,309,015 records impacted, a vast reduction on 2021’s total of 43.6 million
  • An average of 96,161 records impacted per attack, slightly less than 2021’s average of 116,497

When broken down by industry:


  • 181 attacks
  • An average ransom demand of $13.2 million
  • 8,053,578 records impacted
  • An average of 76,701 records impacted per attack


  • 54 attacks
  • An average ransom demand of $600,000
  • 686,219 records impacted
  • An average of 45,748 records impacted per attack


  • 38 attacks
  • An average ransom demand of $1.06 million
  • 157,597 records impacted
  • An average of 15,760 records impacted per attack


  • 62 attacks
  • An average ransom demand of $783,333
  • 8,411,621 records impacted
  • An average of 168,232 records impacted per attack


Our researchers have searched through state data breach sites, cybersecurity reports, high-authority news articles, and extensive cybersecurity databases to collate this list of ransomware attacks. Where possible, we have only included attacks that have been confirmed by relevant authorities or companies. The same applies to whether a ransom has or has not been paid. Some may assume an entity has paid a ransom after data disappears from a hacker’s website; however, we do not make this assumption.

For a full list of sources, please request access here.

Data researchers: George Moody, Rebecca Moody