Inside Out Security Blog   /  

86 Ransomware Statistics, Data, Trends, and Facts [updated 2022]

86 Ransomware Statistics, Data, Trends, and Facts [updated 2022]


    Ransomware is a form of malicious software that infiltrates a computer or network and limits or restricts access to critical data by encrypting files until a ransom is paid. The first use of ransomware dates back to 1989, when floppy disks were high-tech and the price of the ransom was a mere $189.

    Ransomware attacks are on the rise and continue to be a disruptive force in the cybersecurity industry, affecting everything from financial institutions to higher education. Because of the increase in remote work — prompted by the pandemic —  attacks are up 148 percent.

    Read these top ransomware statistics you should know in 2022, plus tips on how to avoid becoming a victim and how to keep your organization protected.

    Learn ransomware fundamentals now with our free course

    Read these top ransomware statistics, plus tips on how to avoid becoming a victim and how to keep your organization protected.

    Top ransomware statistics

    Ransomware is an ever-growing threat to thousands of organizations and businesses worldwide. Since 2016, an average of 4,000 ransomware attacks have occurred every day in the U.S. Here are the top ransomware statistics you need to be aware of: 

    1. The average downtime a company experiences after a ransomware attack is 22 days. (Statista, 2021)
    2. Malicious emails are up 600 percent due to COVID-19. (ABC News, 2021)
    3. A recent survey found 37 percent of respondents’ organizations were affected by ransomware attacks in the last year. (Sophos, 2021)
    4. Ransomware is the No. 1 malware threat. (Datto, 2020)
    5. In 2021, the largest ransomware payout was made by an insurance company for $40 million, setting a world record. (Business Insider, 2021)
    6. The average ransom fee requested has increased from $5,000 in 2018 to around $200,000 in 2020. (National Security Institute, 2021)
    7. Out of 1,086 organizations whose data had been encrypted, 96 percent got their data back. (Sophos, 2021)
    8. As of 2020, about one in 6,000 emails contain suspicious URLs, including ransomware. (Fortinet, 2020)
    9. The most common tactics hackers use to carry out ransomware attacks are email phishing campaigns, RDP vulnerabilities and software vulnerabilities. (Cybersecurity & Infrastructure Security Agency, 2021)
    10. 59 percent of employers allow their employees to access company applications from unmanaged personal devices. (Bitglass, 2021)
    11. A survey conducted with 1,263 companies found 80 percent of victims who submitted a ransom payment experienced another attack soon after, and 46 percent got access to their data but most of it was corrupted. (Cybereason, 2021)
    12. Additionally, 60 percent of survey respondents experienced revenue loss and 53 percent stated their brands were damaged as a result. (Cybereason, 2021)
    13. 29 percent of respondents stated their companies were forced to eliminate positions following a ransomware attack. (Cybereason, 2021)
    14. 42 percent of companies with cyber insurance policies in place indicated that insurance only covered a small part of the damages resulting from a ransomware attack. (Cybereason, 2021)

    Recent ransomware statistics

    There have been many ransomware attacks in recent years that affected organizations across the globe and their customers. Here are some notable recent ransomware attacks:

    1. In March 2021, global IT hardware vendor Acer was the victim of a ransomware attack executed by the REvil ransomware group. (TechTarget, 2021)
    2. Also in March 2021, cyber insurance carrier CNA Financial disclosed that it was the victim of a cyber attack. The attack was allegedly executed by a group known as Phoenix. (TechTarget, 2021)
    3. In May 2021, Colonial Pipeline was the victim of a ransomware attack that affected the flow of oil across the eastern U.S. (TechTarget, 2021)
    4. In June 2021, meat processing vendor JBS USA was hit by a ransomware attack that reduced the company's ability to package meat products. The company is reported to have paid $11 million in ransom to REvil cyber criminals. (TechTarget, 2021)
    5. In July 2021, remote management software vendor Kaseya was the victim of a supply chain ransomware attack, allegedly perpetrated by the REvil group. (TechTarget, 2021)
    6. In October 2021, Sinclair Broadcast Group was the victim of a ransomware attack that crippled the network's broadcast operations. (TechTarget, 2021)

    Industry-specific ransomware stats

    Ransomware attacks impact nearly all industries of all sectors and sizes. In 2021, 80 percent of organizations were hit by a ransomware attack (Claroty x Forbes). Check out more shocking statistics by industry below.


    1. More than 2,100 data breaches in the healthcare industry have been reported since 2009. (TechJury, 2021)
    2. As of 2020, healthcare organizations dedicate only about six percent of their budget to cybersecurity measures. (Fierce Healthcare, 2020)
    3. Ransomware attacks were responsible for almost 50 percent of all healthcare data breaches in 2020. (Health and Human Services, 2021)
    4. Attacks on healthcare cost more than any other industry, at $408 per compromised record. (HIPAA Journal, 2020)
    5. Ransomware attacks against U.S. healthcare providers have caused more than $157 million in losses since 2016. (HIPAA Journal, 2020)
    6.  In 2020, 560 healthcare facilities were affected by ransomware attacks in 80 separate incidents. (Emsisoft, 2021)
    7. The healthcare industry experienced a 51 percent increase in the total volume of records exposed between 2019 and 2021. (Constella, 2021)
    8. From January 1 to July 31, 2021, there were 2,084 ransomware complaints, a 62 percent increase over the same time period a year earlier. (Constella, 2021)


    1. Ransomware attacks against universities increased by 100 percent between 2019 and 2020. (BlueVoyant, 2021)
    2. The average cost of a ransomware attack in the higher education industry is $447,000. (BlueVoyant, 2021)
    3. Since 2020, 1,681 higher education facilities have been affected by 84 ransomware attacks. (Emsisoft, 2021)
    4. 66 percent of universities lack basic email security configurations. (BlueVoyant, 2021)
    5. 38 percent of analyzed universities in the Cybersecurity in Higher Education Report had unsecured or open database ports. (BlueVoyant, 2021)
    6. Cyberattacks against K-12 schools rose 18 percent in 2020. (K-12 Cybersecurity, 2020)
    7. A ransomware attack in April 2018 cost a school district in Massachusetts $10,000 in Bitcoin. (CyberScoop, 2018)

    Finance and insurance

    1. In 2020, 90 percent of all financial institutions experienced ransomware attacks. (HUB Security)
    2. More than 204,000 people experienced a malicious login attempt to access their banking information in 2021. (HUB Security, 2021)
    3. 90 percent of financial institutions have been targeted by ransomware attacks. (PR Distribution, 2018)
    4. There’s a rising threat to small financial institutions with less than $35 million in revenue. (National Credit Union Administration, 2019)
    5. In 2020, 70 percent of the 52 percent of attacks that went after financial institutions came from the Kryptik Trojan malware. (HUB Security, 2021)
    6. LokiBot has targeted more than 100 financial institutions, getting away with more than $2 million in revenue. (HUB Security, 2021)
    7. Banks experienced a 520 percent increase in phishing and ransomware attempts between March and June 2020. (American Banker, 2020)


    1. Over the past three years, 246 ransomware attacks have struck U.S. government organizations at an estimated cost of $52.88 billion. (Sungard AS, 2021)
    2. In June 2019, a city in Florida paid a $600,000 ransom to recover hacked files. (CBS News, 2019)
    3. As of 2020, only about 38 percent of local and state government employees are trained in ransomware attack prevention. (IBM, 2020)
    4. A 2020 ransomware attack against New Orleans cost more than $7 million. (SC Media, 2020)
    5. A ransomware attack struck Baltimore in 2019 and caused a loss of more than $18 million. (Baltimore Sun, 2019)
    6. In 2019, 226 U.S. city mayors in 40 states agreed to a pact that denies ransom payments to cyber criminals. (Hashed Out, 2020)
    7. In 2019, attacks against municipalities increased 60 percent from the year before. (Kaspersky, 2019)
    8. The top cybersecurity story in 2019 was about ransomware attacks against state and local governments. (Government Technology, 2019)
    9. Between 2013 and 2018, 48 U.S. states were affected by at least one ransomware attack. (Bank Info Security, 2019)

    Mobile ransomware statistics 

    With the increase of dependence on mobile phones, especially with the use of personal mobile devices in the workplace, comes a higher risk of ransomware attacks. Within the workplace, employees are able to access sensitive information from their mobile devices via corporate Wi-Fi and oftentimes unsecured networks. 

    This leaves the user and their organization with major vulnerabilities. Take a look at the statistics below, along with some Wi-Fi security tips to avoid falling victim to a hacker.

    1. More than 68,000 new ransomware Trojans for mobile were found in 2019. (Hashed Out, 2020)
    2. In 2017, mobile malware variants increased by 54 percent. (Symantec, 2018)
    3. Over 4.2 million American mobile users have suffered ransomware attacks on their phones. (Kaspersky, 2020)
    4. In 2018, Symantec detected over 18 million mobile malware instances. (Symantec, 2018)
    5. 60,176 mobile ransomware Trojans were detected in 80,638 users in 150 different countries in 2018. (Kaspersky, 2018)
    6. There are over 4,000 mobile threat variants and families within the McAfee sample database. (McAfee, 2021)
    7. Over 8,000 mobile banking ransomware Trojan installations were detected in 2018. (Kaspersky, 2018)
    8. 900,000 Android phones were hit by ScarePakage ransomware in just 30 days. (KnowBe4, 2020)

    Ransomware cryptocurrency stats

    Since the start of Bitcoin, the world’s first cryptocurrency, transferring money and data has become increasingly efficient. As of 2021, there are over 4,000 different types of cryptocurrency. But with this advancement in digital and financial technology, new threats in cybersecurity have come to the surface.  

    1. In 2017, 95 percent of all ransom payments were cashed out via BTC-e, a Bitcoin platform. (Bleeping Computer, 2017)
    2. In 2020, ransomware payments were 7 percent of all funds received by cryptocurrency addresses. (Chainalysis, 2020)
    3. Hackers who attacked an oil company earned over $90 million in Bitcoin. (Business Insider, 2021)
    4.  In June 2020, a West Coast university paid cyber criminals  $1.14 million in Bitcoin after a ransomware attack. (BBC News, 2020)
    5. Cryptocurrency transactions can be traced back to the individual 60 percent of the time. (MIT Technology Review, 2017)
    6. Illegal activity comprised 2.1 percent of all cryptocurrency transaction volume, or about $21.4 billion worth of transfers in 2019. (Chainalysis, 2021)

    The cost of ransomware attacks

    Ransomware attacks can be costly, both financially and to your reputation — businesses around the globe that have been victims of ransomware attacks have spent around $144.2 million in resolving the effects of the attacks. Here are some statistics covering the costs that are caused by ransomware attacks.

    1. The value of ransom demands has gone up, with some demands exceeding over $1 million. (Cybersecurity & Infrastructure Security Agency, 2021)
    2. The cost of ransomware attacks surpassed $7.5 billion in 2019. (Emsisoft, 2019)
    3. In 2021, the average payout by a mid-sized organization was $170,404. (Sophos, 2021)
    4. In May 2021, Colonial Pipeline paid hackers $4.4 million in bitcoin after receiving a ransom note. (The Wall Street Journal, 2021)
    5. In Q1 2017, FedEx lost an estimated $300 million from the NotPetya ransomware attack. (CyberScoop, 2021)
    6. The average cost to recover from a ransomware attack is $1.85 million. (Sophos, 2021)
    7. Damage as a result of ransomware attacks was over $5 billion in 2017 — 15 times the cost in 2015. (Cybercrime Magazine, 2017)
    8. Downtime costs are nearly 50 times greater than the ransom requested in 2020. (Datto, 2020)
    9. On average, ransomware attacks cause 15 business days of downtime. Due to this inactivity, businesses lose around $8,500 an hour. (Health IT Security, 2020)
    10. Ransomware that attacked an unnamed oil and gas company cost $30 million. (Datto, 2017)
    11. The hacker group behind an oil company attack allegedly acquired $90 million in ransom payments in only nine months from around 47 victims. (Fox Business, 2021)

    Ransomware projections

    Ransomware is an ever-growing issue in the cybersecurity space and continues to shape the world today. Looking ahead, here are some statistics that cover the projections and future trends of ransomware. 

    1. In 2022, there will be more cooperation between countries to find, extradite and ultimately prosecute ransomware groups. (Forbes, 2022)
    2. Ransomware will become the top tactic used in software supply chain attacks and third-party data breaches in 2022. (SC Media, 2022)
    3. 30 percent of organizations will adopt zero trust network access (ZTNA) models by 2024. (Gartner, 2022)
    4. 60 percent of organizations, along with investors and venture capitalists, will use cybersecurity risk as a key factor in assessing new business opportunities by 2025. (Gartner, 2022)
    5. Remote workers have been the main target of cyber criminals throughout 2021 and will continue to be in 2022. (Security Magazine, 2020)

    Ransomware attack trends 

    2021 and early 2022 have already seen a steady rise in the number of cyberattacks and ransoms demanded by hackers. Below are some of the most visible trends in ransomware that have recently affected the cyber landscape.

    Exploitation of IT outsourcing services

    Ransomware groups have been shifting their focus to managed service providers (MSPs), a platform that serves many clients at once. This means that if a hacker gains access to one MSP, it could also reach the clients it’s serving as well. Most of the time, MSPs are hacked due to remote access tools that are poorly secured. 

    Attention shifting to vulnerable industries 

    Due to the ongoing economic, logistical, and financial implications of the pandemic, cyber attackers have been taking advantage of industries that have been hit the hardest, such as healthcare, municipalities, and educational facilities. Hackers also continue to see the pandemic as an opportunity to take advantage of employees who are now working remotely on their personal devices.  

    Evolving ransomware strains (and defenses)

    In 2022, ransomware and the tactics that hackers use to carry out attacks is evolving — but luckily, so are the defenses. In recent years, new ransomware strains have been discovered, including: 

    • Netwalker: Created by the cybercrime group known as Circus Spider in 2019, this ransomware allows hackers to rent access to malware code in exchange for a percentage of the funds that are received.
      • Darkside: Darkside is a relatively new group that attempts theft and encryption of sensitive data, including backups through RaaS.
    • Conti: Conti ransomware uses a double-extortion technique to encrypt data on an infected machine. Attackers from this group usually send a phishing email originating from an address that the victim trusts.
    • REvil: Also known as Sodin and Sodinokibi, REvil is a ransomware group that has gained a reputation for extorting larger ransom payments than its competitors, as well as promoting underground cybercrime forums. 

    Since newer strains of ransomware behave differently today, there is now a need for alternate methods of detection. Defenses have recently begun to harden, including improved heuristics or behavioral analysis, and the use of canary or bait files for earlier detection. 

    Greater spread to mobile devices

    Hackers have been taking advantage of mobile device features such as emergency alerts and relaxed permissions to spread malware. The majority of mobile ransomware variants have the ability to cover every browser window or app with a ransom note, rendering the mobile device unusable. 

    Prevalence of Ransomware-as-a-Service

    Ransomware-as-a-service, or RaaS, is a subscription that allows affiliates to use ransomware tools that are already developed to carry out ransomware attacks and extend their reach. The decentralized nature of the attacks makes it difficult for authorities to shut down. 

    The creators of these tools take a percentage of each successful ransom payment. As the average ransom ($11,605) demanded by hackers has increased by 33 percent since Q3 2019, affiliates are making up to 80 percent of each payment. 

    Ransomware attack prevention 

    Ensure you take the necessary steps to prevent an attack and data loss within your organization. Here are a few effective ways to prevent ransomware from affecting your company.

    Educate your employees

    Utilize security training within your company to help your employees gain a better understanding of cybersecurity and its importance. Implementing this training will help ensure a working culture that is even more resilient. 

    Avoid clicking on suspicious links 

    Be wary of opening or clicking on attachments or links that come from spam or unsolicited emails. According to Verizon’s 2021 Data Breach Investigations Report, phishing is involved in 70 percent of data breaches. To avoid this, it’s beneficial to know how to spot a phishing scam.

    Use email and endpoint protection

    Be sure to scan all emails, filter malicious attachments and links, and keep firewalls and endpoint detection software up to date with the latest malware signatures. You should also notify users of out-of-network emails and provide VPNs for employees to use outside of the network.

    Implement a stronger password system

    Password security is crucial when protecting the assets of a company. Utilize two-factor authentication within your organization to prevent password sharing and overuse of the same password. It may also be beneficial to use an SSO system for additional security.

    Keep immutable, offsite backups

    Make sure you have backups of any important or sensitive data and systems. Practice your restore motion in the event of a ransomware strike. Limit access to backups, as ransomware gangs often target backup files to cripple your ability to restore.

    However, keep in mind that backups cannot help in cases where the ransomware actor has also exfiltrated the data to their own servers and threatened to release that data publicly unless the ransom is paid. To combat exfiltration, consider data loss prevention software.    

    Mitigating the impact of ransomware

    Reduce your blast radius

    Your blast radius is the amount of damage that can be caused by compromising a single random user or device. Reduce your blast radius by limiting access to critical data so that only those who require access have it. 

    Implement a zero-trust security model

    Assume your perimeter defenses will fail and make sure everything within is still safe and secure. The Zero Trust security model requires you to authenticate all users and devices that connect to your network every time they connect, not just once. You must also monitor activity in your environment and ensure users only have access to what they need and nothing else.

    Utilize UEBA for threat detection and response

    You should continually monitor for and alert to telltale signs of ransomware activity on your data. Utilize user and entity behavior analysis tools to detect and alert when users or devices behave abnormally and implement automatic responses to stop threats in their tracks.

    Below is a visual guide of some of the most important facts and figures that shape ransomware.

    Ransomware statistics FAQ

    Below are a few of the most frequently asked ransomware questions, with answers supported by additional ransomware statistics and facts. 

    Q: What is the average length of impact after a ransomware attack?

    A: As of the third quarter of 2021, the average length of interruption after ransomware attacks on businesses and organizations in the United States was 22 days. (Statista, 2021)

    Q: What industries were hit the most by ransomware attacks? 

    A: In 2021, 37 percent of all businesses and organizations were hit by ransomware. (Sophos, 2021)

    Q: What is the average payout for ransomware?

    A: The average ransomware payment climbed 82 percent since 2020 to a record $570,000 in the first half of 2021. (Palo Alto Networks, 2021)

    Q: What is the average payout for small businesses?

    A:  Smaller businesses are impacted less than bigger companies. However, the average payout for a small business is around $5,900. (Datto)

    Q: Do I have to pay for a ransomware attack?

    A: The FBI does not support paying a ransom since it does not guarantee that you or your company will have the data returned to you. Paying ransoms can also encourage the attacker to go after additional victims.

    Ransomware is not going away any time soon — as an organization, it’s important to stay ahead of cyber criminals and take the steps to become more cyber aware. Learn how to protect your business and gauge your readiness for a potential ransomware attack with a free ransomware preparedness assessment.

    What you should do now

    Below are three ways we can help you begin your journey to reducing data risk at your company:

    1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
    2. Download our free report and learn the risks associated with SaaS data exposure.
    3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Twitter, Reddit, or Facebook.

    Get a free Risk Assessment

    You can't protect what you don't know is vulnerable.

    Give us 90-minutes of your time, and we'll create a Free Risk Assessment that will open your eyes to your unknown weak spots—fast, and without adding work to your plate.

    Start Your Risk Assessment