Blog

Global Ransomware Volume by Year, in Millions

An “incident” is a single ransomware program discovered anywhere on a system. There was an average of 1,384 ransomware programs per customer at every impacted company worldwide.

This decrease in ransomware attacks was not evenly distributed. Though ransomware attacks decreased in general, major industries — including healthcare (8% increase), finance (41% increase) and education (275% increase) — experienced a continued increase, and attacks were higher at some points than at those same points the previous year. ¹

In both Sophos’s 2022 and 2023 annual surveys of IT leaders, the same fraction of respondents — 66% — revealed that their organizations had suffered ransomware attacks. ²

According to Sophos’s 2023 State of Ransomware report, ransomware is more common among companies with higher revenue. More than half (56%) of organizations with a revenue of $10-$50 million were hit by a ransomware attack in 2022, and 72% of those generating revenue of more than $5 billion. ²

The most prevalent reason for ransomware attacks (36%) was an exploited vulnerability, with compromised credentials coming in second place (29%). These issues underscore the need for more robust security practices such as strong passwords, multi-factor authentication and regular software updates. ²

Over 75% of ransomware incidents now involve encrypting the victim’s data. ²

In 2023, the estimated mean ransomware recovery cost for organizations was $1.82 million, up from $1.4 million in 2022, but slightly down from $1.85 million in 2021. ²

Mean Recovery Cost, in Millions

According to Sophos’s 2023 survey, organizations that used backups to recover from ransomware incurred a median recovery cost of $375,000, almost 50% of the cost incurred by those that paid the ransom ($750,000). The average (mean) figures showed an even bigger difference, with companies that kept backups saving an average of $980,000. ²

In 2023, 84% of private-sector organizations said they had lost business or revenue due to a ransomware attack. The financial repercussions can entail direct costs incurred from paying the ransom as well as indirect costs incurred due to business crisis, downtime and credibility loss. ²

Over 60% of organizations involved law enforcement after a ransomware attack. These organizations experienced less financial loss than the 37% who did not involve the authorities. Working with law enforcement led to an average ransomware cost of $4.64 million, while not involving law enforcement led to an average ransomware cost of $5.11 million. ³

There was a significant spike in the average ransom payment in 2023, increasing from $812,380 in 2022 to $1,542,333 in 2023. ² Despite fewer ransoms being paid overall, they are becoming so large that the average is still increasing.

Ransomware Payments: 2022

Ransomware Payments: 2023

This reflects a 33% decrease compared to the average ransom payment in Q3 of 2023. Two occurrences that may have caused this decrease are a 32% drop in the median size of organizations impacted by an attempted ransomware attack and a resurgence of smaller actor groups who lost some presence in Q3 of 2023. ⁴

This proportion dropped to an all-time low margin of 29%. Two key drivers of this trend are companies’ increasing capability of recovering fully or partially from ransomware attacks using their own backups and security measures, and the data-driven decision to not pay the ransom without evidence that the cybercriminals will keep their word. ⁴

This record high amount can be attributed to the increased concentration of ransomware attacks targeted at notable institutions, including government organizations, healthcare facilities and banks. In 2023, the BBC, British Airways and Aer Lingus were all impacted by attacks on the file transfer software MOVEit. ⁵

The construction industry had the highest number of ransomware cases during this period, with 142, followed by finance with 123 cases and manufacturing with 121 cases. Though ransomware targets organizations in a wide range of industries, the most susceptible ones are major players in supply chains and manage large amounts of customer data. ⁶

Top 10 Industries Targeted by Ransomware, 2023

The 16 critical infrastructure sectors of the United States manage assets, systems and networks that play a vital role in national security, the economy and public health and safety. The FBI’s 2023 Internet Crime Survey revealed that healthcare was number one on the list of critical infrastructure sectors most affected by ransomware, with 249 reported cases. ⁷

Healthcare institutions are at a higher risk of ransomware attacks due to their extensive collections of sensitive patient data, legacy systems and limited resources. In addition, the urgent nature of caring for patients means they often give in to ransom demands to recover data immediately, making them lucrative targets for cybercriminals. 

The manufacturing industry felt the biggest impact, comprising 29% of all attack cases and seeing almost double the reported year-on-year increase in attacks.

In second place was the healthcare industry, which accounted for 11% of attacks and saw a 63% year-on-year increase in attacks. Compared to manufacturing and healthcare, retail/wholesale experienced 8% of these attacks. ⁸

Communications firms faced a 177% year-on-year increase in cyberattacks, though they comprised just 4% of the reported attacks in the first quarter of 2024. ⁸ The phone and internet industries are tempting targets for ransomware attacks due to the vast amounts of sensitive information they store and manage.

The GandCrab ransomware family comprised a significant portion of the samples received, accounting for 78.5%, according to a 2021 VirusTotal report. GandCrab ransomware was first discovered in 2018 and was the most prevalent ransomware that year. ⁹ Cybercriminals often distribute it through spam emails and exploit kits.

GandCrab stands out from many other ransomware strains because it doesn’t require any admin privileges to execute its attacks. However, like most ransomware strains, you can mitigate it by backing up your files, avoiding sketchy email attachments and links, and keeping your system up to date.

Of all the samples submitted during the VirusTotal survey, 95% were Windows-based executable files. ⁹ This may indicate that cybercriminals find Windows platforms to be an easy target. 

The set of samples VirusTotal selected for the analysis can be categorized into more than 30,000 different clusters based on similar traits. When there are a lot of ransomware strains within a single cluster, it can be challenging to identify the exact strain used during an attack. ⁹

On Feb. 21, 2024, UnitedHealth subsidiary Change Healthcare suffered a ransomware attack that disrupted administration at hospitals and pharmacies for over a week. The attack, which Russia-based ransomware gang ALPHV (or BlackCat) perpetuated, cost UnitedHealth $872 million, not including the ransom itself. ¹⁰

In a recent hearing before the U.S. Senate Committee on Finance, United Health CEO Andrew Witty revealed that the company paid a $22 million ransom to ALPHV. ¹⁰

On April 14, 2024, Omni Hotels & Resorts corroborated reports that it had been hacked by the Daixin Team ransomware group, which compromised some of its data. According to reports, the Daixin Team demanded $3.5 million in ransom but reduced it to $2 million during negotiations. ¹¹

The ransom reduction indicates that Omni Group may have had good backups, according to Narayana Pappu, Chief Executive Officer at Zendata. There’s no indication of whether they paid the ransom, though. ¹¹

In November 2023, officials in the Huber Heights suburb of Dayton, Ohio, revealed that the town had been hit by a ransomware attack that compromised the personal information of almost 6,000 people and affected major operations.

Not many details were disclosed, including the ransomware group responsible for the attack, whether they demanded a ransom or whether the city agreed to pay. However, it was revealed that the Huber Heights City Council sanctioned an investment of about $800,000 in data recovery. ¹²

Ardent Health Services, a healthcare chain comprising 30 hospitals located in six states, suffered a ransomware attack on Nov. 23, 2023. The attack forced Ardent to redirect its patients from several emergency rooms to other hospitals and cancel certain elective procedures. 

In a series of updates posted on its website, Ardent revealed that it had restored access to its electronic medical record platform and its patient portal, and was in the process of restoring all systems impacted by the attack. Ardent Health Services didn’t disclose the ransomware group responsible for the attack, and there’s no indication of whether it paid the ransom. ¹³

On Dec. 28, 2023, the World Council of Churches (WCC), a fellowship of multiple Christian sects, revealed that it had been the victim of ransomware. On Jan. 5, 2024, the Rhysida ransomware gang took responsibility for attacking the Lutheran World Federation, one of the WCC’s members. ¹⁴

It stated a demand for six bitcoins, currently worth about $390,000. WCC General Secretary Professor Jerry Pillay revealed that operations would continue as normal and that the fellowship had no plans of paying the ransom. ¹⁴