In 2023, the worldwide number of malware attacks reached 6.06 billion, an increase of 10 percent compared to the preceding year. In recent years, the highest number of malware attacks was detected in 2018, when 10.5 billion such attacks were reported across the globe.

Malware attacks worldwide
In 2022, worm malware was blocked over 205 million times. Another common malware type during that period, Emotet, primarily targeted the Asia-Pacific region. Overall, websites are the most common vector for malware attacks and recent industry data found that malware attacks were frequently received via exe files.

Most targeted industries
In 2022, the education sector was heavily targeted by malware, encountering 2,314 weekly attacks on average. Government and military organizations ranked second, followed by the healthcare units. Overall, in 2022, the education sector saw over five million malware attacks in the examined year.
Attribution 4.0 (CC BY 4.0): https://creativecommons.org/licenses/by/4.0/
License information was derived automatically
While every industry is affected by ransomware attacks, the truth is that some industries are more susceptible than others. This is the full breakdown of the top 15 sectors most targeted by malware.
In 2022, organizations in the United States saw around 2.68 billion malware attacks, ranking first among selected countries worldwide. The United Kingdom (UK) ranked second, detecting nearly 433 million malware attacks, followed by India, with 335 million attacks.
Title: Network Traffic Analysis Dataset for Cybersecurity
Description: This dataset contains network traffic data that simulates various types of communication between network entities, specifically focusing on different protocols and potential security threats. The data includes information about packets exchanged between sender and receiver entities, their attributes, and associated attack types.
Columns:
Protocol: The communication protocol used for the packet (e.g., TCP or UDP).
Flag: The flag associated with the packet (e.g., SYN, ACK, RST, FIN).
Packet: The type of packet exchanged (e.g., HTTP, DNS, SSH, FTP, NTP).
Sender ID: Unique identifier for the sender entity.
Receiver ID: Unique identifier for the receiver entity.
Source IP Address: IP address of the source entity.
Destination IP Address: IP address of the destination entity.
Source Port: Port number on the source entity.
Destination Port: Port number on the destination entity.
Packet Size: Size of the packet in bytes.
Target Variable: The potential security threat associated with the packet (e.g., Phishing, DoS, Man-in-the-Middle, DDoS, SQL Injection, Cross-Site Scripting, Ransomware, Password Attacks, Zero-Day Exploits).
Intended Use: This dataset is intended for use in cybersecurity research and analysis, particularly for the development and evaluation of intrusion detection systems, network anomaly detection algorithms, and predictive models for identifying potential security threats. It can also be utilized to explore patterns and relationships between different types of network traffic and associated attack vectors.
Considerations:
Data Privacy: Ensure that any sensitive or personal information in the dataset is anonymized or masked to protect user privacy.
Data Preprocessing: Before using the dataset, perform preprocessing tasks such as handling missing values, standardizing column names, and encoding categorical variables.
Feature Engineering: Depending on the analysis goals, additional features may be engineered from the available attributes to enhance model performance.
Data Splitting: Divide the dataset into training, validation, and testing subsets for model development and evaluation.
Documentation: Provide clear documentation detailing the dataset's origin, structure, and any preprocessing steps applied.
By providing this dataset on Kaggle, researchers and data scientists interested in the field of cybersecurity can access a controlled simulation of network traffic to explore and develop solutions for detecting and mitigating potential security threats.
Attribution 4.0 (CC BY 4.0): https://creativecommons.org/licenses/by/4.0/
License information was derived automatically
These latest ransomware statistics show how much damage is caused by attacks and the emerging trends you need to be aware of.
As of the second quarter of 2025, Trojan-Banker was the most commonly detected mobile malware worldwide, accounting for nearly 30 percent of all mobile malware detected worldwide. Meanwhile, RiskTool ranked second with approximately 18 percent share.
Attribution 4.0 (CC BY 4.0): https://creativecommons.org/licenses/by/4.0/
License information was derived automatically
Here are the most important ransomware statistics you need to know about the attacks, demands, payments and consequences that can occur.
Between 2018 and 2024, the share of global malware attacks that occurred via e-mail increased from ** to ** percent. The percentage of web attacks has decreased, going from ** percent in 2018 to ** percent in 2024.
Attribution 4.0 (CC BY 4.0): https://creativecommons.org/licenses/by/4.0/
License information was derived automatically
Different types of ransomware are more common than others and more likely to affect your cybersecurity. The top 5 most common types of ransomware strains are...
Attribution 4.0 (CC BY 4.0): https://creativecommons.org/licenses/by/4.0/
License information was derived automatically
To cite the dataset, please reference it as: “Stratosphere Laboratory. A labeled dataset with malicious and benign IoT network traffic. January 22th. Agustin Parmisano, Sebastian Garcia, Maria Jose Erquiaga. https://www.stratosphereips.org/datasets-iot23”
This dataset includes labels that explain the linkages between flows connected with harmful or possibly malicious activity to provide network malware researchers and analysts with more thorough information. These labels were painstakingly created at the Stratosphere labs using malware capture analysis.
We present a concise explanation of the labels used for the identification of malicious flows, based on manual network analysis, below:
Attack: This label signifies the occurrence of an attack originating from an infected device directed towards another host. Any flow that endeavors to exploit a vulnerable service, discerned through payload and behavioral analysis, falls under this classification. Examples include brute force attempts on telnet logins or header-based command injections in GET requests.
Benign: The "Benign" label denotes connections where no suspicious or malicious activities have been detected.
C&C (Command and Control): This label indicates that the infected device has established a connection with a Command and Control server. This observation is rooted in the periodic nature of connections or activities such as binary downloads or the exchange of IRC-like or decoded commands.
DDoS (Distributed Denial of Service): "DDoS" is assigned when the infected device is actively involved in a Distributed Denial of Service attack, identifiable by the volume of flows directed towards a single IP address.
FileDownload: This label signifies that a file is being downloaded to the infected device. It is determined by examining connections with response bytes exceeding a specified threshold (typically 3KB or 5KB), often in conjunction with known suspicious destination ports or IPs associated with Command and Control servers.
HeartBeat: "HeartBeat" designates connections where packets serve the purpose of tracking the infected host by the Command and Control server. Such connections are identified through response bytes below a certain threshold (typically 1B) and exhibit periodic similarities. This is often associated with known suspicious destination ports or IPs linked to Command and Control servers.
Mirai: This label is applied when connections exhibit characteristics resembling those of the Mirai botnet, based on patterns consistent with common Mirai attack profiles.
Okiru: Similar to "Mirai," the "Okiru" label is assigned to connections displaying characteristics of the Okiru botnet. The parameters for this label are the same as for Mirai, but Okiru is a less prevalent botnet family.
PartOfAHorizontalPortScan: This label is employed when connections are involved in a horizontal port scan aimed at gathering information for potential subsequent attacks. The labeling decision hinges on patterns such as shared ports, similar transmitted byte counts, and multiple distinct destination IPs among the connections.
Torii: The "Torii" label is used when connections exhibit traits indicative of the Torii botnet, with labeling criteria similar to those used for Mirai, albeit in the context of a less common botnet family.
| Field Name | Description | Type |
|---|---|---|
| ts | The timestamp of the connection event. | time |
| uid | A unique identifier for the connection. | string |
| id.orig_h | The source IP address. | addr |
| id.orig_p | The source port. | port |
| id.resp_h | The destination IP address. | addr |
| id.resp_p | The destination port. | port |
| proto | The network protocol used (e.g., 'tcp'). | enum |
| service | The service associated with the connection. | string |
| duration | The duration of the connection. | interval |
| orig_bytes | The number of bytes sent from the source to the destination. | count |
| resp_bytes | The number of bytes sent from the destination to the source. | count |
| conn_state | The state of the connection. | string |
| local_orig | Indicates whether the connection is considered local or not. | bool |
| local_resp | Indicates whether the connection is considered... |
During the second quarter of 2025, over 142,000 mobile malware installation packages were detected. This number has continuously decreased since the first quarter of 2021.
Attribution-ShareAlike 4.0 (CC BY-SA 4.0): https://creativecommons.org/licenses/by-sa/4.0/
License information was derived automatically
Discover critical ransomware statistics, explore attack frequency, financial losses, and how ransomware threats are evolving!
Attribution 4.0 (CC BY 4.0): https://creativecommons.org/licenses/by/4.0/
License information was derived automatically
The top 15 countries that were affected the most were...
https://scoop.market.us/privacy-policy
(Source: Tripwire)
Attribution-ShareAlike 4.0 (CC BY-SA 4.0): https://creativecommons.org/licenses/by-sa/4.0/
License information was derived automatically
📌 Context of the Dataset
The Healthcare Ransomware Dataset was created to simulate real-world cyberattacks in the healthcare industry. Hospitals, clinics, and research labs have become prime targets for ransomware due to their reliance on real-time patient data and legacy IT infrastructure. This dataset provides insight into attack patterns, recovery times, and cybersecurity practices across different healthcare organizations.
Why is this important?
Ransomware attacks on healthcare organizations can shut down entire hospitals, delay treatments, and put lives at risk. Understanding how different healthcare organizations respond to attacks can help develop better security strategies. The dataset allows cybersecurity analysts, data scientists, and researchers to study patterns in ransomware incidents and explore predictive modeling for risk mitigation.
📌 Sources and Research Inspiration
This simulated dataset was inspired by real-world cybersecurity reports and built using insights from official sources, including:
1️⃣ IBM Cost of a Data Breach Report (2024)
The healthcare sector had the highest average cost of data breaches ($10.93 million per incident). On average, organizations recovered only 64.8% of their data after paying ransom. Healthcare breaches took 277 days on average to detect and contain.
2️⃣ Sophos State of Ransomware in Healthcare (2024)
67% of healthcare organizations were hit by ransomware in 2024, an increase from 60% in 2023. 66% of backup compromise attempts succeeded, making data recovery significantly more difficult. The most common attack vectors included exploited vulnerabilities (34%) and compromised credentials (34%).
3️⃣ Health & Human Services (HHS) Cybersecurity Reports
Ransomware incidents in healthcare have doubled since 2016. Organizations that fail to monitor threats frequently experience higher infection rates.
4️⃣ Cybersecurity & Infrastructure Security Agency (CISA) Alerts
Identified phishing, unpatched software, and exposed RDP ports as top ransomware entry points. Only 13% of healthcare organizations monitor cyber threats more than once per day, increasing the risk of undetected attacks.
5️⃣ Emsisoft 2020 Report on Ransomware in Healthcare
The number of ransomware attacks in healthcare increased by 278% between 2018 and 2023. 560 healthcare facilities were affected in a single year, disrupting patient care and emergency services.
📌 Why is This a Simulated Dataset?
This dataset does not contain real patient data or actual ransomware cases. Instead, it was built using probabilistic modeling and structured randomness based on industry benchmarks and cybersecurity reports.
How It Was Created:
1️⃣ Defining the Dataset Structure
The dataset was designed to simulate realistic attack patterns in healthcare, using actual ransomware case studies as inspiration.
Columns were selected based on what real-world cybersecurity teams track, such as:
Attack methods (phishing, RDP exploits, credential theft).
Infection rates, recovery time, and backup compromise rates.
Organization type (hospitals, clinics, research labs) and monitoring frequency.
2️⃣ Generating Realistic Data Using ChatGPT & Python
ChatGPT assisted in defining relationships between attack factors, ensuring that key cybersecurity concepts were accurately reflected. Python’s NumPy and Pandas libraries were used to introduce randomized attack simulations based on real-world statistics. Data was validated against industry research to ensure it aligns with actual ransomware attack trends.
3️⃣ Ensuring Logical Relationships Between Data Points
Hospitals take longer to recover due to larger infrastructure and compliance requirements. Organizations that track more cyber threats recover faster because they detect attacks earlier. Backup security significantly impacts recovery time, reflecting the real-world risk of backup encryption attacks.
Attribution 4.0 (CC BY 4.0): https://creativecommons.org/licenses/by/4.0/
License information was derived automatically
This dataset is part of my PhD research on malware detection and classification using Deep Learning. It contains static analysis data: Top-1000 imported functions extracted from the 'pe_imports' elements of Cuckoo Sandbox reports. PE malware examples were downloaded from virusshare.com. PE goodware examples were downloaded from portableapps.com and from Windows 7 x86 directories.
Attribution-ShareAlike 4.0 (CC BY-SA 4.0): https://creativecommons.org/licenses/by-sa/4.0/
License information was derived automatically
Discover alarming AI cyber attacks statistics, explore rising threats, attack types, industry impact, and how AI is used in cybercrime!
Attribution-NonCommercial-ShareAlike 4.0 (CC BY-NC-SA 4.0): https://creativecommons.org/licenses/by-nc-sa/4.0/
License information was derived automatically
The CyberTec IIoT Malware Detection Dataset (CIMD-2024) is a real-world dataset collected from industrial IoT (IIoT) environments to analyze and detect various forms of malware in network traffic. The dataset spans from November 2019 to December 2024, capturing detailed hourly network activity logs, system performance metrics, and temporal attributes from a diverse range of IIoT devices, including sensors, actuators, cameras, and gateways.
This dataset is specifically designed for multi-class malware classification and contains a variety of cybersecurity threats, including ransomware, spyware, botnets, trojans, and worms, along with benign traffic for baseline analysis. The dataset is structured to facilitate research in federated learning-based cybersecurity models, network anomaly detection, and malware classification using AI-driven methods.
Key Features of the Dataset:
Time-series format with hourly resolution over a period of 5 years.
Multi-class labels including Benign, Ransomware, Spyware, Botnet, Trojan, Worm.
Comprehensive feature set covering network traffic, statistical attributes, payload-based indicators, system-level metrics, and malware-specific behaviors.
Device-level profiling to analyze malware impact on different IIoT devices.
Contextual metadata including attack type, device type, and threat intensity.
Ideal for AI-based intrusion detection, malware classification, and federated learning applications in IIoT security.

Feature Description:
The dataset consists of 40 features categorized into six groups, each providing crucial insights into network and system behaviors.

Packet Size, Packet Length, Inter-Arrival Time – Measure packet transmission properties.
Protocol Type, Flags – Identify network protocols (TCP, UDP, ICMP, HTTP, DNS) and packet-level attributes (SYN, ACK, FIN).
Source IP, Destination IP, Source Port, Destination Port – Track communication endpoints.
Flow Duration, Total Packets, Total Bytes, Average Packet Size, Packet Arrival Rate – Provide aggregated insights into network flows.

2. Statistical Features
These features highlight entropy-based variations and abnormal network behaviors.
Payload Entropy, Flow Entropy – Measure randomness in network communication, often linked to obfuscation techniques.
Baseline Deviation, Packet Size Variance – Capture sudden anomalies in traffic volume or packet distributions.

3. Payload Features
Extracted from network packet contents, these features focus on detecting malicious commands and embedded malware signatures.
Payload Pattern (Hex, ASCII, Binary) – Represents packet content encoding.
Malicious Signatures, Embedded Commands – Indicate presence of malware execution triggers or shellcode.

4. System-Level Features
Reflect device-level behavior and resource usage patterns, crucial for identifying malware-induced anomalies.
Device Type (Sensor, Actuator, Camera, Gateway) – Classifies the IIoT hardware source.
Device Activity Patterns – Captures operational changes caused by potential intrusions.
CPU Usage, Memory Usage, Network Interface Statistics – Monitor resource consumption, as malware often leads to high CPU/memory utilization.

5. Temporal Features
Time-based indicators that help detect periodic attacks and temporal anomalies.
Time of Day, Day of Week – Analyze attack frequency and trends.
Duration Anomaly – Captures how long a malware infection persists before termination.

6. Malware-Specific Indicators
Critical cybersecurity signals that reveal direct malware activity within the IIoT ecosystem.
Known IoCs (Indicators of Compromise) – Identifies flagged malicious IPs, domains, or URLs.
C&C Communication – Detects interactions with command-and-control servers.
Data Exfiltration – Flags unauthorized data transfers, often linked to espionage or ransomware attacks.

7. Labels (Target Variables)
The dataset includes a multi-class classification label that categorizes each instance as:
✅ Benign – Normal network behavior.
✅ Ransomware – Malicious encryption-based attacks.
✅ Spyware – Stealthy data theft malware.
✅ Botnet – Devices hijacked into a malicious network.
✅ Trojan – Deceptive malware disguised as legitimate software.
✅ Worm – Self-replicating malware spreading across networks.

Additionally, secondary labels provide further contextual understanding:
Attack Type (e.g., Denial-of-Service, Data Exfiltration, Command & Control).
Device Context (e.g., Sensor, Actuator, Camera, Gateway).
Threat Intensity (Low, Medium, High).

Use Cases & Applications:
The CyberTec IIoT Malware Detection Dataset (CIMD-2024) is ideal for:
✅ Federated Learning for IIoT Security – Enables decentralized malware detection without exposing sensitive data.
✅ Anomaly-Based Intrusion Detection – Helps detect zero-day attacks us...
Between October 2020 and September 2021, Backdoor was the most common type of malware attack worldwide. Cyber attacks of this group amounted to 37 percent of all detected malware attacks in the measured period. Downloader ranked second, with 17 percent, while Worm followed with 16 percent among all malware attacks reported.
Attribution 4.0 (CC BY 4.0): https://creativecommons.org/licenses/by/4.0/
License information was derived automatically
Here are the leading causes of ransomware attacks today.