These latest ransomware statistics show how much damage is caused by attacks and the emerging trends you need to be aware of.

Here are the most important ransomware statistics you need to know about the attacks, demands, payments and consequences that can occur.

Discover critical ransomware statistics, explore attack frequency, financial losses, and how ransomware threats are evolving!

According to the results of a survey among the organizations hit by ransomware attacks in the past 12 months, ***** out of ten ransomware attacks in the United Kingdom (UK) resulted in data encryption as of 2025. This was the largest share among the surveyed countries. To compare, the data encryption rate in ransomware attacks in South Africa stood at ** percent, while in India it was measured at ** percent.

As of 2025, nearly 63 percent of businesses worldwide were affected by ransomware attacks. This figure represents a decrease on the previous year and was by far the lowest figure reported since 2020. Overall, since 2018, more than half of the total survey respondents each year stated that their organizations had been victimized by ransomware. Most targeted industries In 2024, the critical manufacturing industry in the United States was once again most targeted by ransomware attacks. Overall, organizations in this industry experienced 258 cyberattacks in the measured year. Healthcare and the public health sector ranked second, followed by government facilities, with 238 and 220 cyberattacks, respectively. Ransomware in the manufacturing industry The manufacturing industry, along with its subindustries, is constantly targeted by ransomware attacks, causing data loss, business disruptions, and reputational damage. Often, such cyberattacks are international and have a political intent. In 2024, exploited vulnerabilities were the leading cause of ransomware attacks in the manufacturing industry.

The top 15 countries that were affected the most were...

From 2021 to 2024, the share of financial institutions worldwide experiencing ransomware attacks has increased significantly. In 2024, roughly 65 percent of financial organizations worldwide reported experiencing a ransomware attack, compared to 64 percent in 2023 and 34 percent in 2021.

Different types of ransomware are more common than others and more likely to affect your cybersecurity. The top 5 most common types of ransomware strains are...

Insights into ransomware attack trends in the USA, including affected devices, organizational costs, preventive measures, and industries most targeted, based on survey data from respondents in 2024.

In 2023, organizations all around the world detected 317.59 million ransomware attempts. Overall, this number decreased significantly between the third and fourth quarters of 2022, going from around 102 million to nearly 155 million cases, respectively. Ransomware attacks usually target organizations that collect large amounts of data and are critically important. In case of an attack, these organizations prefer paying the ransom to restore stolen data rather than to report the attack immediately. The incidents of data loss also damage companies’ reputation, which is one of the reasons why ransomware attacks are not reported. Most targeted industries and regions As a part of critical infrastructure, the manufacturing industry is usually targeted by ransomware attacks. In 2022, manufacturing organizations worldwide saw 437 such attacks. The food and beverage industry ranked second, with over 50 ransomware attacks. By the share of ransomware attacks on critical infrastructure, North America ranked first among other worldwide regions, followed by Europe. Healthcare and public health sector organizations filed the highest number of complaints to the U.S. law enforcement in 2022 about ransomware attacks. Ransomware as a service (RaaS) The Ransomware as a Service (RaaS) business model has existed for over a decade. The model involves hackers and affiliates. Hackers develop ransomware attack models and sell them to affiliates. The latter then use them independently to attack targets. According to the business model, the hacker who created the RaaS receives a service fee per collected ransom. In the first quarter of 2022, there were 31 Ransomware as a Service (RaaS) extortion groups worldwide, compared to the 19 such groups in the same quarter of 2021.

While every industry is affected by ransomware attacks, the truth is that some industries are more susceptible than others. This is the full breakdown of the top 15 sectors most targeted by malware.

The following ransomware statistics detail which industries get attacked the most and which countries are most likely to be targeted.

A 2025 survey of cybersecurity professionals of organizations worldwide revealed that 32 percent of the organizations suffered ransomware attacks due to exploited vulnerabilities. Compromised credentials were the second-most common cause of successful ransomware attacks, while malicious e-mail ranked third.

About 360 ransomware attacks, including target, sector, organization size, ransom amount, and if the ransom was paid. Work in progress still.

May need a bit of data cleaning.

As of July 2025, the WannaCry ransomware attack launched in 2017 was the biggest attack by its impact. During this attack, cyber actors took over 250 thousand user accounts of Microsoft Windows. As a result of this attack, the company lost over four billion U.S. dollars. The latest of selected significant cyberattacks was the 2022 ransomware attack against Swisspost, in which 1.6 terabytes of data was stolen.

Here are the leading causes of ransomware attacks today.

The dataset comprises a collection of Bitcoin addresses associated with ransomware payments, including details such as balances, transaction histories, blockchain information, and timestamps of creation and updates. Each address is linked to specific ransomware families, notably including Netwalker and Qlocker. These addresses have recorded varying balances, indicating ransom payments made to these ransomware actors. The dataset serves as a valuable resource for analyzing ransomware payment behaviors, understanding trends, and tracking the financial activities associated with different ransomware strains.

Metadata

Sources

Cable, J. (2022) “Ransomwhere: A Crowdsourced Ransomware Payment Dataset”. Zenodo. doi: 10.5281/zenodo.6562484.
Dib, A., Sabri, G. and Mohamed Said Mehdi, M. (2023). Ransomware/Benignware System Calls. mendeley, [online] 3. doi: 10.17632/kbt8xt3678.3.
Atapour Abarghouei, A., Bonner, S. and McGough, A. S. (2019) ransomware_classification.zip. Newcastle University. Dataset. doi: 10.25405/data.ncl.9735080.v1

License

Ransomwhere: A Crowdsourced Ransomware Payment Dataset : Creative Commons Attribution 4.0 International
Ransomware/Benignware System Calls : Creative Commons Attribution 4.0 International
ransomware_classification.zip : Massachusetts Institute of Technology License

Related Papers

Read research published based on Ransomware data:

Gray, I.W., Cable, J., Brown, B., Cuiujuclu, V. and McCoy, D., 2022, November. Money Over Morals: A Business Analysis of Conti Ransomware. In 2022 APWG Symposium on Electronic Crime Research (eCrime) (pp. 1-12). IEEE.

Oosthoek, K., Cable, J. and Smaragdakis, G., 2023. A tale of two markets: Investigating the ransomware payments economy. Communications of the ACM, 66(8), pp.74-83.

Dib, A., Ghazi, S. and Said, M. (2023). Ransomware Attack Detection based on Pertinent System Calls Using Machine Learning Techniques. International Journal of Computer Networks & Communications, 15(04), pp.123–145. doi: 10.5121/ijcnc.2023.15408.

Atapour-Abarghouei, A., Bonner, S. and McGough, A.S. (2019). A Kings Ransom for Encryption: Ransomware Classification using Augmented One-Shot Learning and Bayesian Approximation. [online] arXiv.org. doi: 10.48550/arXiv.1908.06750.

‌

The main goal of any ransomware attacker is to hold people to ransom by not releasing their data until they get paid. But is it actually a good idea to pay the ransom? Here’s what the ransomware statistics tell us about organisations that paid up.

In 2024, ** percent of organizations worldwide claimed to have fallen victim to a ransomware attack in the previous year, according to a survey conducted among cybersecurity leaders of worldwide organizations. This is a decline compared to *** previous years, when ** percent of global organizations encountered ransomware attacks.

📌 Context of the Dataset

The Healthcare Ransomware Dataset was created to simulate real-world cyberattacks in the healthcare industry. Hospitals, clinics, and research labs have become prime targets for ransomware due to their reliance on real-time patient data and legacy IT infrastructure. This dataset provides insight into attack patterns, recovery times, and cybersecurity practices across different healthcare organizations.

Why is this important?

Ransomware attacks on healthcare organizations can shut down entire hospitals, delay treatments, and put lives at risk. Understanding how different healthcare organizations respond to attacks can help develop better security strategies. The dataset allows cybersecurity analysts, data scientists, and researchers to study patterns in ransomware incidents and explore predictive modeling for risk mitigation.

📌 Sources and Research Inspiration This simulated dataset was inspired by real-world cybersecurity reports and built using insights from official sources, including:

1️⃣ IBM Cost of a Data Breach Report (2024)

The healthcare sector had the highest average cost of data breaches ($10.93 million per incident). On average, organizations recovered only 64.8% of their data after paying ransom. Healthcare breaches took 277 days on average to detect and contain.

2️⃣ Sophos State of Ransomware in Healthcare (2024)

67% of healthcare organizations were hit by ransomware in 2024, an increase from 60% in 2023. 66% of backup compromise attempts succeeded, making data recovery significantly more difficult. The most common attack vectors included exploited vulnerabilities (34%) and compromised credentials (34%).

3️⃣ Health & Human Services (HHS) Cybersecurity Reports

Ransomware incidents in healthcare have doubled since 2016. Organizations that fail to monitor threats frequently experience higher infection rates.

4️⃣ Cybersecurity & Infrastructure Security Agency (CISA) Alerts

Identified phishing, unpatched software, and exposed RDP ports as top ransomware entry points. Only 13% of healthcare organizations monitor cyber threats more than once per day, increasing the risk of undetected attacks.

5️⃣ Emsisoft 2020 Report on Ransomware in Healthcare

The number of ransomware attacks in healthcare increased by 278% between 2018 and 2023. 560 healthcare facilities were affected in a single year, disrupting patient care and emergency services.

📌 Why is This a Simulated Dataset?

This dataset does not contain real patient data or actual ransomware cases. Instead, it was built using probabilistic modeling and structured randomness based on industry benchmarks and cybersecurity reports.

How It Was Created:

1️⃣ Defining the Dataset Structure

The dataset was designed to simulate realistic attack patterns in healthcare, using actual ransomware case studies as inspiration.

Columns were selected based on what real-world cybersecurity teams track, such as: Attack methods (phishing, RDP exploits, credential theft). Infection rates, recovery time, and backup compromise rates. Organization type (hospitals, clinics, research labs) and monitoring frequency.

2️⃣ Generating Realistic Data Using ChatGPT & Python

ChatGPT assisted in defining relationships between attack factors, ensuring that key cybersecurity concepts were accurately reflected. Python’s NumPy and Pandas libraries were used to introduce randomized attack simulations based on real-world statistics. Data was validated against industry research to ensure it aligns with actual ransomware attack trends.

3️⃣ Ensuring Logical Relationships Between Data Points

Hospitals take longer to recover due to larger infrastructure and compliance requirements. Organizations that track more cyber threats recover faster because they detect attacks earlier. Backup security significantly impacts recovery time, reflecting the real-world risk of backup encryption attacks.