Ransomware statistics: Who is targeted the most?

Ransomware is a virus that takes over a device and demands a ransom from the victim to get their files back. It is by far the biggest threat businesses face, as it’s capable of crippling a business of any size and permanently staining its reputation. To answer which companies are targeted the most, we’ve analyzed a collection of ransomware cases that occurred between January 2020 and July 2022. This is what we found.

Recorded cases: 5,212
Collective revenue of targeted companies: $4.15 trillion
Number of employees affected: 12 million+

Ransomware distribution worldwide

While ransomware is a global problem, English-speaking and other Western countries are targeted the most. In this map, we’re using NordLocker’s Ransomware Risk Index to better understand the threat of being targeted by ransomware around the world.

Top 10 countries most affected by ransomware

Source: Ransomware groups' websites

Ransomware cases across the US

By sheer numbers, California, Texas, Florida, and New York top ransomware reports. However, after adjusting the attack rate by the number of businesses active in the state, Michigan takes the lead. Meanwhile, Missouri and South Dakota are more than 10 times safer for businesses.

Source: Ransomware groups’ websites and US Bureau of Labor Statistics

Ransomware cases by industry

Companies affected by ransomware come from a variety of industries. However, the ones that are targeted the most often play a critical role in supply chains or handle lots of customer data. These factors put immense pressure on the companies to pay the ransom and resume operations. The research shows that other factors include an insufficient focus on cybersecurity, high-stakes working conditions, and a lack of resources. These industries are likely chosen because of the high attack success rate.

Rank | Industry | Number of cases
1 | Manufacturing | 436
2 | Construction | 410
3 | Transportation/Logistics | 356
4 | Tech/IT | 343
5 | Healthcare | 259
6 | Finance/Insurance | 251
7 | Public sector | 238
8 | Business Services | 236
9 | Retail | 232
10 | Consumer Services | 228
11 | Energy | 194
12 | Legal services | 176
13 | Food production | 175
14 | Education | 161
15 | Materials | 155
16 | Automotive | 139
17 | Real Estate | 126
18 | Entertainment | 102
19 | Other | 63

Source: Ransomware gangs’ websites and publicly available financial databases

Who is responsible for the attacks?

Ransomware groups are not common thieves. Instead of hiding, they proudly display their achievements because that may help bully the victim into paying the ransom. Some of these groups are even protected by their governments, on the understanding that attacks won’t be carried out in their own country. While two groups (Lock Bit and Conti) top the list as the most active ransomware groups by far, the analysis did not measure the magnitude or impact of each group individually.

Rank | Group | Cases reported
1 | Lock Bit | 855
2 | Conti | 796
3 | Pysa | 311
4 | REvil | 284
5 | Maze | 264
6 | Egregor | 204
7 | DoppelPaymer | 199
8 | Avaddon | 182
9 | NetWalker | 144
10 | AlphaVM (Blackcat) | 123
11 | Hive Leaks | 122
12 | Cl0p Leaks | 115
13 | Darkside | 99
14 | Grief | 85
15 | Everest | 85
16 | Vice Society | 77
17 | LV Blog | 76
18 | Marketo | 71
19 | Karakurt | 68
20 | AvosLocker | 62

Source: ransomware gang websites

How does company size impact the ransomware threat?

Are smaller companies targeted less because of their limited resources? Or maybe more? As our analysis shows, it’s neither. While the fewest ransomware attacks were recorded against companies worth between $5 and $10 billion, companies earning over $10 billion had twice as many cases. Moreover, companies with less than $1 million in revenue and those between $500 million and $1 billion were targeted at a similar rate.

The research has also found that small and medium-sized companies between 11 and 50 employees as well as companies with 51-200 employees suffered the most attacks. One-person businesses suffered the least.

Source: Ransomware groups’ websites and publicly available financial databases

What is ransomware?

By definition, ransomware is a type of malware that restricts a user’s access to their files and demands a payment. But how it does so, what kind of payment is requested, and what is encrypted differ a lot.

Ransomware has been employed for decades, but never at the level it is used today. Last year, some businesses faced ransom demands of $30 million. Ransomware is effective because most companies are ill-equipped to deal with it. To increase the likelihood of the ransom being paid, criminals may also threaten to post their victim’s data online.

How you can help protect your business from ransomware

1. Encourage cybersecurity training

Cybersecurity training is one of the fastest ways to prevent ransomware. It has to be organized regularly and involve everyone in the company because each person is a part of your company’s cybersecurity.

2. Pay extra attention to email

By far, the most popular way to spread malware is by email. Be extra careful when an email contains links or files. Learn how to recognize a fake email domain or a spoofed website.

3. Introduce better security tools

Tools like NordLocker are built to help companies maintain their reputation. It's a secure cloud where you can work daily while your data is backed up, synced, and secure on your device and in the cloud.

4. Nurture a culture of support

Reporting threats or asking for help should be straightforward. Moreover, it should be encouraged and celebrated. This helps keep everyone sharp, catch threats early, and recognize training opportunities.

5. Assess your current security

A company is prepared to face cyberattacks only when it has evaluated its cybersecurity capabilities. Such assessment helps counter the company's flaws either in-house or by involving third parties.

6. Create a disaster recovery plan

To force the victim to pay the ransom, criminals use a variety of tactics like urgency, humiliation, and intimidation. If you prepare a response plan in advance and introduce it to everyone in the company, it will help prevent and respond to a ransomware attack.

7. Ensure a regular backup process

Backups can't stop cyberattacks, but they give the company leverage. Even if a company becomes a target for ransomware, the ability to restore data right away will guarantee business continuity.

8. Keep software up to date

Most cyberattacks either use social engineering to prey on the flaws in human nature or malware to exploit outdated software. Make sure everyone at the company understands how important it is to keep software updated.

9. If you can, never pay the attackers

Ransomware attacks have blown up because they're profitable. Paying the ransom only funds the criminals to launch more attacks. While each case is unique, we encourage everyone to explore all options before paying off the criminals.

Methodology

Data collection: The data was collected from multiple publicly available online blogs where ransomware groups had posted the names of their victims and their demands. The URLs and other identifying information of those blogs are deliberately left undisclosed in this report, because we do not want to encourage visits to sources that publicize information related to illegal activities. To the best of our knowledge, the ransomware attacks analyzed in this report happened between 01/01/2020 and 01/07/2022. Financial, employee count, and industry data was collected from numerous publicly available databases. All of the above data was collected from 25/05/22 to 01/07/2022.

Analysis: For the world map, we compared the number of ransomware cases with UN population statistics to get the per capita number. We then logarithmically normalized these numbers to produce scaled ratings between 0 and 1. The map of US states was devised by comparing the number of ransomware cases in each state with company census data from the U.S. Bureau of Labor Statistics. The remaining data blocks were devised by matching targeted companies with publicly available financial, employee count, or industry data.
