Ransomware statistics: Who is targeted the most?

Ransomware is a virus that takes over a device and demands a ransom from the victim to get their files back. It is by far the biggest threat businesses face, as it’s capable of crippling a business of any size and permanently staining its reputation. To answer which companies are targeted the most, we’ve analyzed a collection of ransomware cases that occurred between January 2022 and January 2023. This is what we found.

2,263
Recorded cases
2,1 million+
Number of employees affected

Ransomware distribution worldwide

While ransomware is a global problem, English-speaking and other Western countries are targeted the most. In this map, we’re using NordLocker’s Ransomware Risk Index to better understand the threat of being targeted by ransomware around the world. What is RRI?

Top 10 countries most affected by ransomware

Source: Ransomware groups' websites

*Explore an interactive map with more
information on a desktop device.

Ransomware cases
across the US

By sheer numbers, California, Texas, Florida, and New York top ransomware reports. However, after adjusting the attack rate iby the number of businesses active in the state, Michigan takes the lead. Meanwhile, Missouri and South Dakota are more than 10 times safer for businesses.

Source: Ransomware groups’ websites and US Bureau of Labor Statistics

Ransomware cases by industry

Companies affected by ransomware come from a variety of industries. However, the ones that are targeted the most often play a critical role in supply chains or handle lots of customer data. These factors put immense pressure on the companies to pay the ransom and resume operations. The research shows that other factors include an insufficient focus on cybersecurity, high-stakes working conditions, and a lack of resources. These industries are likely chosen because of the high attack success rate.

Rank
Industry
Number of cases
  • 1
    Construction
    142
  • 2
    Finance
    123
  • 3
    Manufacturing
    121
  • 4
    Tech
    116
  • 5
    Business services
    99
  • 6
    Transportation
    91
  • 7
    Public sector
    78
  • 8
    Consumer services
    77
  • 9
    Retail
    77
  • 10
    Education
    67
  • 11
    Healthcare
    65
  • 12
    Food production
    55
  • 13
    Legal services
    52
  • 14
    Energy
    45
  • 15
    Automotive
    40
  • 16
    Entertainment
    37
  • 17
    Materials
    34
  • 18
    Real estate
    32
  • 19
    IT services and IT consulting
    30
  • 20
    Other
    577

Source: Ransomware gangs’ websites and publically available financial databases

Who is responsible for the attacks?

Ransomware groups are not common thieves. Instead of hiding, they proudly display their achievements because that may help bully the victim into paying the ransom. Some of these groups are even protected by their governments in agreement that attacks won’t be carried out in their country. While one group - Lock Bit - tops the list as the most active ransomware group by far, there are hundreds of other Ransomware groups. Below are listed the most active ones.

Rank
Group
Cases reported
  • 1
    Lock Bit
    726
  • 2
    AlphaVM (Blackcat)
    197
  • 3
    Conti
    187
  • 4
    Black Basta
    161
  • 5
    Hive Leaks
    140
  • 6
    Vice Society
    93
  • 7
    Karakurt
    74
  • 8
    Bian Lian
    57
  • 9
    Royal
    52
  • 10
    Lorenz
    44
  • 11
    Quantum
    44
  • 12
    BlackByte
    39
  • 13
    Cuba
    39
  • 14
    Cl0p Leaks
    39
  • 15
    AvosLocker
    36
  • 16
    Snatch
    31
  • 17
    LV Blog
    30
  • 18
    Ragnar Locker
    28
  • 19
    Everest
    21
  • 20
    Medusa Locker
    18

Source: ransomware gang websites

How does company size impact the ransomware threat?

Are smaller companies targeted less because of their limited resources? Or maybe more? As our analysis shows, it’s neither. While the fewest ransomware attacks were recorded against companies worth between $1 and $2 billion (18 cases), companies earning $10 to $25 million had 133 cases. Moreover, companies with less than $1 million in revenue and those between $500 million and up to $1 billion were targeted at a similar rate.

The research has also found that small and medium-sized companies between 11 and 50 employees as well as companies with 51-200 employees suffered the most attacks. One-person businesses suffered the least. But companies with 1-10 employees suffered at a similar range as companies with 1000-5000 employees.

Source: Ransomware groups’ websites and
publicly available financial databases

Protect your business from ransomware

Get NordLocker Business

What is ransomware?

By definition, ransomware is a type of malware that restricts user’s access to their files and demands a payment. But how it does it, what kind of a payment is requested, and what is encrypted differs a lot.

Ransomware has been employed for decades, but never at the level it is used today. Last year, some businesses faced ransom demands of $30 million. Ransomware is effective because most companies are ill-equipped to deal with it. To increase the likelihood of the ransom being paid, criminals may also threaten to post their victim’s data online.

How you can help protect your business from ransomware

1

Encourage cybersecurity training

Cybersecurity training is one of the fastest ways to prevent ransomware. It has to be organized regularly and involve everyone in the company because each person is a part of your company’s cybersecurity.

2

Pay extra attention to email

By far, the most popular way to spread malware is by email. Be extra careful when an email contains links or files. Learn how to recognize a fake email domain or a spoofed website.

3

Introduce better security tools

Tools like NordLocker are built to help companies maintain their reputation. It's a secure cloud where you can work daily while your data is backed up, synced, and secure on your device and in the cloud.

4

Nurture a culture of support

Reporting threats or asking for help should be straightforward. Moreover, it should be encouraged and celebrated. This helps keep everyone sharp, catch threats early, and recognize training opportunities.

5

Assess your current security

A company is prepared to face cyberattacks only when it has evaluated its cybersecurity capabilities. Such assessment helps counter the company's flaws either in-house or by involving third parties.

6

Create a disaster recovery plan

To force the victim to pay the ransom, criminals use a variety of tactics like urgency, humiliation, and intimidation. If you prepare a response plan in advance and introduce it to everyone in the company, it will help prevent and respond to a ransomware attack.

7

Ensure a regular backup process

Backups can't stop cyberattacks, but they give the company leverage. Even if a company becomes a target for ransomware, the ability to restore data right away will guarantee business continuity.

8

Keep software up to date

Most cyberattacks either use social engineering to prey on the flaws in human nature or malware to exploit outdated software. Make sure everyone at the company understands how important it is to keep software updated.

9

If you can, never pay the attackers

Ransomware attacks have blown up because they're profitable. Paying the ransom only funds the criminals to launch more attacks. While each case is unique, we encourage everyone to explore all options before paying off the criminals.

Methodology

Data collection: The data was collected from multiple publicly available online blogs where ransomware groups had posted the names of their victims and their demands. The exact names of URLs and other identifying information of those blogs remain undisclosed in this report for a reason. It follows from the fact that we do not want to encourage visits to sources that publicize information related to illegal activities. To the best of our knowledge, the ransomware attacks analyzed in this report happened between 01/01/2020 and 01/07/2022. Financial, employee count, and industry data was collected from numerous publicly available databases. All the previously said data was collected from 25/05/22 to 01/07/2022.

Analysis: For the world map, we compared the number of ransomware cases with UN population statistics to get the per capita number. We then logarithmically normalized these numbers to produce scaled ratings between 0 and 1. The map of US states was devised by comparing the number of ransomware cases in each state with company census data from the U.S. Bureau of Labor Statistics.The remaining data blocks were devised by matching targeted companies with publicly available financial, employee count, or industry data.