Skip to main content

50+ ransomware statistics for 2022 (updated October 2022)

October 18, 2022

Barnaby Clarke

Get the latest on ransomware trends and research in our 2022 stats roundup.

It seems like there’s a high-profile ransomware attack hitting the news every week. From Thales Group to McDonalds, and Moncler to the San Francisco 49ers, there were 54 major ransomware news stories in just January and February of 2022.

As a result, ransomware is a board level priority, which is why we published the CISO’s guide to creating a ransomware board report. It draws on fresh research and provides key ransomware stats, as well as insight from seasoned CISOs on creating accurate and effective cybersecurity board reports.

If you’re looking for guidance on ransomware reporting for the board, including tips on goal-setting, educating executives, putting security in business context, and utilising automation, check out the full report.

With that, let’s explore some important ransomware stats that will give context on the state of play in the security industry.


New ransomware stats from our CISO’s guide

91% of security leaders are now regularly reporting on ransomware to the board. But, only 33% of CISOs are ‘very satisfied’ with the amount of time and resources spent, accuracy, and detail of their ransomware board reporting.

This not only means that the board reporting could be in question, but also the cybersecurity and risk decisions that security leaders are making around their ransomware protection. If they aren’t confident in their reporting to the board, they can’t be fully confident in those decisions.

It’s particularly notable given that 86% of security leaders have ransomware mitigation as a specific budgeted priority for 2022. Any investment decisions in that area need to be made with certainty, so the other 67% could be struggling.


Statistics on the increase in ransomware

  • Ransomware attacks increased 105% in 2021. (TechTarget)
  • Ransomware has risen 232% since 2019. (TechTarget)
  • There are 20 ransomware attacks attempted every second. (TechTarget)
  • Ransomware is now responsible for 10% of global breaches (up from 2% in 2016). (Verizon)
  • 78% of organisations experienced email-based ransomware attacks in 2021. (Proofpoint)
  • 68% of organisations were infected by ransomware in 2021, up from 66% in 2020. Nearly two-thirds of those organisations were hit by three separate ransomware infections, while nearly 15% of those experienced more than 10 separate ransomware infections. (Proofpoint)
  • Operating systems targeted most targeted by ransomware: Windows (85%), MacOS (7%), Android (5%), iOS (3%). (SafetyDetectives)
  • Most common methods of ransomware infection: phishing emails (67%), lack of cyber awareness training (36%), weak passwords/access management (30%), poor user practices (25%), malicious websites or ads (16%), other (16%). Some were targeted by multiple methods. (SafetyDetectives)
  • Since 2020, more than 130 different strains of ransomware have been detected. (VirusTotal)


Statistics on the cost of ransomware

A successful ransomware attack costs the targeted organisation more than the ransom payment itself. There are additional costs such as downtime, mitigation, reputational damage, analysis, and increasing insurance premiums. Indeed, the cyber insurance market itself has been hugely affected by the rising threat of ransomware.

The latest research shows that:

  • The first half of 2021 saw $590 million in ransom payments. (Financial Crimes Enforcement Network)
  • Ransomware costs averaged $4.62 million in 2021, with mega-breaches costing as much as 100 times higher. (Mimecast)
  • The average ransomware payment was $570,000 in the first half of 2021, up from $312,000. (Mimecast)
  • The bigger ransoms now run in the tens of millions of dollars. (Mimecast)
  • 58% of organisations infected with ransomware agreed to pay a ransom in 2021, compared with 34% in 2020. (Proofpoint)
  • Of those, 32% had to make an additional ransom payment to regain access to their data/systems. (Proofpoint)
  • And 4% of those who paid were never able to get access to their data and systems. (Proofpoint)
  • The highest ransom demand of a single victim rose to $50 million in the first half of 2021 from $30 million in 2020. (PaloAlto)
  • The average downtime due to a ransomware attack was 22 days in Q3 of 2021 compared to 19 days in Q3 2020. (Coveware)


Statistics on where ransomware attacks happen

Ransomware is a global threat. Attacks in any country can originate in any other. As the stats will show, most ransomware attacks are in the US, and many originate in Russia or China. Nonetheless, research from Sophos shows attacks are not limited global powerhouse nations like the above, with data from over 30 countries.

  • In the first half of 2022, global ransomware volume shrunk by 23%. (SonicWall)
  • Ransomware in North America dropped by 42% in the first half of 2022. (SonicWall)
  • However, it increased elsewhere. (SonicWall)
    • In Asia, ransomware went up by 4%.
    • Europe saw a 63% increase in ransomware.
    • Brazil saw an increase of 217%, making it now the second most-targeted country (after the USA and displacing the UK).
  • There was a ransomware peak in Q2 and Q3 of 2021, with 374 million ransomware attempts in that six-month period. (SonicWall)
  • 51% of ransomware attacks are in the USA. For context, the UK is 10%, Canada is 5%, France and Australia are 3%. (BlackFog)
  • 1/3 attacks exfiltrate to Russia or China. (BlackFog)
  • UK ransomware attacks doubled in 2021. (CityAM)
  • The USA suffered over 227 million ransomware attacks in 2021. (SonicWall)
  • North America saw a 180% increase in ransomware attacks in 2021. (SonicWall)
  • Europe saw a 234% rise in ransomware attacks in 2021. (SonicWall)
  • Over 68% of organisations in India reported a ransomware attack in 2021. (Statista)


Statistics on ransomware attacks by industry

While cyber criminals attack almost every type of organisation, industries such as banking, utilities and retail are targeted particularly. They hold a large amount of customer information and can have wide-ranging affects if services are stopped — the Colonial Pipeline ransomware attack is a well-known example.

  • In the first half of 2022, ransomware targeting government organisations dropped 84%. (SonicWall)
  • However, other industries saw significant increases. (SonicWall)
    • Education rose 51%.
    • Retail rose 90%.
    • Finance rose 243%.
    • Healthcare rose 328%.
  • The average organisation size for a ransomware attack is 8,300. (BlackFog)
  • Over half of ransomware attacks are targeting one of three industries; banking, utilities and retail. (ZDNet)
  • In 2021, ransomware attacks in retail increased by 100%, compared to an 89% increase in the technology sector, 24% increase in government, and 30% increase in the health sector. (BlackFog)
  • 32% of organisations paid the ransom, but it varies by industry. The least likely to pay the ransom are manufacturing (19%) and financial services (25%). The most likely are energy and utilities (43%) and local government (42%). (Sophos)
  • In 2020, 92 individual ransomware attacks cost US healthcare organisations an estimated $21 billion, affecting 18 million patient records. (Comparitech)
  • Ransomware attacks were responsible for almost 50% of all healthcare data breaches in 2020. (Health and Human Services)
  • 90% of all financial institutions experienced ransomware attacks in 2020. (Hub Security)
  • 44% of organisations in the education sector reported a ransomware attack in 2021, compared to an average of 37%. (EdScoop)
  • Ransomware attacks in education increased by 100% from 2019 to 2020. (BlueVoyant)
  • The average cost of a ransomware attack in education in 2020 was $447,000. (BlueVoyant)
  • 25% of all British universities have been the victim of a ransomware attack in the last decade. (BlueVoyant)


Statistics on how ransomware attacks happen

  • Seven of the top 10 ransomware strains so far in 2022 weren’t in the top 10 last year. That indicates swiftly-changing dynamics among cyber criminals and their campaigns. (Arete & Cyentia)
  • In 61% of attacks, ransomware initially infected victims by exploiting poorly-secured remote access services. (Arete & Cyentia)
  • Ransom demands are five times higher when data exfiltration is involved. And that’s happening six times more often in 2022 than in 2019. (Arete & Cyentia)
  • The top 20 so-called “ransomware families” are responsible for 71% of ransomware attacks. (Arete & Cyentia)


Statistics on ransomware during the Covid-19 pandemic

The global pandemic has been a goldmine for cyber criminals. The shift towards working from home has meant security teams have had to make considerable changes at speed, especially those large enterprises used to protecting an office environment.

Similarly, attackers have been playing on fear with Covid-themed phishing and taking advantage of industries that have suffered in the pandemic, such as healthcare and education.

Stats relating to the pandemic include:

  • Due to the rise in remote work prompted by the pandemic, attacks are up 148%. (TechTarget)
  • 84% of organisations will keep remote work as the norm even after COVID-19 restrictions are lifted, resulting in an increase of internet users and a greater risk of data exposure. (Bitglass)
  • Banks experienced a 520% increase in phishing and ransomware attempts between March and June 2020, just as the pandemic developed globally. (American Banker)
  • VirusTotal shows a considerable spike in ransomware submissions in the first six months of 2020, the start of the pandemic. (VirusTotal)


The final word

Hopefully you’ve picked up some useful insight from these ransomware statistics. If you want to find out more about how Panaseer can help with ransomware, we already mentioned our new CISO’s guide to creating an effective ransomware board report.

Additionally, check out our interview with Andrew Jaquith, a leading CISO and metrics expert, about security metrics to help protect against ransomware, or our article exploring our platform’s ransomware-focused dashboard.

Book a demo to find out how Continuous Controls Monitoring can mitigate the risk of a ransomware attack by giving you greater visibility over your assets and controls.