Ransomware statistics:
Who is targeted
the most?
Ransomware is a virus that takes over a device and demands a ransom from the victim to get their files back. It is by far the biggest threat businesses face, as it’s capable of crippling a business of any size and permanently staining its reputation. To answer which companies are targeted the most, we’ve analyzed a collection of ransomware cases that occurred between January 2022 and January 2023. This is what we found.
- 2,263
- Recorded cases
- 2,1 million+
- Number of employees affected
Ransomware distribution worldwide
While ransomware is a global problem, English-speaking and other Western countries are targeted the most. In this map, we’re using NordLocker’s Ransomware Risk Index to better understand the threat of being targeted by ransomware around the world. What is RRI?
Top 10 countries most affected by
ransomware
Source: Ransomware groups' websites
United States
RRI
1
United Kingdom
RRI
1
Germany
RRI
0.9
Canada
RRI
0.9
Italy
RRI
0.9
France
RRI
0.9
Spain
RRI
0.8
Brazil
RRI
0.6
Australia
RRI
0.9
India
RRI
0.3
Mexico
RRI
0.6
Austria
RRI
0.9
Netherlands
RRI
0.8
Belgium
RRI
0.9
China
RRI
0.2
Hong Kong SAR China
RRI
0.9
South Africa
RRI
0.6
United Arab Emirates
RRI
0.8
Argentina
RRI
0.6
Taiwan
RRI
0.7
Indonesia
RRI
0.4
Norway
RRI
0.9
Singapore
RRI
0.9
Israel
RRI
0.8
Portugal
RRI
0.8
Sweden
RRI
0.8
Thailand
RRI
0.5
Colombia
RRI
0.6
Saudi Arabia
RRI
0.6
Chile
RRI
0.7
Denmark
RRI
0.9
Turkey
RRI
0.5
Peru
RRI
0.6
Greece
RRI
0.7
Poland
RRI
0.6
New Zealand
RRI
0.9
Czechia
RRI
0.7
Costa Rica
RRI
0.8
Philippines
RRI
0.4
Romania
RRI
0.6
Malaysia
RRI
0.6
South Korea
RRI
0.5
Ecuador
RRI
0.6
Hungary
RRI
0.7
Ireland
RRI
0.8
Lebanon
RRI
0.7
Dominican Republic
RRI
0.6
Venezuela
RRI
0.5
Kuwait
RRI
0.7
Qatar
RRI
0.8
Luxembourg
RRI
1
Pakistan
RRI
0.2
Honduras
RRI
0.6
Vietnam
RRI
0.3
Nigeria
RRI
0.2
El Salvador
RRI
0.6
Egypt
RRI
0.2
Jamaica
RRI
0.7
Oman
RRI
0.6
Slovenia
RRI
0.8
Iran
RRI
0.8
Finland
RRI
0.6
Bosnia & Herzegovina
RRI
0.7
Lithuania
RRI
0.7
Croatia
RRI
0.7
Cyprus
RRI
0.8
Sri Lanka
RRI
0.4
Morocco
RRI
0.3
Serbia
RRI
0.5
Nicaragua
RRI
0.5
Botswana
RRI
0.7
Bulgaria
RRI
0.5
Mongolia
RRI
0.6
Kenya
RRI
0.3
Russia
RRI
0.1
Angola
RRI
0.3
Brunei
RRI
0.8
Tunisia
RRI
0.4
Bangladesh
RRI
0
Bahamas
RRI
0.8
Senegal
RRI
0.3
Côte d’Ivoire
RRI
0.3
Congo - Brazzaville
RRI
0.5
Ethiopia
RRI
0.1
Trinidad & Tobago
RRI
0.7
Fiji
RRI
0.7
Puerto Rico
RRI
0.6
Slovakia
RRI
0.5
Myanmar (Burma)
RRI
0.2
Burkina Faso
RRI
0.3
Albania
RRI
0.6
Ghana
RRI
0.2
Algeria
RRI
0.2
Paraguay
RRI
0.4
Iraq
RRI
0.2
Estonia
RRI
0.7
Uruguay
RRI
0.5
Malta
RRI
0.8
Jordan
RRI
0.4
Kazakhstan
RRI
0.3
North Macedonia
RRI
0.6
Panama
RRI
0.5
Liberia
RRI
0.5
Mauritius
RRI
0.7
Zimbabwe
RRI
0.3
Ransomware risk index (RRI)
*Explore an interactive map with more
information on a desktop device.
Ransomware cases
across
the US
By sheer numbers, California, Texas, Florida, and New York top ransomware reports. However, after adjusting the attack rate iby the number of businesses active in the state, Michigan takes the lead. Meanwhile, Missouri and South Dakota are more than 10 times safer for businesses.
Source: Ransomware groups’ websites and US Bureau of Labor Statistics
Ransomware cases by industry
Companies affected by ransomware come from a variety of industries. However, the ones that are targeted the most often play a critical role in supply chains or handle lots of customer data. These factors put immense pressure on the companies to pay the ransom and resume operations. The research shows that other factors include an insufficient focus on cybersecurity, high-stakes working conditions, and a lack of resources. These industries are likely chosen because of the high attack success rate.
- 1Construction142
- 2Finance123
- 3Manufacturing121
- 4Tech116
- 5Business services99
- 6Transportation91
- 7Public sector78
- 8Consumer services77
- 9Retail77
- 10Education67
- 11Healthcare65
- 12Food production55
- 13Legal services52
- 14Energy45
- 15Automotive40
- 16Entertainment37
- 17Materials34
- 18Real estate32
- 19IT services and IT consulting30
- 20Other577
Source: Ransomware gangs’ websites and publically available financial databases
Who is responsible for the attacks?
Ransomware groups are not common thieves. Instead of hiding, they proudly display their achievements because that may help bully the victim into paying the ransom. Some of these groups are even protected by their governments in agreement that attacks won’t be carried out in their country. While one group - Lock Bit - tops the list as the most active ransomware group by far, there are hundreds of other Ransomware groups. Below are listed the most active ones.
- 1Lock Bit726
- 2AlphaVM (Blackcat)197
- 3Conti187
- 4Black Basta161
- 5Hive Leaks140
- 6Vice Society93
- 7Karakurt74
- 8Bian Lian57
- 9Royal52
- 10Lorenz44
- 11Quantum44
- 12BlackByte39
- 13Cuba39
- 14Cl0p Leaks39
- 15AvosLocker36
- 16Snatch31
- 17LV Blog30
- 18Ragnar Locker28
- 19Everest21
- 20Medusa Locker18
Source: ransomware gang websites
How does company size impact the ransomware threat?
Are smaller companies targeted less because of their limited resources? Or maybe more? As our analysis shows, it’s neither. While the fewest ransomware attacks were recorded against companies worth between $1 and $2 billion (18 cases), companies earning $10 to $25 million had 133 cases. Moreover, companies with less than $1 million in revenue and those between $500 million and up to $1 billion were targeted at a similar rate.
The research has also found that small and medium-sized companies between 11 and 50 employees as well as companies with 51-200 employees suffered the most attacks. One-person businesses suffered the least. But companies with 1-10 employees suffered at a similar range as companies with 1000-5000 employees.
Source: Ransomware groups’ websites and
publicly available financial databases
Protect your business from ransomware
What is ransomware?
By definition, ransomware is a type of malware that restricts user’s access to their files and demands a payment. But how it does it, what kind of a payment is requested, and what is encrypted differs a lot.
Ransomware has been employed for decades, but never at the level it is used today. Last year, some businesses faced ransom demands of $30 million. Ransomware is effective because most companies are ill-equipped to deal with it. To increase the likelihood of the ransom being paid, criminals may also threaten to post their victim’s data online.
How you can help protect your business from ransomware
Encourage cybersecurity training
Cybersecurity training is one of the fastest ways to prevent ransomware. It has to be organized regularly and involve everyone in the company because each person is a part of your company’s cybersecurity.
Pay extra attention to email
By far, the most popular way to spread malware is by email. Be extra careful when an email contains links or files. Learn how to recognize a fake email domain or a spoofed website.
Introduce better security tools
Tools like NordLocker are built to help companies maintain their reputation. It's a secure cloud where you can work daily while your data is backed up, synced, and secure on your device and in the cloud.
Nurture a culture of support
Reporting threats or asking for help should be straightforward. Moreover, it should be encouraged and celebrated. This helps keep everyone sharp, catch threats early, and recognize training opportunities.
Assess your current security
A company is prepared to face cyberattacks only when it has evaluated its cybersecurity capabilities. Such assessment helps counter the company's flaws either in-house or by involving third parties.
Create a disaster recovery plan
To force the victim to pay the ransom, criminals use a variety of tactics like urgency, humiliation, and intimidation. If you prepare a response plan in advance and introduce it to everyone in the company, it will help prevent and respond to a ransomware attack.
Ensure a regular backup process
Backups can't stop cyberattacks, but they give the company leverage. Even if a company becomes a target for ransomware, the ability to restore data right away will guarantee business continuity.
Keep software up to date
Most cyberattacks either use social engineering to prey on the flaws in human nature or malware to exploit outdated software. Make sure everyone at the company understands how important it is to keep software updated.
If you can, never pay the attackers
Ransomware attacks have blown up because they're profitable. Paying the ransom only funds the criminals to launch more attacks. While each case is unique, we encourage everyone to explore all options before paying off the criminals.
Methodology
Data collection: The data was collected from multiple publicly available online blogs where ransomware groups had posted the names of their victims and their demands. The exact names of URLs and other identifying information of those blogs remain undisclosed in this report for a reason. It follows from the fact that we do not want to encourage visits to sources that publicize information related to illegal activities. To the best of our knowledge, the ransomware attacks analyzed in this report happened between 01/01/2020 and 01/07/2022. Financial, employee count, and industry data was collected from numerous publicly available databases. All the previously said data was collected from 25/05/22 to 01/07/2022.
Analysis: For the world map, we compared the number of ransomware cases with UN population statistics to get the per capita number. We then logarithmically normalized these numbers to produce scaled ratings between 0 and 1. The map of US states was devised by comparing the number of ransomware cases in each state with company census data from the U.S. Bureau of Labor Statistics.The remaining data blocks were devised by matching targeted companies with publicly available financial, employee count, or industry data.