85+ Ransomware Statistics Shaping 2025 Security Trends

The last decade has seen a steep increase in the occurrence of ransomware in healthcare, medicine, and supply chains.

Instead of manual ransomware attacks, threat actors are now using a combination of systems, such as ransomware as a service (RaaS), triple extortion, supply chain attacks, and phishing, to lure companies into paying ransom.

It’s no longer just about locking down systems. Ransomware companies double down by launching malware attacks and threatening companies to leak sensitive information, which has had an adverse financial impact on overall cybersecurity revenue. According to Statista, roughly 7 out of 10 cyberattacks in 2013 were ransomware attacks, with more than 317 million attempts recorded. 

Even though companies deploy the best endpoint protection software to provide an end-to-end mechanism against threats, attackers continue to find new ways in.

In this article, we trace the timeline of 85+ key ransomware events from 2011 to 2025, highlighting the rise in cybercrimes and what it means for businesses around the world.

Key ransomware attacks from 2017 to 2025

Between 2017 and 2025, ransomware attacks grew smarter as attackers targeted weak encryption standards to break into security systems and steal costly data.

Notable incidents include WannaCry in 2017, which crippled systems in 150 countries, and the Colonial Pipeline breach, which disrupted fuel supply in the US. A report from the University of Maryland, A. James Clark School of Engineering, reveals that cyberattacks occur at an alarming rate of 2,200 daily, with hackers attacking every 39 seconds. 

Below is a year-over-year breakdown of the 7 most notable data breaches that wreaked havoc across global industries and resulted in maximum financial damage.

Sources: Cloudflare, Cybersecurity Insiders, Bitdefender,  CISA, Cybersecurity Dive, Hyperproof, centraleyes, and DOJ

Ransomware statistics: total impact and data losses from 2017 to 2025

Ransomware attacks not only disrupt your business operations, productivity, and network efficiency but also gravely impact the bottom line. Companies are forced to pay a ransom to access the decryption key or hacked data to prevent major data leakages.

Ransom payments, however, are a fraction of the total cash loss caused by a ransomware attack. The collateral damages caused by such massive data breaches also impair a company's finances and results in millions of dollars spent on data recovery. 

As per Sophos’s State of Ransomware report for 2024, the average ransom payment saw a year-over-year increase, with paying “a seven-figure or more ransom sum” now the new norm. The organizations that pay ransoms reported an average payment of $2 million, up from $400,000 in 2023, which signals a steep increase in ransom and data recovery costs.

Below is a rundown of the major financial impact of ransomware attacks across the last 8 years that resulted in a gargantuan commercial and financial impact.

Ransomware statistics 2017: The rise in global ransomware threats 

In 2017, there was a rise in global cybercrime intensity, where companies had to compensate for the value of their data in exchange for heavy ransoms. 

Here are some of the most financially devastating threats:

• KeRanger Ransomware: The fully functional ransomware infected 7000+ Mac users via a trojanized transmission installer, demanding 1 BTC (~$400) for decryption.
• WannaCry: This ransomware provider affected over 200,000 computers across 150 countries, causing estimated damages up to $4 billion.
• NotPetya: Disguised as ransomware, this wiper malware caused widespread disruption, with Maersk reporting losses of up to $300 million.
• Locky Email Campaign: Over 23 million malicious emails were sent in 24 hours via Necurs Botnet, delivering Locky ransomware through spam attachments.
• Cerber: Accounted for 26% of all ransomware infections in Q1 2017, generating significant illicit revenue.
• Samas (Sam Sam): Targeted healthcare and government sectors, with ransom demands ranging from $10,000 to $50,000 per victim.
• CoinDash: Hackers stole $10M from CoinDash’s ICO in minutes by swapping the wallet address on its website. Days later, another $30M in Ether was drained from Parity wallet users.
• Jaff: This ransomware attack was distributed via spam campaigns, demanding ransoms of $3,700 in Bitcoin.
• Spora: A sophisticated campaign via Fake Chrome and Flash update downloads, infecting Russian and Soviet states, with ransom demands between $79 to $280 in Bitcoin.

Ransomware statistics 2019: Targeted attacks on municipalities 

2019 was the year in which ransomware attacks switched their focus to critical commercial institutions, like hospitals, schools, municipalities, and cities. 

According to a coverage by CBS news, over 621 institutions had to face a crisis due to an upsurge in ransomware attacks that led to an estimated price tag of hundreds and millions of dollars.

• Baltimore Ransomware attack: This ransomware attack incurred over $18 million in data recovery costs.
• Lake City, Florida: After a ransomware attack crippled the city's systems, it had to pay a $460,000 ransom.
• Rivera Beach, Florida: To regain access to and control of the encrypted files, it had to pay $600,000 in Bitcoin.
• Jackson County, Georgia: Cybercriminals were paid $400,000 following a ransomware attack.
• La Porte County, Indiana: The financial loss amounted to $130,000 in ransom after a ransomware infection. 
• New Bedford, Massachusetts: The attacker refused a $5.3 million ransom and instead chose a $400,000 recovery plan.
• Lubbock County, Texas: The El Paso attack at University Medical Center, Texas Tech Health Sciences Center, and TTUHSC El Paso impacted 1.4 million patients’ data and personal information.
• Onslow Water and Sewer Authority, North Carolina: The malware launched the Ryuk crypto virus, which spread quickly in the network and resulted in a ransom of $640,000.
• Imperial County, California: An attack was unleashed on Imperial Valley College’s computing system, which resulted in a payment of $55,068 to the ransomware attacker.
• Syracuse City School District, New York: Ransomware attacked the school's computing systems, forcing it to pay a $50,000 insurance deductible to restore them.

Ransomware statistics 2020: Surge in remote work exploits

Year 2020 witnessed the majority of data breaches in remote administrations, which disrupted individuals more than organizational resources.

Below is a summary of how ransomware systems infiltrate remote systems, tap into compromised data networks, and create lures.

• Cognizant: IT services giant Cognizant suffered a Maze ransomware attack, which resulted in estimated losses between $50 million and $70 million.
• Garmin: Reportedly paid a multi-million dollar ransom to recover from a WastedLocker ransomware attack.
• University of California, San Francisco (UCSF): The institution paid $1.14 million to recover data after a NetWalker ransomware attack.
• Travelex: The firm paid $2.3 million in Bitcoin to regain access to its systems after a Sodinokibi ransomware attack.
• Redcar and Cleveland Borough Council, UK: A ransomware attack cost the company over 10 million pounds.
• Grubman Shire Meislas and Sacks: It faced a REvil ransomware attack that demanded $42 million in exchange for data.
• Canon: The Maze ransomware exfiltrated up to 10 TB of Canon’s data, which affected users of the 10 GB free storage service.
• Carnival Corporation: A leader in the cruise industry, Carnival Corp. experienced a ransomware attack that accessed and encrypted a portion of one brand’s information technology systems. Its stock price fell 2% following its breach exposure.

Ransomware statistics 2021: Continuation of ransom threats 

There was a significant drop in ransomware attacks in 2021 compared to 2020, but organizations still had to double down on their data security and endpoint response infrastructure to remain in contention with ransomware systems at all times. 

According to US Agency FinCEN’s analysis of ransomware-related suspicious activity reports (SARs) filed during the first half of 2021, $590 million was paid in ransomware-related transactions (which mostly indicate ransoms from the US to ransomware groups), exceeding the total value reported in 2020, which was $416 million.

• Colonial Pipeline Attack: Led to fuel shortages across the US East Coast, ransom paid was $4.4 million.

• JBS Foods: The organization paid $11 million in ransom after a REvil ransomware attack disrupted company operations.

• Kaseya: REvil ransomware attack affected up to 1,500 businesses through Kaseya’s software.

• Acer: The firm faced a $50 million ransom demand from the REvil group, where the threat actors demanded the largest ransom of the year.

• CNA Financial: The company reportedly paid $40 million in ransom after a Phoenix locker ransomware attack.
• Sky Lakes Medical Center: The attack took down 650 servers and 150 applications, and the hospital took 7 months to recover.

• AXA Insurance: The Avaddon ransomware group claimed to have stolen three TB of sensitive data from AXA’s Asian operations and provided leak samples.

• Washington DC Police Department: The Babuk ransomware group released thousands of the Metropolitan Police Department’s sensitive information on the dark web. The Babuk group initially demanded $4 million not to release the files, but was only offered $100,000.
• Quanta Computer: Apple supplier Quanta was the target of a $50 million ransomware attack, which resulted in unprecedented schematic leaks of Apple product blueprints.
• Toshiba: Toshiba Tec Corp was attacked by DarkSide, and the firm said that more than 740 GB was compromised and included passports and other personal information.

Ransomware statistics 2022: Advanced extortion and government crises

The expansion of unpatched system ransomware and double and triple extortions meant that 4% of companies in 2022 were threatened to pay a ransom even if the data wasn’t encrypted.

In the same year, around 31% of industries successfully stopped the ransom attack before the malware could exfiltrate and encrypt their data. While that’s true, 65% of the time, cybercriminals succeeded in launching cyberattacks, accessing the data vault, and causing more disruptions.

• Nvidia: The Lapsus$ ransomware group attacked Nvidia and claimed to have stolen 1 TB of sensitive data and leaked the credentials of 70,000 users. 
• Samsung: The same group attacked Samsung Electronics and leaked 190 GB of data, including the source code of bootloaders, activation servers, and trusted applets.
• Okta: Okta faced a data breach caused by Lapsus$ digital extortion, which resulted in $40 GB of leaked data and a compromised administrative account.
• Medibank:  In October 2022, hackers targeted Medibank Private with a ransomware attack, putting 9.7 million medical records at risk of exploitation and fraud.
• CommonSpirit Health: The firm estimated that the financial losses caused by the attack reached $160 million, including business disruption, remediation costs, etc.
• Rackspace: Rackspace Technology recorded a $5 million ransom payment stemming from the December 2022 ransomware attack on the company’s Hosted Exchange Business.
• Costa Rica: Around 27 government bodies were targeted in a series of ransomware attacks, with 800 servers impacted and losses amounting to $38 million to $125 million per day.

Ransomware statistics 2023: Surge in ransomware activities

While the main target for ransomware vendors and actors was to cause extortion in critical business areas, this year, industries were the worst stricken territory of cybercrimes.

According to Chainalysis, ransomware actors intensified operations and targeted high-profile institutions and critical infrastructure in 2023. This was the year of the infamous supply chain attack exploiting the SaaS provider MOVEit, which led to disasters across firms, from the BBC to British Airways.

Although 2023 saw a drop in ransom payment volume, there were tangible economic impacts and productivity declines observed.

• MOVEit Data Breach: Clop ransomware exploited the MOVEit file transfer application, leading to significant data breaches and $1.1 billion in ransom payments.

• Capita Cyber Attack: The Black Basta ransomware gang targeted Capita, compromising sensitive data and affecting around 90 firms, costing between 15 to 20 million pounds.

• University of Hawaii: The NoEscape ransomware group targeted the Hawaiian community college, exfiltrating 65 GB of data and demanding a ransom.

• British Library: The British Library suffered an attack by the Rhysida group, which demanded a ransom of 20 bitcoin (approx $500,00 at that time), and leaked 65GB of sensitive data.
• Port of Nagoya: The Port of Nagoya, responsible for 10% of Japan’s trade, was attacked by LockBit ransomware, which destroyed container operations and caused significant delays.
• Munster Technological University: The ALPHV ransomware group, also known as BlackCat, listed over 6 GB of data allegedly stolen by Munster Technological University.

Ransomware statistics 2024: Disruption across supply chain and retail 

Apart from the blast radius disruptions in the supply chain, manufacturing, and assembly lines for industries, 2024 also saw a steep increase in insider threats. A research by Verizon states that around 83% of businesses reported experiencing at least one insider attack in 2024.

If the company had a decent ARR and annual revenue, the propensity of ransomware increased drastically. A total of 5 billion companies reported the joint highest rate of attack (67%), followed by smaller organizations (less than $10M revenue), out of which 47% of companies were targeted.

As 2024 observed double and triple extortions on healthcare, government, and educational institutions, here is a rundown of the financial impact of these ransomware attacks.

• Change Healthcare (USA): In February 2024, BlackCat/ALPHV launched a massive ransomware attack on Change Healthcare, a division of UnitedHealth Group, affecting over 100 million people. 

• Marks and Spencer (UK): The retailer suffered a ransomware attack by the DragonForce group, leading to an estimated loss of 300 million pounds and prolonged online service disruptions.

• CDK Global (USA and Canada): In June, a ransomware attack by the BlackSuit group disrupted services for thousands of car dealerships across North America, prompting a $25 million ransom payment.

• Kadokawa and Niconico (Japan): The Russian-linked BlackSuit group attacked Kadokawa and its video-sharing platform, Niconico, leaking the data of over 254,000 users. Although they allegedly paid a $2.98 million ransom, they still leaked the stolen data.

• University Hospital Center Zagreb (Croatia): LockBit’s ransomware attack severely disrupted operations at Croatia’s largest medical facility, forcing it to return to manual processes. 

• Healthcorps (USA): In March 2024, the Hades ransomware group (formerly Conti) targeted Healthcorps, compromising around 5.6 million patient records across multiple states.

• Patelco Credit Union (USA): The RansomHub gang breached Patelco Credit Union, leading to a widespread data breach that affected over 726,000 customers.
• Spanish Tax Agency: The Trinity ransomware group claimed responsibility for an attack on Spain’s Agencia Tributaria, alleging 500 GB of data theft and demanding a $38 million ransom.

Ransomware statistics 2025: Continued evolution of ransomware threats

The same report by Verizon also states that out of 22,052 real-world security incidents, 12,195 were confirmed data breaches that occurred inside organizations of all sizes and types. This only goes to show one thing: ransomware is on the rise.

In April 2025, ransomware incidents dropped to 450 (lowest since 2014), as affiliates split from legacy groups like LockBit to join RaaS communities.

Even though the number has dropped, attackers are increasingly using AI to create phishing lures, disrupt supply chains, and trigger unpatched vulnerabilities. As the severity of these attacks rises, companies are now looking to invest in intelligence tools to nip the evil in the bud.

• Marks and Spencer: Suspected Scattered Spider Attack caused 300 million pounds in losses and a 1 billion market cap drop in the UK, disrupting online retail and food supply chains. 

• Sensata Technologies: According to the U.S. Securities and Exchange Commission, this ransomware attack crippled critical operations, causing a $4 billion loss that must be recovered.

• Qakbot Network: Taken down by the Department of Justice (DOJ) and Europol, this malware infrastructure had enabled ransomware delivery for 15+ years and infected 7,00,000 systems.

• DanaBot Group: The U.S indicted 16 Russian nationals for using DanaBot in state-linked ransomware and espionage, which was tied to phishing and user credential theft. 

• Christie’s: Auction house Christie’s was hit by a cyber extortionist group RansomHub, which claimed to have the sensitive information of at least 500,000 clients.

Key ransomware statistics: industry-wise breakdown

Ransomware attacks are now growing to be more strategic than ever, with threat actors targeting sectors and industries with high-stakes operations and critical user databases. 

Regions with advanced digital infrastructure and higher ransom paying tendencies face disproportionate ransomware attacks, as ransom providers are becoming more volatile and active, as predicted in Cyble’s 2025 ransomware report that highlighted the RansomHub-DragonForce clash.

According to the Global Cybersecurity Outlook by WEF, around 72% of respondents report an increase in organizational cyber risks, with ransomware remaining a top concern. Nearly 47% of organizations cite adversarial advances powered by generative AI as their primary concern.

Keeping these figures in mind, let’s see a few instances of ransomware attacks across the most targeted industries and sectors in 2025:

• The healthcare sector experienced a 50% YoY increase in attacks, becoming the most targeted vertical in 2024.
• North America accounted for 54% of all ransomware data leak sites (DLS), making it the most attacked region globally.
• According to Fortinet's threat intelligence report 2024, education and financial services ranked second and third most targeted sectors, respectively, with a combined 33% share of known threats.
• Government and public administration entities saw a 9% rise in ransomware complaints reported to the FBI.
• Attackers increasingly focused on critical infrastructure, including utilities and energy, which were involved in 16% of reported ransomware attacks in 2024.

Ransomware attack trends: Vectors and methods of compromise

Cybercriminals are adapting faster than ever. As attackers and hackers outsource their malware requirements to RaaS, they’re fending off explicit cybersecurity protocols and compliance guidelines to encrypt and isolate databases. 

According to a study by BlackKite, a new hierarchy of vectors has emerged within the ransomware arena, pivoting towards the exploitation of data vulnerabilities. The landscape of cyber threats has already seen a surge in zero-day exploits, with threat actors keen on cracking the spine of systems before defenders can react. 

In the past year alone, a staggering tally of 200 vulnerabilities were recognized in CISA’s KEV catalog, a testament to evolving threat designs. Let’s now look at the major events that highlight attack vectors and data compromise incidents.

• Phishing emails initiated 67% of successful ransomware attacks in North America.
• Software vulnerabilities were exploited in 32% of attacks, which is more than double the share from 2022.
• Remote desktop protocol (RDP) compromise caused 30% of intrusions in small to medium businesses, especially in manufacturing and logistics.
• Stolen credentials were involved in 29% of the ransomware cases, often acquired via infostealer malware or dark web marketplaces
• Nearly 1 in 4 ransomware incidents began with access through unmanaged third-party software integrations.

Key ransomware statistics: Recovery time and mitigation strategies 

The best mitigation strategies for industries to nullify ransomware attacks are to invest in heavy malware defense mechanisms and train their employees accordingly to spot threat patterns.

According to G2, companies need to start their mitigation strategy with defense. It is crucial to know that even one compromised link can wreak havoc and cause destruction.

Below is a rundown of major recovery and mitigation strategies (both financial and data-driven) opted for by companies.

• The average ransomware payment in 2024 rose to $2.73 million, nearly $ $1 million more than the previous year.
• Only 35% of the organizations fully recovered from a ransomware attack within one week in 2024, down from 47% in 2023.
• 97% of victims who paid ransoms in 2024 regained access to their data, but only 59% recovered all data, highlighting unreliable decryptors.
• Cyber insurance claims due to ransomware accounted for 58% of all large-value claims in H1 2024.
• Organizations with immutable backups reported 4x faster recovery times and were 50% less likely to pay ransoms.

Vigilance shapes ransomware defenses

If there’s one thing these years of cybercrime evolution have taught us, it’s this: ransomware is a moving target. 

Threat groups have shown they can evolve faster than defenses — developing new payloads, forming new alliances, and using the latest tech to bypass even the most resilient infrastructures. 

It is crucial to safeguard and monitor ransomware patterns to steer clear of these extortions, and providing complete coverage of security is crucial. 

Looking at past evidence, it is safe to say that now is the time to invest in endpoint mechanisms and threat detection tools. This will secure your systems, eliminate threat actors, and safeguard your data and revenue.

Check out the best 50+ cybercrime statistics for 2025 to decipher the evolution of cybersecurity and how organizations are building a stronger front line of defense.