Over a few short years, ransomware has become one of the most prominent cybersecurity threats IT leaders must face. Thanks to headline-making attacks against well-known organizations and the multimillion-dollar sums involved, few cybersecurity threats have captured as much attention as ransomware.
Ransomware is a catch-all term for a wide variety of cyberattacks based on extortion. Hackers use a variety of tactics, techniques, and procedures to gain access to sensitive data, steal or encrypt it, and then demand payment for its safe return.
Threat actors and cybersecurity vendors are in constant competition. When one side gains an advantage, the other quickly makes changes and adapts its approach. Ransomware statistics and trends are the result of ongoing developments in this fast-moving field.
Ransomware Statistics – Editor’s Picks
- The number of ransomware attacks attempted has increased by 20% year-over-year.
- Government agencies and healthcare providers are the most frequently targeted organizations.
- Organizations with legacy IT infrastructure — like healthcare and energy providers — face higher levels of device disruption after a ransomware attack than organizations in other sectors.
- The average ransomware attack results in 21 days of downtime.
- The average cost of unplanned downtime is now $14,000 per minute.
- More than two-thirds of organizations worldwide have been targeted by ransomware.
Yearly Ransomware Statistics
JumpCloud’s 2024 IT Trends Report found ransomware among the top three biggest security concerns reported by IT admins. This trend remains unchanged from 2023, suggesting that threat actors retain the upper hand despite a year of advances in the cybersecurity industry. At the same time, security remains IT admins’ biggest challenge overall, with 56% of respondents putting it higher than new service rollouts (45%), increased work burden (44%), and the cost of remote work solutions (42%).
Historical Data from 2020-2024
According to Sophos, 59% of organizations were hit by ransomware last year. This is a small drop from the previous two years, but still alarmingly high. Since 2020, there has been only one year in which the share of organizations hit by ransomware was lower than 50%. That was in 2021, after the Colonial Pipeline attack attracted national attention and put cybercrime groups under FBI scrutiny.
Key Statistics for 2023
According to SonicWall, the number of ransomware attacks attempted in 2023 rose to 7.6 trillion. That’s a 20% increase from the year prior. This surge in attacks was accompanied by a significant increase in the number of novel attacks. Threat researchers published more than 28,000 new CVEs in 2023, 15% higher than the previous year, showing that cybercriminals continue to experiment with new technologies and attack strategies.
Emerging Trends in 2024 and Beyond
International police crackdowns have become a prominent feature of the cybercrime landscape in 2024. Wired reports that operations against prominent cybercrime groups like LockBit have done little to stop the flood of attacks. Due to the loose organizational structure these groups use, dismantling one often leads to many others popping up in its place — which is exactly what happened after the operation against LockBit.
Industry-Specific Ransomware Stats
Ransomware does not have a uniform impact across industry sectors. Certain types of organizations face much higher risks due to a variety of factors.
Healthcare Sector
Healthcare organizations consistently report facing higher numbers of ransomware attacks than others. Globally, healthcare has the second-highest attack rate (59%) behind government agencies (68%).
However, healthcare ransomware attacks tend to be more impactful than attacks on other industries. The combination of legacy technologies and the ethical priority to protect patients’ lives gives cybercriminals an easy target. Despite healthcare providers’ best attempts, there is evidence that hospital mortality rates increase by 20% following a ransomware attack.
Educational Institutions
Verizon’s 2024 Data Breach Investigations Report found that the educational services sector faced more than three times as many incidents as in the previous year. The amount of data disclosed in attacks against educational institutions is even higher — more than six times the volume of data was exfiltrated in the same time frame. Experts attribute this surge in ransomware activity to the MOVEit data breach that impacted nearly 900 U.S. colleges.
Financial Services
Sophos reports that 65% of financial services organizations were targeted by ransomware in 2024. In nine out of 10 of these attacks, threat actors tried to compromise the organization’s backups. Just under half of these attacks resulted in successful data encryption — one of the lowest rates of encryption among all industry sectors.
Public Sector Agencies
According to Sophos, state and local government agencies reported the lowest frequency of attacks (34%). However, these organizations also reported the highest rate of data encryption, with 98% of attacks resulting in this outcome. This suggests that public sector organizations are not prepared for modern ransomware attacks, and that cybercriminals will increasingly target these underprepared organizations in the future.
Other Sectors
The energy, oil, and gas sector experiences the highest rate of disruption on individual devices from ransomware attacks, at 62%. This is nearly double the disruption experienced at IT, technology, and telecommunications firms (33%), which often have stronger cybersecurity policies in place. Healthcare also experiences a high level of device disruption (58%), suggesting that legacy infrastructure can have a major impact on an organization’s overall security posture.
Frequency and Probability of Ransomware Attacks
Attack Frequency Analysis
More than two-thirds of organizations have been targeted by ransomware attacks worldwide. Education remains one of the most frequently targeted sectors, followed by healthcare and manufacturing. Geographically, the United States suffers the highest number of attempted ransomware attacks, and by size, mid-sized companies are the most commonly targeted organizations.
Probability of Being Targeted
According to NordLocker, California, Texas, Florida, and New York have the highest number of ransomware attacks. When adjusted for the number of active businesses in the state, Michigan takes the top spot, with 38.2 ransomware attacks per 100,000 companies. By comparison, Missouri has 1.8 ransomware attacks per 100,000 active businesses, making it the safest state in the country.
High-Risk Periods and Triggers
Control Gap reports that cybercriminals tend to act when they know offices will be understaffed. That means launching ransomware attacks during holidays, major sporting events, and at moments of civil instability or unrest. Natural disasters like hurricanes also give cybercriminals an opportunity to launch attacks that may go unnoticed — or remain underprioritized — long enough for them to exfiltrate valuable data.
Cost and Financial Impact of Ransomware
Average Ransom Demands
More than half of ransomware demands are for sums over $1 million. The average initial ransom demand is just over $4 million. This indicates that attackers may be raising their initial demands with the expectation of negotiating downwards from there. Fewer than a quarter of ransomware victims report paying the full sum initially requested.
Indirect Costs
The average downtime experienced by organizations as a result of ransomware is 21 days. EMA Research estimates the cost of downtime as between $14,000 and $23,750 per minute. This adds up to staggering nine-figure sums — much lower than even the boldest ransom demand. Even organizations that successfully mitigate ransomware attacks must dedicate time and resources to recovery and experience some downtime in the process.
Industry-Specific Financial Data
Sophos research shows no strong correlation between ransom payments and the use of backups among different industry sectors:
- The media and entertainment industry reported the highest rate of ransom payment to recover data (69%) and also an above average rate of backup use (74%).
- The energy, oil, and gas sector has the lowest level of backup use (51%), but also has a ransom payment rate of 61%, which is lower than four other sectors.
Recent and Notable Ransomware Attacks
High-Profile Cases
Recent ransomware attack scenarios showcase some of the tactics threat actors now leverage against their targets. Although these attacks rely on different tools and strategies, they share important details that security leaders can use to protect themselves in the future.
- AT&T vs. ShinyHunters
In April 2024, ShinyHunters breached AT&T’s systems and stole data on more than 110 million customers. Originally, the group demanded a $1 million ransom, but AT&T was able to reduce the payment by more than one-third with the help of a ransomware negotiator. The hacking group gained access through poorly secured cloud storage accounts with Snowflake, a third-party vendor.
Lessons Learned
Snowflake is not entirely to blame for the attack. More than 150 Snowflake customers suffered similar attacks because they neglected to secure their accounts with multi-factor authentication (MFA). Analysis shows that the group hacked another Snowflake customer first, and then discovered they could access additional accounts afterwards.
Mitigation and Recovery Strategies
Cloud infrastructure is flexible, scalable, and highly interconnected. Organizations must protect their cloud computing deployments with multi-layered defenses that include both prevention and detection solutions. MFA is a must, alongside cloud security posture management and mature incident response strategies.
- Change Healthcare vs. ALPHV (BlackCat)
In February 2024, Change Healthcare, a data processing firm owned by UnitedHealth Group, was targeted by ALPHV, also known as BlackCat. As a result, hundreds of thousands of healthcare providers could no longer submit claims or receive payments. There is evidence that Change paid a $22 million ransom, but that an internal dispute between threat actors became an obstacle to immediate recovery.
Lessons Learned
Although ransomware groups appear to be well-organized, they rarely are. Loose groups of distantly affiliated cybercrime actors may cooperate when they sense a payday is coming, but that cooperation is not guaranteed. This can impact victims who realize too late that they mistakenly placed their trust in the criminal enterprise currently extorting them.
Mitigation and Recovery Strategies
Paying the ransom may seem like the only way out, but it offers no guarantees. Cybercriminals have no real incentive to delete the data they stole or dismantle the tools they used to infiltrate their victim’s systems. This is why the FBI strongly recommends never paying threat actors, regardless of the potential damage that can ensue.
- CDK Global vs. BlackSuit
CDK Global reported that a ransomware infection took its software services offline in June 2024. The company provides software to more than 15,000 automotive dealers across North America. Customers could not complete their car transactions or have their vehicles serviced during the outage, and third-party hackers attempted to capitalize on the opportunity with phishing attacks and identity fraud.
Lessons Learned
The main attack disrupted vehicle transactions and payroll processing, providing an opportunity for unrelated hackers to step in and exacerbate the damage. Many car owners and auto dealership customers found themselves targeted by cybercriminals who already had access to their personally identifiable information thanks to the attack.
Mitigation and Recovery Strategies
At the outset of the attack, CDK Global did not keep its users updated on the status of the attack (or their data) in a centralized location. Since the company did not communicate clearly and consistently to impacted users, opportunistic threat actors seized the moment and exploited victims further. Any organization facing an active ransomware attack must take clear steps to protect its users throughout the mitigation and recovery process.
Future Projections and Preventive Measures
IT leaders who invest in multi-layered security can prevent ransomware attacks from occurring and detect potential threats before they lead to catastrophic losses. Investing in effective prevention techniques helps reduce the risk associated with ransomware.
Effective Prevention Techniques
Secure, immutable backups are a must-have for ransomware prevention. Combined with multi-factor authentication and Zero Trust architecture, IT leaders can make their environment much harder for threat actors to navigate successfully. These prevention techniques force threat actors to slow down and increase their chances of being detected by your security team.
Strategic Planning for Cybersecurity
JumpCloud enables organizations to consolidate their endpoint device fleets and directory services, providing a single point of reference for identity and access management. Use JumpCloud to lock compromised devices with strong password policies and multi-factor authentication, and control how devices respond to requests to control access throughout your organization.