{"id":116825,"date":"2024-10-22T17:08:56","date_gmt":"2024-10-22T21:08:56","guid":{"rendered":"https:\/\/jumpcloud.com\/?p=116825"},"modified":"2024-10-25T17:11:55","modified_gmt":"2024-10-25T21:11:55","slug":"2024-ransomware-attack-statistics-trends-to-know","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/2024-ransomware-attack-statistics-trends-to-know","title":{"rendered":"2024 Ransomware Attack Statistics & Trends to Know"},"content":{"rendered":"\n
Over a few short years, ransomware has become one of the most prominent cybersecurity threats IT leaders must face. Thanks to headline-making attacks against well-known organizations and the multimillion-dollar sums involved, few cybersecurity threats have captured as much attention as ransomware.<\/p>\n\n\n\n
Ransomware is a catch-all term for a wide variety of cyberattacks based on extortion. Hackers use a variety of tactics, techniques, and procedures to gain access to sensitive data, steal or encrypt it, and then demand payment for its safe return.<\/p>\n\n\n\n
Threat actors and cybersecurity vendors are in constant competition. When one side gains an advantage over the other, it quickly makes changes and adapts its approach. Ransomware statistics and trends are the result of ongoing developments in this fast-moving field.<\/p>\n\n\n\n
JumpCloud\u2019s 2024 IT Trends Report<\/a> found ransomware among the top three biggest security concerns reported by IT admins. This trend remains unchanged from 2023, suggesting that threat actors retain the upper hand despite a year of advances in the cybersecurity industry. At the same time, security remains IT admins\u2019 biggest challenge overall, with 56% of respondents putting it higher than new service rollouts (45%), increased work burden (44%), and the cost of remote work solutions (42%).<\/p>\n\n\n\n According to Sophos<\/a>, 59% of organizations were hit by ransomware last year. This is a small drop from the previous two years, but still alarmingly high. Since 2020, there has only been one year where the total percentage of ransomware attacks was lower than 50%. That was in 2021, after the Colonial Pipeline attack<\/a> attracted national attention and put cybercrime groups under FBI scrutiny. <\/p>\n\n\n\n According to SonicWall<\/a>, the number of ransomware attacks attempted in 2023 rose to 7.6 trillion. That\u2019s a 20% increase from the year prior. This surge in attacks was accompanied by a significant increase in the number of novel attacks. Threat researchers published more than 28,000 new CVEs in 2023, 15% higher than the previous year, showing that cybercriminals continue to experiment with new technologies and attack strategies.<\/p>\n\n\n\n International police crackdowns have become a prominent feature of the cybercrime landscape in 2024. Wired<\/a> reports that operations against prominent cybercrime groups like LockBit have done little to stop the flood of attacks. Due to the loose organizational structure these groups use, dismantling one often leads to many others popping up in its place \u2014 which is exactly what happened after the operation against LockBit.<\/p>\n\n\n\n Ransomware does not have a uniform impact across industry sectors. 
Certain types of organizations face much higher risks due to a variety of factors.<\/p>\n\n\n\n Healthcare organizations consistently report facing higher numbers of ransomware attacks than others. Globally, healthcare has the second-highest attack rate<\/a> (59%) behind government agencies (68%).<\/p>\n\n\n\n However, healthcare ransomware attacks tend to be more impactful than attacks on other industries. The combination of legacy technologies and the ethical priority to protect patients\u2019 lives gives cybercriminals an easy target. Despite healthcare providers\u2019 best attempts, there is evidence that shows hospital mortality rates increase by 20%<\/a> following a ransomware attack. <\/p>\n\n\n\n Verizon\u2019s 2024 Data Breach Investigations Report<\/a> found that the educational services sector faced more than three times as many incidents as in the previous year. The amount of data disclosed in attacks against educational institutions is even higher \u2014 more than six times the volume of data was exfiltrated in the same time frame. Experts attribute this surge in ransomware activity to the MOVEit data breach<\/a> that impacted nearly 900 U.S. colleges.<\/p>\n\n\n\n Sophos<\/a> reports that 65% of financial services organizations were targeted by ransomware in 2024. In nine out of 10 of these attacks, threat actors tried to compromise the organization\u2019s backups. Just under half of these attacks resulted in successful data encryption \u2014 one of the lowest rates of encryption among all industry sectors.<\/p>\n\n\n\n According to Sophos<\/a>, state and local government agencies reported the lowest frequency of attacks (34%). However, these organizations also reported the highest rate of data encryption, with 98% of attacks resulting in this outcome. 
This suggests that public sector organizations are not prepared for modern ransomware attacks, and that cybercriminals will increasingly target these underprepared organizations in the future.<\/p>\n\n\n\n The energy, oil, and gas sector experiences the highest rate of disruption on individual devices from ransomware attacks, at 62%. This is nearly double the disruption experienced at IT, technology, and telecommunications firms (33%), which often have stronger cybersecurity policies in place. Healthcare also experiences a high level of device disruption (58%), suggesting that legacy infrastructure can have a major impact on an organization\u2019s overall security posture.<\/p>\n\n\n\n More than two-thirds of organizations<\/a> have been targeted by ransomware attacks worldwide. Education remains one of the most frequently targeted sectors, followed by healthcare and manufacturing<\/a>. Geographically, the United States suffers the highest number of attempted ransomware attacks, and mid-sized companies<\/a> are the most commonly targeted organizations by size.<\/p>\n\n\n\n According to NordLocker<\/a>, California, Texas, Florida, and New York have the highest number of ransomware attacks. When adjusted for the number of active businesses in the state, Michigan takes the top spot, with 38.2 ransomware attacks per 100,000 companies. By comparison, Missouri has 1.8 ransomware attacks per 100,000 active businesses, making it the safest state in the country.<\/p>\n\n\n\n Control Gap<\/a> reports that cybercriminals tend to act when they know offices will be understaffed. That means launching ransomware attacks during holidays<\/a>, major sporting events, and at moments of civil instability or unrest. 
Natural disasters like hurricanes also give cybercriminals an opportunity to launch attacks that may go unnoticed \u2014 or remain underprioritized \u2014 long enough for them to exfiltrate valuable data.<\/p>\n\n\n\n More than half of ransomware demands are for sums over $1 million<\/a>. The average initial ransom demand is just over $4 million. This indicates that attackers may be raising their initial demands with the expectation of negotiating downwards from there. Fewer than a quarter of ransomware victims report paying the full sum initially requested<\/a>.<\/p>\n\n\n\n The average downtime experienced by organizations as a result of ransomware is 21 days. EMA Research<\/a> estimates the cost of downtime as between $14,000 and $23,750 per minute. This adds up to staggering nine-figure sums \u2014 much lower than even the boldest ransom demand. Even organizations that successfully mitigate ransomware attacks must dedicate time and resources to recovery and experience some downtime in the process.<\/p>\n\n\n\n Sophos research<\/a> shows no strong correlation between ransom payments and the use of backups among different industry sectors:<\/p>\n\n\n\n Recent ransomware attack scenarios showcase some of the tactics threat actors now leverage against their targets. Although these attacks rely on different tools and strategies, they share important details that security leaders can use to protect themselves in the future.<\/p>\n\n\n\n In April 2024, ShinyHunters breached AT&T\u2019s<\/a> systems and stole data on more than 110 million customers. Originally, the group demanded a $1 million ransom, but AT&T was able to reduce the payment by more than one-third with the help of a ransomware negotiator. The hacking group gained access through poorly secured cloud storage accounts with Snowflake, a third-party vendor.<\/p>\n\n\n\n Snowflake is not entirely to blame for the attack. 
More than 150 Snowflake customers suffered similar attacks because they neglected to secure their accounts with multi-factor authentication<\/a> (MFA). Analysis shows that the group hacked another Snowflake customer first, and then discovered they could access additional accounts afterwards.<\/p>\n\n\n\n Cloud infrastructure is flexible, scalable, and highly interconnected. Organizations must protect their cloud computing deployments with multi-layered defenses that include both prevention and detection solutions. MFA is a must, alongside cloud security posture management and mature incident response strategies.<\/p>\n\n\n\n In February 2024, Change Healthcare<\/a>, a data processing firm owned by UnitedHealth Group, was targeted by ALPHV, also known as BlackCat. As a result, hundreds of thousands of healthcare providers could no longer submit claims or receive payments. There is evidence that Change paid a $22 million ransom, but that an internal dispute between threat actors became an obstacle to immediate recovery.<\/p>\n\n\n\n Although ransomware groups appear to be well-organized, they rarely are. Loose groups of distantly affiliated cybercrime actors may cooperate when they sense a payday is coming, but that cooperation is not guaranteed. This can impact victims who realize too late that they mistakenly placed their trust in the criminal enterprise currently extorting them.<\/p>\n\n\n\n Paying the ransom may seem like the only way out, but it offers no guarantees. Cybercriminals have no real incentive to delete the data they stole or dismantle the tools they used to infiltrate their victims\u2019 systems. This is why the FBI<\/a> strongly recommends never paying threat actors, regardless of the potential damage that can ensue.<\/p>\n\n\n\n CDK Global reported that a ransomware infection took its software services offline in June 2024<\/a>. The company provides software to more than 15,000 automotive dealers across North America. 
Customers could not complete their car transactions or have their vehicles serviced during the outage, and third-party hackers attempted to capitalize on the opportunity with phishing attacks<\/a> and identity fraud.<\/p>\n\n\n\n The main attack disrupted vehicle transactions and payroll processing, providing an opportunity for unrelated hackers to step in and exacerbate the damage. Many car owners and auto dealership customers found themselves targeted by cybercriminals who already had access to their personally identifiable information thanks to the attack.<\/p>\n\n\n\n At the outset of the attack, CDK Global did not keep its users updated on the status of the attack (or their data) in a centralized location. Since the company did not communicate clearly and consistently to impacted users, opportunistic threat actors seized the moment and exploited victims further. Any organization facing an active ransomware attack must take clear steps to protect its users throughout the mitigation and recovery process.<\/p>\n\n\n\n IT leaders who invest in multi-layered security can prevent ransomware attacks from occurring, and detect potential threats before they lead to catastrophic losses. Investing in effective prevention techniques helps reduce the risk associated with ransomware<\/a>.<\/p>\n\n\n\n Secure, immutable backups are a must-have for ransomware prevention. Combined with multi-factor authentication<\/a> and Zero Trust architecture<\/a>, they help IT leaders make their environment much harder for threat actors to navigate successfully. These prevention techniques force threat actors to slow down and increase their chances of being detected by your security team.<\/p>\n\n\n\n JumpCloud enables organizations to consolidate their endpoint device fleets and directory services, providing a single point of reference for identity and access management. 
Use JumpCloud to lock compromised devices with strong password policies and multi-factor authentication, and control how devices respond to requests to control access throughout your organization.<\/p>\n\n\n\nHistorical Data from 2020-2024<\/h3>\n\n\n\n
Key Statistics for 2023<\/h3>\n\n\n\n
Emerging Trends in 2024 and Beyond<\/h3>\n\n\n\n
Industry-Specific Ransomware Stats<\/h2>\n\n\n\n
Healthcare Sector<\/h3>\n\n\n\n
Educational Institutions<\/h3>\n\n\n\n
Financial Services<\/h3>\n\n\n\n
Public Sector Agencies<\/h3>\n\n\n\n
Other Sectors<\/h3>\n\n\n\n
Frequency and Probability of Ransomware Attacks<\/h2>\n\n\n\n
Attack Frequency Analysis<\/h3>\n\n\n\n
Probability of Being Targeted<\/h3>\n\n\n\n
High-Risk Periods and Triggers<\/h3>\n\n\n\n
Cost and Financial Impact of Ransomware<\/h2>\n\n\n\n
Average Ransom Demands<\/h4>\n\n\n\n
Indirect Costs<\/h3>\n\n\n\n
Industry-Specific Financial Data<\/h3>\n\n\n\n
\n
Recent and Notable Ransomware Attacks<\/h2>\n\n\n\n
High-Profile Cases<\/h3>\n\n\n\n
\n
Lessons Learned<\/h3>\n\n\n\n
Mitigation and Recovery Strategies<\/h3>\n\n\n\n
\n
Lessons Learned<\/h3>\n\n\n\n
Mitigation and Recovery Strategies<\/h3>\n\n\n\n
\n
Lessons Learned<\/h3>\n\n\n\n
Mitigation and Recovery Strategies<\/h3>\n\n\n\n
Future Projections and Preventive Measures<\/h2>\n\n\n\n
Effective Prevention Techniques<\/h3>\n\n\n\n
Strategic Planning for Cybersecurity<\/h3>\n\n\n\n