
50+ Ransomware Statistics for 2025


The threat posed by ransomware is ever-present. Ransomware attacks had already become more complex and audacious, but the advent of AI-enabled deepfakes in recent years has ensured they will continue to increase in volume and sophistication.

In this blog, we look at the latest ransomware statistics and trends and what they mean for businesses across various industries. 

Top ransomware statistics
  • Ransomware attacks are widespread: 59% of organizations were hit by ransomware in 2023, with a global average of 4,000 attacks daily.
  • Attack frequency is high: It is projected that a ransomware attack will occur every two seconds by 2031.
  • Ransomware attacks have risen 13% during the past five years.
  • Large organizations are more frequently targeted: Organizations with over $5 billion in revenue experience a 67% attack rate.
  • The United States is the most targeted country, accounting for 47% of ransomware attacks in 2023.
  • The most common attack vectors are email phishing campaigns, RDP vulnerabilities, and software vulnerabilities.
  • Windows-based executables account for 93% of ransomware.
  • Phishing remains the most common entry point for ransomware attacks.
  • 90% of ransomware attacks either fail or result in zero financial losses for the victim.

Financial impact of ransomware attacks

Although the nature of ransomware attacks depends on the kind of organization, the purpose of the attack is often financial gain. However, the cost to the victim is not solely the price of the ransom: The downtime the targeted organization suffers combined with the cost of restoring normal services can lead to substantial overall financial losses. 

  • Ransomware attacks are becoming more costly: Ransomware attacks in 2023 cost an average of $1.85 million each, with average recovery costs reaching $2.73 million.
  • Ransom payments are increasing: The average ransom payment increased to $2.73 million in 2024.
  • The highest recorded ransom payment demanded in 2024 was $70 million.
  • The median ransom payment in 2024 was $2 million. (This compares with $400,000 in 2023.)
  • Negotiated payments are common: 44% of victims paid less than the demanded amount, while 31% paid more.
  • Downtime is significant: Companies subject to a ransomware attack endure an average of 24 days’ downtime.
  • Revenue loss and brand damage are common: 60% of survey respondents revealed they had lost revenue, and 53% stated their brands were damaged following a ransomware attack.
  • Cyber insurance coverage is often insufficient: 42% of companies with cyber insurance policies reported that their insurance compensated for only a small portion of the damages.
  • Ransomware is a major contributor to cybercrime costs: It is predicted that cybercrime will cost the world $10.5 trillion a year from 2025, and ransomware is forecast to cost its victims around $265 billion annually by 2031.
  • The average ransom demand in 2024 was $4.32M.
  • 63% of 2024 demands exceeded $1M.
  • 30% of 2024 demands exceeded $5M.
  • For payments that were negotiated in 2024:
    • 44% paid less than what was demanded.
    • 31% paid more than what was demanded.
    • 24% paid the amount demanded.

Data encryption and theft

In its simplest form, ransomware seeks to encrypt data and extort money from the victim in return for decrypting it. However, as ransomware has become more sophisticated, it may identify and extract sensitive data before going on to encrypt the files. The attacker transfers the stolen data to their own servers and may publish some of it if the victim refuses to pay the ransom.

  • Data encryption is common: 70% of ransomware attacks led to data encryption in 2024.
  • This has dropped from 76% in 2023.
  • Data theft often accompanies encryption: 32% of attacks involving encryption also included data theft.
  • For the IT industry and telecommunications, 53% of attacks involving encryption also included data theft.
  • The figure is far lower for the higher education sector: 18% of attacks involving encryption also included data theft.

Recovery and post-attack challenges

Recovery from ransomware is a complex process of restoring and securing systems following an attack. The first step is to identify the extent of the ransomware attack and what potential damage it might have caused. Organizations must act quickly and strategically to limit the damage and prevent further exposure.

  • Recovery takes time: For 34% of organizations, recovering from a ransomware attack takes longer than a month.
  • 35% of organizations took a week or less to recover from a ransomware attack in 2024. In 2023, this figure was 47%.
  • Data recovery methods vary:
    • 68% of organizations restore from backups.
    • 56% pay the ransom.
    • 47% use multiple methods.
  • Backups are crucial for faster recovery: For organizations with uncompromised backups, 46% recover in a week or less, compared with 25% for those whose backups were compromised.
  • Repeat attacks are common: 80% of victims who paid a ransom experienced another attack soon after.
  • Payment is no guarantee of data recovery: Just 46% of victims who paid a ransom received access to their data — and much of the data they did receive was corrupted.
  • Data Recovery Methods — this is how organizations recover their data:
    • 68% restored from backups.
    • 56% paid the ransom to recover data.
    • 47% used multiple methods (up from 21% in 2023).

Law enforcement and cyber insurance

Calling the police is a standard response when a crime is suspected, and this remains the case with cyber attacks. 

  • Law enforcement is often involved: 97% of ransomware victims engage law enforcement or official bodies.
  • More than half (59%) of organizations that engaged with law enforcement reported that the process was easy or somewhat easy. 
  • Of those who did engage with law enforcement, just 10% of those surveyed described the process as very difficult.
  • 61% received advice from law enforcement agencies on dealing with ransomware.
  • 60% received assistance with investigating the ransomware attack. 
  • 58% of victims whose data was encrypted were helped by law enforcement agencies to recover their data. 
  • Cyber insurance is increasingly used to fund ransom payments: 23% of ransom payments are funded by cyber insurance.

Leading ransomware groups

There have been some significant disruptions in the ransomware ecosystem recently, with the takedown of ALPHV/BlackCat in late 2023 and the disruption of the LockBit syndicate in 2024. However, the ransomware-as-a-service (RaaS) landscape is resilient: established players like Play and Akira seem to be intensifying their activities, and new ones are emerging.

  • In Q2 of 2023, Akira and BlackCat were the top ransomware variants, with a combined 27% market share. (BlackCat was taken down in late 2023.)
  • In 2023, Magniber Trojan topped the list of the most common ransomware Trojans — being responsible for more than 17% of encounters. Extortion Trojans typically leverage attack vectors including the Remote Desktop Protocol, phishing emails, and software vulnerabilities.
  • LockBit 3.0’s activities rose 164% between 2022 and 2023. 
  • AlphVM’s activities rose 72% between 2022 and 2023.
  • CL0P’s activities rose 1,186% between 2022 and 2023 (30 cases to 386 cases).
  • PLAY’s activities rose 1,084% between 2022 and 2023 (26 cases to 308 cases).
  • BlackBasta’s activities rose 22% between 2022 and 2023 (172 cases to 210 cases).

Key takeaways
