Ransomware statistics in 2020: From random barrages to targeted hits

ransomware statistics - Featured image

Ransomware attacks have come a long way from their brutish and unsophisticated beginnings as “spray-and-pray” email phishing campaigns against randomly selected targets.

The overall number of attacks has dropped, but their efficiency and success rate have risen. 

An analysis of statistics, facts and ransomware examples demonstrates that hackers have shifted their focus to business, where they find interconnected systems with security holes, a willingness to pay up so essential business functions can be restored, and – most importantly – deep pockets.

Key ransomware statistics

  • There will be ransomware attack every 11 seconds by 2021. By that time, the global cost will be $20 billion yearly.
  • Today, businesses suffer ransomware attacks every 40 seconds.
  • Phishing emails are the cause of two-thirds of ransomware infections.
  • Every year, ransomware generates an estimated $1 billion in revenue for cybercriminals.
  • About 9% of the American population has been a victim of a ransomware attack at some point.

General ransomware statistics

1. There will be a ransomware attack every 11 seconds by 2021, according to a 2018 analysis by CyberSecurity Ventures.

(CyberSecurity Ventures)

This is an increase of about 20% compared to the prediction 2019 – 14 attacks per second.


2. According to cyber attack statistics published by Symantec, ransomware frequency declined 20% in 2018, the first drop since 2013.

(Symantec)

Symantec, one of the leading internet security companies, says the drop in activity is even more noticeable when WannaCry, Petya, and other copycat worms are taken out of the equation. Then the drop is 52%.


3. Annual ransomware damages will skyrocket to $20 billion by 2021.

(CyberSecurity Ventures)

Recent security breaches are less frequent, but they are more and more lucrative for cybercriminals. This is due, in part, to the fact that ransomware operators are adopting new strategies and angles of attack against high-profile targets.


4. A staggering 638 million attacks were carried out worldwide in 2016.

(Statista)

Ransomware hackers went wild in 2016. Ransomware statistics from 2017 show that there were fewer attacks, but they were more effective.


5. Five million Americans were affected by ransomware attacks from June 2016 to June 2017.

(Stanford University)

It was the year of the ransomware cyber attack, the year of WannaCry. Cybersecurity operator Symantec blocked 405,000 consumer ransomware infections during this period.


6. How does ransomware spread? Phishing emails are the vector for two-thirds of ransomware infections.

(Statista)

Spam campaigns are a popular method of disseminating malicious code. Spear-fishing, the more targeted and personalized approach, is much more effective in infiltrating complex security networks. Insufficient user security training was present in 33% of infection cases.

Other methods of infection include drive-by downloads and malvertizing.


7. 46% of ransomware operators impersonate authority figures like the FBI. Among those attacks, 82% lock the victim’s computer without encrypting files.

(Stanford University)

To provide the illusion of authority and scare people into paying, attackers often pose as representatives of the FBI, ransomware statistics show.

“FBI – YOU HAVE BEEN WATCHING PORN OR GAMBLING OR BOTH, YOU MUST PAY $200 TO MONEYGRAM” – an actual ransom note.

A warning message appears before the victim, claiming that they have been caught partaking in illegal activity such as browsing illicit pornographic sites. This type of attack probably works best on people who actually did things of that nature.

The victim is then prompted to make a payment. Some people are so flustered and intimidated that they don’t stop to wonder why the FBI would ask for payments in cryptocurrencies or a prepaid cash voucher.


8. The search term ‘ransomware’ has seen an 877% increase in traffic since 2016.

(University of California – San Diego)

That is right around the time that ransomware became a multimillion-dollar business amid the major ransomware attacks of 2017, says Kylie McRoberts, a senior Google strategist.


Ransomware revenue statistics

9. Ransomware attack statistics reveal $1 billion in annual revenues for cybercriminals.

(Bromium)

The University of Surry’s Michael McGuire says cybercrime yields $1.5 trillion in revenues per year. The illicit and illegal online trading market for contraband such as drugs and weapons is responsible for the biggest portion, $860 billion. 

Ransomware is an excellent source of revenue for individual attackers. It doesn’t take much skill, as ransomware kits can be purchased on the dark web. Besides, it operates on a “set-and-forget” model.


10. How much money have recent cyber attacks raised?

Name of ransomwarePeriodProfit evaluation
CryptoLocker2013~$3 million
Cryptowall2014-16~$18-320 million
Locky$7.8-150 million
Cerber$6.9 million
WannaCry2016$55,000-$140,000
Petya/NotPetya$10,000

11. Revenue from ransomware had the biggest jump from February to March 2016 – from around $400,000 to almost $2.5 million.

(University of California – San Diego)

The Locky and Cerber attacks were mostly responsible for this huge spike.


12. According to ransomware statistics, in 2016 and 2017 the median ransom demanded from consumers was $250.

(Stanford University)

The average, not median, reported ransom was about $530. The highest was around $8,000.

Of course, the monetary cost is just part of the picture revealed by ransomware attacks statistics. The psychological trauma, the time it takes to remedy the situation, and the loss of valued possessions like family photos and work-related documents should all be taken into account when evaluating the total impact.


13. 42% of ransomware attackers ask for a prepaid cash voucher, consumers report.

(Stanford University)

Cryptocurrency was the ransom method of choice in just 12% of cases, the Stanford study reported.


14. 95% of profits accrued from ransomware were laundered through the BTC-e cryptocurrency exchange.

(Bromium)

Whether the ransom is paid in cryptocurrency or conventional funds, the most efficient way to launder the money is through cryptocurrency exchanges.

Before being shut down in 2017 by the American government, the cryptocurrency exchange BTC-e was the go-to place for covering the trail of dirty ransomware money.


Massive ransomware attack statistics

15. WannaCry: The 2017 ransomware attack contaminated 200,000 computers worldwide.

(Statista)

The global ransomware attack WannaCry was launched in May 2017. A security hole in Windows XP called EternalBlue provided a window that allowed North Korean attackers to infect more than 200,000 computers around the world.

Even though Microsoft had discontinued support for XP in 2014, the company quickly issued a patch to address the problem.

  • 5 days – how long the attack lasted before it was contained.
  • More than 200,000 – the number of infected devices.
  • 150 – number of countries that were included in the attack.
  • $300 – the original ransom amount. 
  • $600 – the ransom after seven days. This was low compared to other large-scale hacking campaigns. The 2016 Cerber ransomware attack had an average ransom of $1,200.

16. According to NHS ransomware statistics, the 2017 Wannacry attack put a £73 million dent in the budget of the UK’s National Health Service.

(New Statesman)

Doctors and nurses had no alternative but to cancel 19,000 appointments in 80 institutions across the country.

The attack cost around £19 million in lost fees and spent around £72 million restoring files lost in the attack.


17. CryptoLocker: The global cost of one of the first modern ransom ware examples was around $3 million.

Between September 2013 and May 2014, the world of cybercrime was changed for good – Cryptolocker ransomware hit the big time and a new business model was set to strike fear into the bones of business owners, government officials, and consumers around the globe.


18. Ryuk: The latest ransomware campaign generated more than $3.7 million in the first four months after it started in August 2018. The city of Riviera Beach, Florida, paid $600,000 in ransom.

(New Scientist)

Ransomware attacks are getting more targeted and more precise. More and more victims simply pay the ransom to restore access to precious data.

Another city in Florida, Lake City, paid $10,000 of its $530,000 ransom, with an insurance company picking up the rest of the tab for the Ryuk ransomware attack in 2019.


19. Teslacrypt: In the first two months after it was launched, hackers extorted $76,000 by locking video game-related files on victims’ computers.

(Computerworld)

This happened between February and April 2015.

This malware attack went straight for the data people hold close to their hearts – game files like saves and custom maps. That’s how the campaign started. The hackers demanded $500 from most victims.

In 2016, the team behind TeslaCrypt released a master decryption key in a text file, along with a message stating, “We are sorry.”


20. NotPetya caused about $10 billion in damages worldwide, ransomware statistics from 2017 show.

(Wired)

Security experts from Kaspersky claim that the 2017 world wide cyber attack NotPetya was not a ransomware attack in the proper sense. It did encrypt files, but a closer inspection of the malware code showed that the decryption data included in the files was random nonsense. 

That led the cyber community to the conclusion that NotPetya was a Russian act of cyber warfare against Ukraine that went global.

The Danish shipping and transport company Maersk, which handles almost a fifth of the world’s freight and has more than 85,000 employees, was among the hardest hit. The company lost about $300 million because of the attack.

Another company that was hit hard: FedEx. The ransomware attack cost the company’s Dutch subsidiary, TNT Express, $300 million.

Kaspersky named the worm after the Petya ransomware attack because of similarities in ransom demand and target selection.


21. Cerber: The creator of the ransomware software earns just under $1 million a year.

(Check Point Software Technologies)

Ransomware as a service – a great concept for malware creators. 

Cerber is essentially an affiliate program. The software’s author gives other malicious actors the ransomware kit on a sale or return basis. Forty percent of the revenue they accrue goes directly into the creator’s wallet. He just sits back and lets the money drip in through a convoluted net of address mixers that make the transactions untraceable.

As of 2018, no active cases of Cerber were detected, but in early 2017 it accounted for 26% of all ransomware infections.


22. SamSam: The highest ransom ever paid for an attack was $64,000. SamSam has accrued a total of almost $6 million in ransom payments since 2015.

(Sophos)

Among the latest ransomware attacks, SamSam is a particularly sophisticated operation. 

The attack is carried out on carefully selected targets, mostly organizations and businesses, using legitimate Windows sysadmin tools. Access to the network is gained gradually through security holes. After the ransom has been paid, no trace is left behind.

The most interesting statistic: Sophos, one of the most prominent cyber-safety companies, believes that there is just one person behind the SamSam attacks.


23. Cryptowall: One of the most lucrative ransomware families, Cryptoware generated $325 million in ransom payments since its inception.

(Cyber Threat Alliance)

The “crypt100” campaign targeted 15,000 businesses across the globe and generated roughly $5 million in profit for the CW3 group behind the attacks. US government statistics on ransomware published by the IC3 claim that CryptoWall is the most successful global cyber attack.


Statistics of ransomware victims: Business and enterprise

24. Ransomware statistics from 2018 show that businesses and enterprises accounted for 81% of ransomware targets.

(Symantec)

Enterprises remain the prime targets for these types of cyber attacks. Email, the main channels of communication for businesses, is the primary means of ransomware distribution. 

Symantec reports a 12% increase in ransomware attacks on businesses in 2018, despite an overall decline in occurrence when consumer attacks are taken into account.


25. Only 37% of American businesses are confident that they can stop a ransomware attack.

(Malwarebytes)

IT experts in America are pessimistic about their chances of thwarting a ransomware internet attack on their company. Their Canadian and German colleagues are much more confident: 67% of them say they are safe.


26. A business gets attacked by ransomware every 40 seconds, approximately.

(Kaspersky)

Recent security breaches have put heavy strain on businesses and enterprises. Withstanding such a heavy barrage of attacks requires a serious investment in cybersecurity.


27. Companies spend a total $10 billion globally on employee security training.

(Herjavec)

This is up from $1 billion in 2014.

The surface of attack for businesses is enormous – a single click on a ransomware email can compromise an entire corporation. Investing in proper employee training is the best step companies can take to increase their cybersecurity.


28. The spread of global ransomware

(Symantec)

Here is the percentage distribution for ransomware attacks by country, according to Symantec.

CountryPercent
China16.9
India14.3
USA13.0
Brazil5.0
Portugal3.9
Mexico3.5
Indonesia2.6
Japan2.1
South Africa2.1
Chile1.8

29. The ransomware payout frequency for businesses almost quadrupled from 2018 to 2019, from 4% to 15%.

(Dark Reading)

Businesses have little to no choice when a devastating ransomware attack hits – it’s a sink or swim situation.

While the frequency of attacks of businesses has dropped, according to ransomware statistics detailed in the latest Dark Reading report, the precision and effectiveness seem to be rising.

In 2018 only 4% of attacks resulted in a payoff, which is usually a last resort for an urgent situation. That percentage has risen to 15% in 2019.

Statistics of ransomware victims: Consumers

30. About 9% of Americans have been victims of a ransomware attack at some point.

(Stanford University)

There are an estimated 200 million internet users in the USA. Ransomware statistics from a 2019 Stanford study suggest that 17 million people have been ransomware victims.

More often than not, however, several people use the same computer. That means the number of ransomware victims is substantially larger than the number of households affected.


31. More than 4.2 million American mobile users suffered ransomware attacks on their phones.

(Kaspersky)

Phones are not immune to ransomware attacks. All it takes is a single dodgy download from the app store to lock up the device.

According to cyber crime statistics published by Kaspersky, 1.58% of mobile users have been victims of ransomware attack in the USA. Considering that there are 267 million mobile users, the number of individual phones under attack is in the millions.


32. Only 6.4% of consumers pay the ransom.

(Stanford University)

Research shows that victims who pay ransom get their assets back. However, paying the ransom is never advised. It perpetuates the criminal activity by providing funds to attackers. And there is no guarantee the attacker will provide the decryption key after payment. 

No More Ransom is an online service that offers free decryption tools in 36 languages.


33. Only 7.9% of consumers report ransomware to authorities.

(Stanford University)

There could be many reasons for the consumers’ general distrust of official authorities like the IC3. For example, victims may fear further retaliation from the attackers. They may doubt the aptitude of government agencies. Consumers don’t trust the FBI for ransomware assistance.


34. Restarting the computer is the first step 30% of people take when confronted with an attack.

(Stanford University)

Rebooting is a knee-jerk reaction. For sophisticated cyber threats, this doesn’t do much.


35. 22% of consumers just restore their computer from a backup.

(Stanford University)

That’s a sign of good cyberhygiene.


36. 44% of consumers purchase AV software after suffering a ransomware attack.

(Stanford University)

Security breaches are a sobering experience to be sure. People change their habits after experiencing firsthand how vulnerable they are. 

Paying more attention while browsing is the most common habit people acquire.

For 24% of consumers, enabling automatic operating system updates is part of the effort to increase cybersafety. 

Few victims start encrypting their files after an attack, malware statistics show.


Ransomware definition

Ransomware is a type of malicious software that locks the victim’s computer and holds it for ransom.

Two main types of ransomware

  1. Ransomware that encrypts the victim’s files. 
  2. Ransomware that locks up the victim’s computer.

Ransomware statistics show that more consumers report the locking type (74%).

Sources