63 Ransomware Statistics You Must Know in 2025

What Is Ransomware? 

Ransomware is a type of malicious software that blocks access to a computer system or encrypts files until a ransom is paid. Typically, attackers demand payment in cryptocurrency to preserve their anonymity and make transactions harder to trace. The goal is financial extortion—victims must either pay the ransom to regain access or face data loss and operational disruption.

The consequences of a ransomware attack can be severe, including prolonged downtime, lost revenue, reputational harm, and long-term security challenges. Even if a ransom is paid, there is no guarantee that data will be fully restored or that attackers won’t strike again. As a result, cybersecurity measures, regular backups, and incident response planning are crucial defenses against this growing threat.

This is part of a series of articles about ransomware protection

In this article we will cover the following ransomware statistics:

• Attack Volume and Frequency
• Financial Impact and Payment Trends
• Data Encryption and Theft
• Recovery and Post-Attack Outcomes
• Industry-Specific Impacts
• Law Enforcement and Cyber Insurance
• Leading Ransomware Groups
• Emerging Tactics and Trends
• Cryptocurrency and Ransom Payments

Key Ransomware Statistics

Attack Volume and Frequency

Ransomware attacks have become a regular feature of the cybersecurity threat landscape, with a steady increase in volume over recent years. Attackers continue to exploit common vulnerabilities and entry points at scale, affecting businesses of all sizes.

Statistics for attack volume and frequency:

1. 59% of organizations experienced a ransomware attack in 2023.
2. An estimated 4,000 ransomware attacks occur globally every day.
3. Ransomware attacks have risen by 13% in the past five years.
4. Projections indicate that by 2031, a ransomware attack will happen every two seconds.
5. 27% of all malware-related breaches in 2023 involved ransomware.
6. The United States is the most targeted country, accounting for 47% of global ransomware attacks in 2023.
7. 93% of ransomware is distributed as Windows-based executable files.
8. Common delivery methods include phishing emails, remote desktop protocol (RDP) exploits, and software vulnerabilities.
9. Phishing remains the single most common method used to initiate a ransomware attack.

Sources: Sophos, Verizon, Sonicwall 

Financial Impact and Payment Trends

Ransomware is financially motivated, with attackers often demanding payments to restore access to encrypted data. But the financial damage doesn’t end with the ransom. Downtime, lost productivity, reputational damage, and recovery expenses significantly increase the total cost to victims.

Statistics for financial impact and payment:

10. Average cost of a ransomware incident in 2023: $1.85 million.
11. Average recovery cost per incident: $2.73 million.
12. Average ransom payment in 2024: $2.73 million, up from $400,000 in 2023.
13. Median ransom payment in 2024: $2 million.
14. Highest ransom demand recorded in 2024: $70 million.
15. In 2024, 63% of demands exceeded $1 million; 30% exceeded $5 million.
16. 42% of organizations with cyber insurance said their policies covered only a small portion of the incurred costs.
17. Global ransomware-related cybercrime is projected to cost victims $265 billion annually by 2031.
18. Total ransomware payments in 2024 were approximately $813.55 million.

Sources: Coveware, Cybersecurity Ventures, Sophos, Chain Analysis

Data Encryption and Theft

While traditional ransomware attacks focused on encrypting files and demanding payment for decryption keys, modern variants have evolved. Many now also include data exfiltration—stealing sensitive information and using it for extortion. This dual-threat tactic allows attackers to increase pressure on victims by threatening to release stolen data if the ransom is not paid.

Statistics for data encryption and theft:

19. In 2024, 70% of ransomware attacks led to data encryption, a decrease from 76% in 2023.
20. 32% of encryption-based attacks also involved data theft.

Sources: Palo Alto Networks, Sophos 

Recovery and Post-Attack Outcomes

Recovering from a ransomware attack is a complex process that often involves restoring systems, securing infrastructure, and managing reputational fallout. Organizations use a combination of methods to recover data, including restoring from backups and paying ransoms. Despite paying, many victims fail to recover all their data.

Statistics for recovery and outcomes:

21. 34% of organizations needed more than a month to recover from an attack in 2024.
22. 35% of organizations recovered in a week or less, down from 47% in 2023.
23. 68% restored data using backups.
24. 56% paid the ransom to recover their data.
25. 47% used multiple recovery methods, up from 21% in 2023.
26. Only 46% of ransom payers recovered their data successfully, often with some data corrupted.
27. Organizations with intact backups: 46% recovered within a week.
28. Those with compromised backups: only 25% recovered within a week.
29. Nearly 80% of organizations that paid a ransom experienced a subsequent attack.

Sources: Sophos, Cybereason

Industry-Specific Impacts

Ransomware doesn’t affect all industries equally. Attackers often target sectors with sensitive data, limited security budgets, or urgent operational needs. Sectors such as healthcare, education, manufacturing, government, and finance have consistently been among the hardest hit. This section breaks down the impact of ransomware across different industries, highlighting how vulnerabilities and consequences vary by sector.

Healthcare:

30. $125 billion projected healthcare cybersecurity spend between 2020–2025.
31. Average cost of a healthcare data breach: $10.93 million.
32. Only 64.8% of encrypted data was restored after ransom payment in 2022.

Education:

33. 79% of higher education institutions were hit in the past year.
34. 66% of universities lack basic email security protections.
35. Median recovery cost in lower education in 2023: $750,000.
36. Since 2020, 1,681 higher education facilities have been affected by 84 ransomware attacks.

Manufacturing:

37. 59% of manufacturing companies were attacked in the last year.
38. 70% of these attacks resulted in data encryption.

Finance and Insurance:

39. 64% of financial service firms were hit by ransomware in 2023.
40. Average breach cost in finance: $5.90 million.
41. 81% of these attacks led to data encryption.

Government:

42. Over 330 ransomware incidents targeting U.S. government entities since 2018.
43. Estimated total downtime cost: $70 billion.
44. 72% encryption rate among state/local governments.
45. 96% of state/local entities improved defenses to meet cyber insurance requirements.

Sources: IBM, Sophos, Emisoft, Sophos  

Law Enforcement and Cyber Insurance

Involving law enforcement after a ransomware attack is now common practice, and many victims also rely on cyber insurance to fund responses or cover losses. However, the effectiveness of these interventions varies, and insurance often only partially offsets damages.

Statistics for law enforcement and insurance:

46. 97% of ransomware victims reported the incident to law enforcement.
47. 61% received advice on how to respond; 60% got help with investigations.
48. 58% of victims with encrypted data received law enforcement support in data recovery.
49. 23% of ransom payments were funded via cyber insurance.

Source: Sophos 

Leading Ransomware Groups

Ransomware attacks are often carried out by well-organized cybercriminal groups operating under a ransomware-as-a-service (RaaS) model. Some groups rise to prominence through high-profile attacks or sheer volume of operations.

Statistics for ransomware groups:

50. In Q2 2023, Akira and BlackCat represented 27% of observed ransomware activity.
51. LockBit 3.0’s activity increased by 164% between 2022 and 2023.
52. CL0P group activity rose 1,186% (30 to 386 cases).
53. Play group activity rose 1,084% (26 to 308 cases).
54. BlackBasta saw a 22% increase in activity.

Sources: Secureworks, Palo Alto Networks 

Emerging Tactics and Trends

Ransomware tactics evolve continuously, with attackers adapting strategies to increase effectiveness and evade detection. New trends such as triple extortion, supply chain attacks, and AI-assisted phishing show how ransomware campaigns are becoming more complex.

Statistics for new trends:

55. Triple extortion (encryption + data theft + threat to leak) is increasingly common.
56. Supply chain attacks (e.g., MOVEit, Kaseya, SolarWinds) affect multiple downstream victims.
57. RaaS enables widespread access to advanced ransomware kits.
58. Attackers increasingly exploit known but unpatched vulnerabilities.
59. Law enforcement doxxing of ransomware affiliates is disrupting operations.

Sources: Palo Alto Networks, CISA, Secureworks 

Cryptocurrency and Ransom Payments

Cryptocurrencies are a primary method for processing ransom payments, offering anonymity to attackers and speed of transfer. This section presents statistics about the use of crypto in ransomware operations and the scale of funds flowing through illicit crypto channels.

Statistics for crypto and ransom payments:

60. $449.1 million in crypto ransom payments were made in the first half of 2023.
61. In 2022, $20.6 billion in cryptocurrency flowed to illicit addresses.
62. One ransomware group reportedly earned $90 million in Bitcoin from a single campaign.
63. In 2019, illegal crypto transfers made up 2.1% of all crypto transaction volume.

Ransomware Protection with N2W

You can’t always stop ransomware from getting in—but you can stop it from taking you down. N2W gives you the power to recover fast, with confidence, no matter what happens.

Here’s how we’ve got your back:

• True Immutability: Your backups are locked down tight—unchangeable, undeletable, even by accident. Think digital vault, minus the dusty keys.
• Cross-Cloud Recovery: Backup AWS workloads into Azure or Wasabi. From Azure? Send them to Wasabi for added protection. It’s like a digital escape hatch.
• Automated DR Drills: Test your entire recovery process—including VPCs and network configurations—in just a few clicks. Know your recovery works before disaster hits.
• Air-Gapped Security: Create a clean DR account with zero delete permissions. Add alerts, lock it down, and sleep better knowing attackers can’t touch your backups.
• IaaS, not SaaS: Your data never leaves your cloud. N2W has no access to your workloads or data, making it much safer than a SaaS solution.

What’s next? Make sure to fill any gaps in your backup & DR plan.

🎯 Download our Disaster-Proof Backup Checklist