Ransomware Statistics
Ransomware by Industry
Latest Statistics
70% of global ransomware activity targets English-speaking countries.
In the second half of 2025, 40% of all ransomware attacks targeted US-based companies.
In the second half of 2025, ransomware attacks against Canada and the UK accounted for a combined 30% of attacks.
Scattered Spider accounted for 42.9% of all actor-related alerts in the second half of 2025.
44% of attacks in the Automotive and Smart Mobility ecosystem are ransomware-related, more than double the volume in 2024.
90% of ransomware incidents exploit firewalls through a CVE or a vulnerable account.
The fastest ransomware case observed, involving Akira ransomware, took just three hours from breach to encryption.
96% of incidents involving lateral movement end with the release of ransomware.
Ransomware attacks against industrial organizations increased 64% year-over-year.
Organizations with comprehensive OT visibility detect and contain OT ransomware incidents in an average of 5 days, compared to the industry-wide average of 42 days.
The average dwell time for ransomware in OT environments is 42 days.
Manufacturing accounts for more than two-thirds of all ransomware victims.
The number of ransomware groups targeting industrial organizations increased 49% year-over-year to 119 groups, collectively impacting 3,300 organizations globally.
In 2025, 55% of Chief Information Security Officers (CISOs) in the US and UK reported that their organization experienced a cyberattack, ransomware infection, compromise, or data breach that rendered mobile, remote, or hybrid endpoint devices inoperable.
In 2025, 61% of CISOs indicated that their organization’s board and C-suite expect the cybersecurity group to guarantee zero breaches and ransomware incidents.
Nearly 40% of schools feel underprepared for ransomware in 2025.
Half of school IT leaders view ransomware as a serious threat to learning continuity in 2025.
66% of IT leaders view AI-generated attacks as the most significant threat to data security, surpassing ransomware at 50%.
72% of IT leaders support a ban on ransomware payments, with 51% strongly supporting it.
29% of global respondents ranked ransomware attacks and privacy breaches as their leading cyber concerns.
67% of ransomware reports that provided the communication method indicated that threat actors communicated with their intended targets via messages sent over The Onion Router protocol.
In 2024, ransomware incidents reported to FinCEN decreased to 1,476 incidents, reflecting $734 million in the aggregate value of reported payments.
Ransomware incidents reported to FinCEN reached an all-time high of 1,512 incidents in 2023, totaling $1.1 billion in payments, marking a 77% increase in total payments year-over-year from 2022 to 2023.
Between January 2022 and December 2024, FinCEN received 7,395 BSA reports related to 4,194 ransomware incidents, totaling more than $2.1 billion in ransomware payments.
The manufacturing industry accounted for 456 ransomware incidents totaling approximately $284.6 million in reported payments, while the financial services industry accounted for 432 incidents totaling approximately $365.6 million, and the healthcare industry accounted for 389 incidents totaling approximately $305.4 million.
The 10 ransomware variants with the highest cumulative payment amounts identified in BSA reports accounted for approximately $1.5 billion in payments.
Ransomware attacks on healthcare organizations surged by 264%.
52% of organizations reported being targeted by ransomware attacks on holidays or weekends.
60% of ransomware attacks occurred following an IPO, merger or acquisition, or round of layoffs.
Only 33% of cyber insurance policies cover lost revenue, and 45% cover ransomware negotiations or payment.
61% of Chief Information Security Officers believe AI has directly increased ransomware risk.
There were 333 ransomware attacks detected by Trellix specifically targeting critical infrastructure sectors from April 1 to September 30, 2025.
In Q3 2025, Qilin ransomware claimed 271 posts on their public leak site.
In Q3 2025, Akira, Qilin, and INC Ransomware accounted for 65% of all ransomware cases investigated by Beazley Security.
Leak site posts increased by 11% from Q2 to Q3 2025.
In Q3 2025, the Akira ransomware group claimed 167 posts on their public leak site.
In Q3 2025, the 'Others' category of ransomware actors decreased from 40% to 16% of cases compared to the previous quarter.
In Q3 2025, Qilin ransomware accounted for approximately 18% of Beazley Security incident response cases.
In Q3 2025, INC Ransomware claimed 119 posts on their public leak site.
In Q3 2025, the Akira ransomware group accounted for approximately 39% of Beazley Security incident response cases.