Business, Insights, Ransomware

Ransomware statistics you need to know in 2026

8th December 2025
Man reviewing statistics

Ransomware continues to evolve and so does its grip on businesses, governments, and individuals around the globe. What was once a relatively rare form of cybercrime has exploded into a multibillion-dollar extortion machine.

If you are reading this because you have experienced a ransomware incident and are unsure how to deal with it, contact Zensec immediately.

In 2025, no sector is safe. From healthcare providers and manufacturers to local governments and financial institutions, ransomware gangs are expanding their reach, refining their attack vectors, and increasing their usage of malicious software.

Modern threats are defined by two key trends: Ransomware-as-a-Service (RaaS) and double extortion tactics. Attackers are also experimenting with data theft, software vulnerabilities, and more aggressive phishing attacks.

If you’re responsible for cybersecurity or digital risk in any form, understanding the current state of ransomware is non-negotiable.

The following statistics offer a comprehensive look at how ransomware trends are shaping cybersecurity in 2025.

Over 5,600 ransomware attacks were publicly disclosed worldwide in 2024

This figure highlights the scale of the ransomware problem, with thousands of known cases and likely many more that go unreported. The U.S. alone accounted for nearly half of all incidents, reinforcing its status as a high-value target for threat actors in global ransomware attacks.

72–73% of organisations globally experienced a ransomware attack in the past year

Nearly three-quarters of organisations were affected, underscoring how pervasive ransomware has become across industries and geographies. Many of these attacks involve ransomware families reusing code, exploiting known vulnerabilities, and leveraging existing cyberattacks.

Ransomware accounted for 37% of all data breaches in 2024

Ransomware isn’t just about disruption anymore, it’s one of the leading causes of data breaches, combining data encryption and data theft. That means stolen customer data, intellectual property leaks, and regulatory risks on top of operational downtime.

Global ransomware attackers extorted $813.5 million in payments in 2024

The sheer volume of ransom payments underscores the financial incentives driving this criminal economy. With so much financial gain available, ransomware groups are becoming more professional, strategic, and difficult to deter.

Global ransomware damages are projected to reach $57 billion annually by 2025

When you factor in downtime, reputational harm, customer loss, legal fees, and response costs, the financial impact adds up fast. This projection reflects the broader economic impact beyond just ransom payments.

The average ransom payment per incident was $1.0 million

Paying the ransom isn’t a minor expense, it’s often a seven-figure decision. And this doesn’t include the hidden costs of recovery, lost business, or post-breach mitigation.

Initial ransom demands averaged $2.2 million in 2024

Attackers often shoot high, expecting negotiation, but even the starting points for these ransoms are eye-popping. Critical infrastructure sectors, including government and educational institutions, usually face higher demands as attackers rely on the desperation of the victim.

The average cost to recover from a ransomware attack was $1.5 million

When ransomware attacks occur, recovery costs can be an expensive process. Restoring systems, hiring forensic experts, notifying customers, and hardening systems afterwards all carry steep price tags.

Government entities faced an average of $2.8 million in recovery costs

Public sector organisations often operate with ageing infrastructure and limited cybersecurity budgets, making recovery even more costly and prolonged.

64% of organisations affected by ransomware refused to pay ransoms in 2024

While many organisations hold the line against paying cybercriminals, a sizable portion still does. The refusal rate is a positive sign that more companies are relying on backups and contingency planning. However, some companies still resort to making ransomware payments.

47% of companies have formal policies that allow ransom payments

More companies are recognising that the decision to pay is complex, involving legal, ethical, and business continuity considerations. Formal policies help guide those choices under pressure.

84% of victims who paid the ransom did not recover all their data

Even if you pay, full data recovery is far from guaranteed. Many attackers only decrypt part of the data or deliver keys that don’t work, leaving victims in worse shape than they expected.

Manufacturing was the most attacked industry for the fourth year in a row

Manufacturers are frequently targeted due to their operational sensitivity, even minor downtime can disrupt global supply chains, creating urgent pressure to pay ransoms quickly.

70% of all cyberattacks in 2024 targeted critical infrastructure

Beyond factories, attackers increasingly target energy, transportation, and utilities, sectors where digital disruption causes real-world consequences.

66% of healthcare organisations were hit by ransomware

Healthcare remains a top target due to its sensitive data and urgent need for uptime. When lives are on the line, attackers know hospitals are more likely to pay fast.

65% of financial services firms experienced ransomware attacks

Despite being heavily regulated and tech-savvy, financial firms continue to be targeted due to their valuable data and ability to pay.

34% of local/state governments were attacked in 2024 (down from 69% in 2023)

While the numbers are trending downward, public institutions are still a regular target. Improvements in cyber hygiene and federal support may explain the decline but the threat persists.

26% of ransomware attacks started via exploited software vulnerabilities

Unpatched systems remain a major weakness. Attackers scan for known CVEs and infiltrate networks using malicious software, particularly in UK businesses, educational institutions, and critical infrastructure.

26% of ransomware infections involved compromised credentials

Weak or reused passwords, or stolen login credentials, open the door to ransomware attacks. Credential stuffing, brute force, and phishing make this a top attack vector.

22% of ransomware incidents began through phishing emails

Despite years of awareness campaigns, phishing attacks remain highly effective. Malicious links and attachments continue to trick users into launching attacks.

Only 34% of ransomware attacks involved file encryption in 2024 (down from 76% in 2023)

This sharp drop signals a shift in attacker strategy. Rather than encrypting files, more ransomware gangs now focus on stealing data and threatening to leak it, making backup-based defences less effective.

Increasing Your Defences against Cyber Attacks

With ransomware incidents rising and more victims falling victim to advanced threat actors, a strong defence strategy is key for all businesses. Organisations should take key measures to prevent them from becoming ransomware victims. These include:

Strengthen Your Defences to Avoid Falling Victim

Attackers exploit software vulnerabilities and unpatched systems as initial attack vectors. Reducing the risks of malware attacks involves:

  • Patching systems is always important, but it’s especially essential for critical infrastructure, financial institutions, and educational institutions. Attackers increasingly target these industries.
  • Conducting vulnerability scans to isolate frequently targeted applications.
  • Apply compensating controls, such as network segmentation, if legacy systems cannot be updated.

Proactive patching is a vital step in limiting the number of successful ransomware attacks.

Reduce Credential-Based Attacks

Many ransomware incidents begin with compromised credentials, obtained through phishing or password reuse across global enterprises and UK businesses.

Enforcing MFA and monitoring for unusual login patterns is vital when handling sensitive data, as it can help prevent attacks when cybercriminals deploy malicious software.

Improve Email and Phishing Resilience

Phishing remains one of the most common attack vectors, even for large enterprises like financial institutions. You can reduce the number of ransomware attacks your organisation is exposed to by:

  • Deploying advanced email filtering and sandboxing.
  • Running regular phishing simulations.
  • Training staff to recognise social engineering, suspicious attachments, and impersonation tactics.

These steps reduce vulnerability exploitation, preventing malware that enables data theft.

Build a Robust Incident Response Plan

Established incident response and business continuity plans significantly reduce operational and financial fallout when ransomware threats materialise. These plans should include procedures for handling cyber breaches and ransom payments.

It’s also a good idea to have contact details for law enforcement and cyber insurers, along with a full communications plan for stakeholders.

Prioritise Secure Backups & Recovery after Cyber Breaches

Effective backup strategies can minimise potential damage – even if data encryption occurs. Best practices include:

  • Maintaining offline and immutable backups
  • Testing restoration processes frequently
  • Storing backups across multiple locations
  • Using rapid recovery technologies to avoid prolonged downtime

Reliable backups are the last line of defence if ransomware threats break through perimeter controls. So, even if you’re affected by ransomware actors, adding a layer of protection can streamline the recovery process and help you restore data.

Enhance Monitoring & Cyber Crime Threat Detection

Cybercriminals focusing on ransomware attacks often rely on stealth, privilege escalation, credential theft, and data exfiltration, before the impact is even visible. Both small businesses and global enterprises can defend themselves against advanced tactics by prioritising:

  • Behaviour-based ransomware detection.
  • SIEM with real-time alerting.
  • EDR tools that stop malicious software from executing.
  • Network anomaly monitoring to detect ransomware families.

These tools identify early indicators so you can contain threats before encryption or extortion begins.

Sources

  • U.S. Homeland Threat Assessment 2025
  • Statista
  • Verizon Data Breach Investigations Report
  • Chainalysis
  • Cybersecurity Ventures
  • Sophos
  • Coveware
  • Halcyon
  • IBM Security X-Force