The Victimology of Ransomware: 4,200 Ransomware Victims and Counting

February 23, 2022

In recently released research, the threat intelligence team at Abnormal identified nearly 4,200 companies, organizations, and government institutions around the world that have been the victims of ransomware attacks starting in January 2020. We identified these victims through a combination of ransomware extortion blog monitoring on the dark web and open source intelligence collection, and this research allows us to understand ransomware trends over the course of the past two years.

While this is by no means the entire population of victims impacted by ransomware during this time period, the size is likely representative of the overall threat landscape, which allows us to make inferences about global ransomware trends.

The Recent Ransomware Explosion

Looking at the overall volume trends, there have been two main spikes in ransomware activity over the last two years. The first half of 2020 was relatively quiet; however, in August and September 2020, we observed a significant increase in ransomware victims. This surge corresponds to the arrival of two of the most prolific ransomware groups in recent years: Conti and REvil.

After this initial spike, the number of ransomware victims remained relatively consistent month-to-month until October and November 2021, when we saw our second significant surge in ransomware victims. This second increase can be attributed to a noticeable escalation in activity from a handful of top ransomware groups, including Conti, LockBit, and Pysa.

[Figure: Ransomware victims by monthly volume]

Ransomware Victims by Industry

Ransomware does not target only certain industries; we consider it industry agnostic. This means that, like other financially motivated cyber attacks, most ransomware attacks are more about the ability to quickly profit from the exploitation of a corporate network and less about the characteristics of the victim company itself.

This indifference can be seen in our data, as there isn’t one sector that clearly overshadows others in terms of attack volume. That said, one out of every five ransomware victims fell within the manufacturing industry—a sector that has also been a preferred target of business email compromise (BEC) attacks due to the frequency of large invoices and international payments. Rounding out the top five most impacted sectors were retail and wholesale, business services, construction, and healthcare.

[Figure: Ransomware victims by primary industry]

Ransomware Victims by Revenue

One of the biggest misconceptions about ransomware attacks is that they primarily impact large organizations that can afford to pay substantial ransoms. After all, most of the attacks reported in the media are generally those that victimized big, notable companies. Based on our data, however, the belief that these large enterprises are the preferred targets of ransomware actors is a myth.

The median estimated annual revenue for companies victimized by ransomware was just $27 million. Nearly a third of all victims had an annual revenue of less than $10 million and just under 60% of victims generated an annual revenue of less than $50 million, meaning a majority of ransomware targets can be classified as small businesses. In fact, only 10% of ransomware victims were enterprise-sized companies with an annual revenue of more than $1 billion.

[Figure: Ransomware victims by annual revenue]

While this appears to run counter to the conventional wisdom that the largest entities with the choicest data and heftiest budgets are the most attractive ransomware targets, this distribution makes sense. Because smaller companies are generally unable to invest large amounts of money in cybersecurity, they’re more likely to have fewer defenses in place to prevent ransomware attacks, making them opportunistic targets. If ransomware actors were more focused on selecting ideal targets that could deliver a higher payday, we’d expect the proportion of large enterprise victims to be much larger.

Ransomware Victims by Location

A look at the locations of ransomware victims provides a good sense of the global impact of this threat. We identified victims located in 110 countries around the world. Notably, of the top 67 countries in the world by GDP, Russia is the only country where a ransomware victim was not located. Of course, these findings aren’t exactly surprising.

It’s commonly known that a significant number of prolific ransomware actors are located in Russia, and it has been an open secret that groups actively avoid targeting Russian companies to steer clear of the attention of Russian authorities. However, when a vast majority of the world’s most developed countries are negatively affected by ransomware, it’s eye-opening that there is a massive Russian void on the map.

[Figure: Ransomware victims by country location]

As with most cyber attacks, the United States is home to a majority of ransomware victims, with just over half of ransomware victims located in one of the fifty states. Interestingly, the significant focus from United States authorities on ransomware in the first half of 2021 seems to have done little to deter ransomware actors from targeting American companies. The last quarter of 2021 saw the highest number of ransomware victims in the United States in the past two years, a 43% increase from the previous quarter.

After the United States, the rest of the top 10 countries linked to ransomware victims include most of the next wealthiest countries in the world, primarily in Western Europe and North America. This list consists of Canada, the United Kingdom, France, Germany, Italy, Australia, Spain, Brazil, and India.

Who Will Be Targeted Next?

When looking at the trends amongst ransomware victims, it is clear that threat actors will take advantage of whoever they can—no matter the industry, company size, or location. As a result, all organizations should be aware, and wary, of the threat. Cybercriminals have figured out how to successfully infiltrate these companies and hold them for ransom, and with millions of organizations to target, it’s hard to say who will be next.

To learn more about ransomware victims, including the number of repeat victim targets, download the full report.
