The Victimology of Ransomware: 4,200 Ransomware Victims and Counting

February 23, 2022

In recently released research, the threat intelligence team at Abnormal identified nearly 4,200 companies, organizations, and government institutions around the world that have been the victims of ransomware attacks starting in January 2020. We identified these victims through a combination of ransomware extortion blog monitoring on the dark web and open source intelligence collection, and this research allows us to understand ransomware trends over the course of the past two years.

While this is by no means the entire population of victims impacted by ransomware during this time period, the size is likely representative of the overall threat landscape, which allows us to make inferences about global ransomware trends.

The Recent Ransomware Explosion

Looking at the overall volume trends, there have been two main spikes in ransomware activity over the last two years. The first half of 2020 was relatively quiet; however, in August and September 2020, we observed a significant increase in ransomware victims. This surge corresponds to the arrival of two of the most prolific ransomware groups in recent years: Conti and REvil.

After this initial spike, the number of ransomware victims remained relatively consistent month-to-month until October and November 2021, when we saw our second significant surge in ransomware victims. This second increase can be attributed to a noticeable escalation in activity from a handful of top ransomware groups, including Conti, LockBit, and Pysa.

[Figure: Ransomware victims by monthly volume]

Ransomware Victims by Industry

Ransomware does not target only certain industries; we consider it industry agnostic. Like other financially motivated cyber attacks, most ransomware attacks are driven by the ability to profit quickly from exploiting a corporate network rather than by the characteristics of the victim company itself.

This indifference can be seen in our data, as there isn’t one sector that clearly overshadows others in terms of attack volume. That said, one out of every five ransomware victims fell within the manufacturing industry—a sector that has also been a preferred target of business email compromise (BEC) attacks due to the frequency of large invoices and international payments. Rounding out the top five most impacted sectors were retail and wholesale, business services, construction, and healthcare.

[Figure: Ransomware victims by primary industry]


Ransomware Victims by Revenue

One of the biggest misconceptions about ransomware attacks is that they primarily impact large organizations that can afford to pay substantial ransoms. After all, most of the attacks reported in the media are generally those that victimized big, notable companies. Based on our data, however, the belief that these large enterprises are the preferred targets of ransomware actors is a myth.

The median estimated annual revenue for companies victimized by ransomware was just $27 million. Nearly a third of all victims had an annual revenue of less than $10 million and just under 60% of victims generated an annual revenue of less than $50 million, meaning a majority of ransomware targets can be classified as small businesses. In fact, only 10% of ransomware victims were enterprise-sized companies with an annual revenue of more than $1 billion.

[Figure: Ransomware victims by annual revenue]

While this appears to run counter to the conventional wisdom that the largest entities with the choicest data and heftiest budgets are the most attractive ransomware targets, this distribution makes sense. Because smaller companies are generally unable to invest large amounts of money in cybersecurity, they are likely to have fewer defenses in place that could prevent ransomware attacks, making them opportunistic targets. If ransomware actors were more focused on selecting ideal targets that could deliver a higher payday, we'd expect the proportion of large enterprise victims to be much larger.

Ransomware Victims by Location

A look at the locations of ransomware victims provides a good sense of the global impact of this threat. We identified victims located in 110 countries around the world. Notably, of the top 67 countries in the world by GDP, Russia is the only country where a ransomware victim was not located. Of course, these findings aren't exactly surprising.

It’s commonly known that a significant number of prolific ransomware actors are located in Russia, and it has been an open secret that groups actively avoid targeting Russian companies to steer clear of the attention of Russian authorities. However, when a vast majority of the world’s most developed countries are negatively affected by ransomware, it’s eye-opening that there is a massive Russian void on the map.

[Figure: Ransomware victims by country location]

As with most cyber attacks, the United States is home to a majority of ransomware victims, with just over half of ransomware victims located in one of the fifty states. Interestingly, the significant focus from United States authorities on ransomware in the first half of 2021 seems to have done little to deter ransomware actors from targeting American companies. The last quarter of 2021 saw the highest number of ransomware victims in the United States in the past two years, a 43% increase from the previous quarter.

After the United States, the rest of the top 10 countries linked to ransomware victims include most of the next wealthiest countries in the world, primarily in Western Europe and North America. This list consists of Canada, the United Kingdom, France, Germany, Italy, Australia, Spain, Brazil, and India.

Who Will Be Targeted Next?

When looking at the trends amongst ransomware victims, it is clear that threat actors will take advantage of whoever they can—no matter the industry, company size, or location. As a result, all organizations should be aware, and wary, of the threat. Cybercriminals have figured out how to successfully infiltrate these companies and hold them for ransom, and with millions of organizations to target, it’s hard to say who will be next.

To learn more about ransomware victims, including the number of repeat victim targets, download the full report.

