The Victimology of Ransomware: 4,200 Ransomware Victims and Counting

In recently released research, the threat intelligence team at Abnormal identified nearly 4,200 companies, organizations, and government institutions around the world that have been the victims of ransomware attacks starting in January 2020. We identified these victims through a combination of ransomware extortion blog monitoring on the dark web and open source intelligence collection, and this research allows us to understand ransomware trends over the course of the past two years.

While this is by no means the entire population of victims impacted by ransomware during this time period, the size is likely representative of the overall threat landscape, which allows us to make inferences about global ransomware trends.

Looking at the overall volume trends, there have been two main spikes in ransomware activity over the last two years. The first half of 2020 was relatively quiet; however, in August and September 2020, we observed a significant increase in ransomware victims. This surge corresponds to the arrival of two of the most prolific ransomware groups in recent years: Conti and REvil.

After this initial spike, the number of ransomware victims remained relatively consistent month-to-month until October and November 2021, when we saw our second significant surge in ransomware victims. This second increase can be attributed to a noticeable escalation in activity from a handful of top ransomware groups, including Conti, LockBit, and Pysa.

Ransomware is not a threat that targets only certain industries, but is what we would consider to be industry agnostic. This means that, like other financially-motivated cyber attacks, the focus of most ransomware attacks is more about the ability to quickly profit from the exploitation of a corporate network and less about the characteristics of the victim company itself.

This indifference can be seen in our data, as there isn’t one sector that clearly overshadows others in terms of attack volume. That said, one out of every five ransomware victims fell within the manufacturing industry—a sector that has also been a preferred target of business email compromise (BEC) attacks due to the frequency of large invoices and international payments. Rounding out the top five most impacted sectors were retail and wholesale, business services, construction, and healthcare.

Note: To learn more about how ransomware is impacting your industry, email us at ransomware@abnormalsecurity.com.

One of the biggest misconceptions about ransomware attacks is that they primarily impact large organizations that can afford to pay substantial ransoms. After all, most of the attacks reported in the media are generally those that victimized big, notable companies. Based on our data, however, the belief that these large enterprises are the preferred targets of ransomware actors is a myth.

The median estimated annual revenue for companies victimized by ransomware was just $27 million. Nearly a third of all victims had an annual revenue of less than $10 million and just under 60% of victims generated an annual revenue of less than $50 million, meaning a majority of ransomware targets can be classified as small businesses. In fact, only 10% of ransomware victims were enterprise-sized companies with an annual revenue of more than $1 billion.

While this appears to run counter to the conventional wisdom that the largest entities with the choicest data and heftiest budgets are the most attractive ransomware targets, this distribution makes sense. Because smaller companies are generally unable to invest large amounts of money in cybersecurity, they’re more likely to have fewer defenses in place that may prevent ransomware attacks, making them opportunistic targets. If ransomware actors were more focused on selecting ideal targets that could deliver a higher payday, we’d expect the proportion of large enterprise victims to be much larger.

A look at the locations of ransomware victims provides a good sense of the global impact of this threat. We identified victims located in 110 countries around the world. Notably, of the top 67 counties in the world by GDP, Russia is the only country where a ransomware victim was not located. Of course, these findings aren’t exactly surprising.

It’s commonly known that a significant number of prolific ransomware actors are located in Russia, and it has been an open secret that groups actively avoid targeting Russian companies to steer clear of the attention of Russian authorities. However, when a vast majority of the world’s most developed countries are negatively affected by ransomware, it’s eye-opening that there is a massive Russian void on the map.

Like most cyber attacks, the United States is the home for a majority of ransomware victims, with just over half of ransomware victims located in one of the fifty states. Interestingly, the significant focus from United States authorities on ransomware in the first half of 2021 seems to have done little to deter ransomware actors from targeting American companies. The last quarter of 2021 saw the highest number of ransomware victims in the United States in the past two years—a 43% increase from the previous quarter.

After the United States, the rest of the top 10 countries linked to ransomware victims include most of the next wealthiest countries in the world, primarily in Western Europe and North America. This list consists of Canada, the United Kingdom, France, Germany, Italy, Australia, Spain, Brazil, and India.

When looking at the trends amongst ransomware victims, it is clear that threat actors will take advantage of whoever they can—no matter the industry, company size, or location. As a result, all organizations should be aware, and wary, of the threat. Cybercriminals have figured out how to successfully infiltrate these companies and hold them for ransom, and with millions of organizations to target, it’s hard to say who will be next.

To learn more about ransomware victims, including the number of repeat victim targets, download the full report.