US Ransomware Statistics and Trends: Annual Data and Analysis
Ransomware incidents against US organizations generate measurable, publicly reported data across federal law enforcement, sector regulators, and independent research bodies. This page consolidates annual complaint volumes, financial loss figures, sector targeting patterns, and ransom payment trends drawn from named government and institutional sources. The data shapes how regulators, insurers, and security professionals assess organizational risk exposure and informs the service landscape documented throughout the ransomware providers on this platform.
Definition and scope
For statistical tracking purposes, ransomware is classified by the FBI's Internet Crime Complaint Center (IC3) as a discrete subset of extortion-based cybercrime — incidents in which malware encrypts, locks, or threatens to expose victim data pending payment. The IC3 maintains the most authoritative publicly available US-specific complaint dataset, though federal reporting acknowledges that logged complaints represent a fraction of actual incident volume due to systematic underreporting by both private-sector and public-sector victims.
The Cybersecurity and Infrastructure Security Agency (CISA) tracks ransomware at the infrastructure level, issuing alerts tied to specific threat actor groups and sectors. The Department of Health and Human Services Office for Civil Rights (HHS OCR) separately tracks ransomware as a subset of healthcare data breaches subject to HIPAA notification requirements under 45 CFR Part 164. These three reporting streams — IC3 complaint data, CISA threat intelligence, and HHS OCR breach reports — represent the primary public statistical channels covering US ransomware activity.
Scope boundaries matter for data interpretation: IC3 figures count complaints lodged by US victims, not all attacks targeting US infrastructure. CISA advisories count confirmed threat actor campaigns, not individual victim organizations. HHS OCR counts covered-entity breaches involving protected health information, a sector-specific subset of the broader national picture described in the ransomware provider network purpose and scope.
How it works
Ransomware statistical reporting follows a consistent lifecycle that mirrors the technical attack phases documented by CISA's Stop Ransomware program. Understanding how statistics are generated requires mapping each reporting trigger to the corresponding attack stage:
- Initial access — Phishing emails, exposed Remote Desktop Protocol (RDP) ports, and unpatched vulnerabilities are the dominant initial access vectors. The IC3's 2023 Internet Crime Report identified phishing as the most-reported cybercrime type by complaint volume, with 298,878 phishing complaints logged, which gives context for ransomware's primary delivery mechanism (IC3 2023 Internet Crime Report).
- Lateral movement and staging — Attackers escalate privileges and identify high-value data repositories before deploying encryption payloads. This phase is typically invisible to statistical reporting until discovery.
- Encryption and extortion demand — The event that triggers victim awareness and, in regulated sectors, mandatory notification timelines. HIPAA's 60-day breach notification requirement (45 CFR §164.412) creates a compliance deadline that feeds HHS OCR's reportable dataset.
- Ransom payment or recovery — The Financial Crimes Enforcement Network (FinCEN) tracks ransom payments processed through financial institutions. Ransomware-related Suspicious Activity Reports (SARs) filed with FinCEN totaled $590 million in the first half of 2021 alone, surpassing the $416 million recorded for all of 2020 (FinCEN Financial Trend Analysis, October 2021).
- Post-incident reporting — Voluntary IC3 complaints, mandatory sector notifications, and law enforcement referrals generate the statistical record that analysts and researchers subsequently publish.
Common scenarios
Three dominant targeting patterns emerge consistently across annual federal reporting cycles:
Critical infrastructure and healthcare. HHS OCR reported that ransomware was identified as the cause of a substantial share of large healthcare data breaches affecting 500 or more individuals — a threshold that triggers public posting on the HHS "Wall of Shame" breach portal. The healthcare sector logged 725 large breaches in calendar year 2023 (HHS OCR Breach Portal), with ransomware and hacking representing the dominant breach category by records affected.
State and local government. CISA has documented repeated targeting of municipal networks, school districts, and county governments. These entities frequently operate with smaller security budgets than federal agencies while managing sensitive citizen data and critical operational systems. IC3 data does not disaggregate government-sector complaints from overall ransomware totals, but CISA's sector-specific advisories — including joint advisories co-authored with the NSA and MS-ISAC — consistently identify K-12 education and local government as high-frequency targets.
Financial services and professional services. FinCEN's SAR data reveals that financial sector entities are both direct ransomware targets and the institutions processing ransom payments. The $590 million in ransomware-related SARs for the first half of 2021 reflected activity across 635 SARs — an average value per SAR of approximately $930,000 (FinCEN Financial Trend Analysis, October 2021).
The key structural distinction in current ransomware statistics is between double extortion and encryption-only attacks. Encryption-only attacks generate costs primarily through downtime and recovery. Double extortion attacks, in which operators exfiltrate data before encrypting it, add regulatory notification costs, potential HIPAA penalties, and reputational liability, making their aggregate financial impact per incident substantially higher than that of encryption-only attacks. CISA's Stop Ransomware advisories explicitly distinguish these two categories when profiling named threat actor groups. Organizations navigating this threat landscape can reference how to use this ransomware resource to identify relevant service categories.
Decision boundaries
Interpreting US ransomware statistics requires applying clear methodological boundaries to avoid conflating incompatible datasets:
IC3 complaint volume vs. estimated incident volume. The IC3 itself acknowledges in annual reports that complaints represent a portion of actual crime. The 2,825 ransomware complaints in 2023 (IC3 2023 Internet Crime Report) should not be read as total US incidents — they represent self-reported filings by victims who chose to engage with the IC3 reporting portal.
Financial losses reported vs. total economic impact. IC3-reported losses capture only damages disclosed in complaints. They exclude regulatory fines, litigation costs, insurance premium increases, and long-term reputational damage. The $59.6 million in ransomware-specific losses reported to IC3 in 2023 (IC3 2023 Internet Crime Report) is therefore a floor figure, not a comprehensive economic measure.
Sector-specific reporting obligations shape data availability. Healthcare organizations face the most stringent public reporting requirements under HIPAA, producing the most granular sector dataset. Financial institutions report through FinCEN's SAR system, which is not fully public. Other critical infrastructure sectors operate under varying notification frameworks established by sector-specific regulators — the Transportation Security Administration (TSA) for pipelines and aviation, the Federal Energy Regulatory Commission (FERC) for bulk electric systems — creating fragmented statistical visibility across the national threat landscape.
Ransom payment statistics and OFAC compliance. FinCEN and the Treasury Department's Office of Foreign Assets Control (OFAC) jointly govern the legal boundaries of ransom payments. OFAC's September 2021 advisory explicitly warned that payments to sanctioned threat actors may violate the International Emergency Economic Powers Act (IEEPA), creating a compliance decision boundary that affects both victim organizations and their cyber insurers (OFAC Ransomware Advisory, September 2021). This regulatory constraint means ransom payment statistics systematically undercount actual payment activity, as organizations weigh legal exposure against operational recovery timelines.