US Ransomware Statistics and Trends: Annual Data and Analysis
Ransomware has become one of the most quantified threat categories in US cybersecurity reporting, with federal agencies, sector-specific regulators, and independent research organizations tracking incident volume, financial impact, sectoral targeting, and attack methodology across annual reporting cycles. This page maps the primary data sources, defines the measurement categories used across those sources, explains how ransomware statistics are generated and what they measure, describes the most frequently documented attack scenarios, and establishes the classification boundaries that determine how incidents are counted, categorized, and compared year over year.
Definition and scope
Ransomware statistics, as a measurement category, capture the reported frequency, financial cost, sectoral distribution, and operational impact of ransomware incidents affecting US organizations. The Cybersecurity and Infrastructure Security Agency (CISA) classifies ransomware as a national critical infrastructure threat, and its Shields Up guidance frames ransomware measurement as essential to understanding systemic risk across 16 designated critical infrastructure sectors.
The primary federal data source is the FBI Internet Crime Complaint Center (IC3), which publishes annual Internet Crime Reports compiling ransomware complaints submitted by US victims. The IC3 recorded 2,825 ransomware complaints in 2023, with adjusted losses exceeding $59.6 million for that reported subset (FBI IC3 2023 Internet Crime Report). The IC3 consistently notes that its figures represent a fraction of actual incident volume because most ransomware incidents go unreported to federal authorities.
Three measurement categories structure ransomware statistics across published sources:
- Incident count — the number of discrete ransomware events reported to a named body (FBI IC3, CISA, HHS, sector regulators) within a calendar year.
- Financial impact — ransom demands paid, recovery costs, downtime losses, and forensic expenditures, typically aggregated from victim surveys or insurance claims data.
- Sectoral distribution — the proportion of incidents attributable to specific industries, mapped against CISA's critical infrastructure sector taxonomy or equivalent classification frameworks.
A persistent methodological gap separates reported from actual incident totals. Underreporting is structural: organizations facing reputational risk, active negotiations, or uncertainty about legal disclosure thresholds frequently do not file complaints with the IC3 or CISA. Ransomware reporting requirements in the US vary by sector and incident type, which contributes directly to inconsistent aggregation across datasets.
How it works
Ransomware statistics are generated through three distinct collection mechanisms, each producing data with different scope, lag time, and reliability characteristics.
Federal complaint intake operates through the FBI IC3, which accepts voluntary submissions from individuals and organizations. Submissions are logged, categorized by crime type, and published in the annual IC3 Internet Crime Report. CISA operates a separate intake through its Stop Ransomware portal and shares threat intelligence with sector-specific partners under its Joint Cyber Defense Collaborative (JCDC) framework.
Sector-specific regulatory reporting generates a parallel data stream. The Department of Health and Human Services Office for Civil Rights (HHS OCR) maintains a public breach portal — commonly called the "Wall of Shame" — that tracks HIPAA-covered breaches affecting 500 or more individuals, including ransomware events classified as breaches under the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414). Financial sector regulators including the Office of the Comptroller of the Currency (OCC) and the Financial Industry Regulatory Authority (FINRA) receive incident notifications under their own frameworks, though these are not always publicly aggregated.
Third-party research surveys — published by organizations such as Sophos, Verizon, and Chainalysis — collect self-reported data from organizational respondents or analyze on-chain cryptocurrency transaction patterns. The Chainalysis 2024 Crypto Crime Report tracks ransomware payments denominated in cryptocurrency, identifying on-chain flows to known ransomware-affiliated wallets. These figures capture confirmed payment activity rather than incident frequency. Understanding ransomware cryptocurrency payments is central to interpreting payment-based statistics, which systematically undercount incidents where victims did not pay.
The interaction between these three mechanisms produces a fragmented statistical landscape. A single incident may generate an IC3 complaint, an HHS OCR breach report, an insurance claim, and a Chainalysis-tracked payment — or none of those — depending on victim choices and applicable regulatory obligations.
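The fragmentation described above can be made concrete with a short added example (not from any of the cited sources). It applies each mechanism's inclusion rule, as stated on this page, to a constructed set of incidents; the field names, the simplified rules, and the sample records are assumptions for illustration only.

```python
# Constructed sample incidents (not real data); field names are assumptions.
INCIDENTS = [
    {"id": "A", "ic3_complaint": True,  "hipaa_covered": True,  "individuals": 12000, "paid_onchain": True},
    {"id": "B", "ic3_complaint": False, "hipaa_covered": True,  "individuals": 800,   "paid_onchain": False},
    {"id": "C", "ic3_complaint": True,  "hipaa_covered": False, "individuals": 0,     "paid_onchain": True},
    {"id": "D", "ic3_complaint": False, "hipaa_covered": False, "individuals": 0,     "paid_onchain": True},
    {"id": "E", "ic3_complaint": False, "hipaa_covered": True,  "individuals": 300,   "paid_onchain": False},
    {"id": "F", "ic3_complaint": False, "hipaa_covered": False, "individuals": 0,     "paid_onchain": False},
]

# Simplified inclusion rule per collection mechanism, as described in the text.
SOURCES = {
    # Voluntary complaint filed with the FBI IC3.
    "ic3": lambda i: i["ic3_complaint"],
    # HHS OCR portal: HIPAA-covered breach affecting 500 or more individuals.
    "hhs_ocr": lambda i: i["hipaa_covered"] and i["individuals"] >= 500,
    # Payment-based research: only confirmed on-chain payments are visible.
    "onchain": lambda i: i["paid_onchain"],
}


def reconcile(incidents):
    """Compare what each source sees with the true incident population."""
    seen = {
        name: {i["id"] for i in incidents if rule(i)}
        for name, rule in SOURCES.items()
    }
    union = set().union(*seen.values())
    return {
        "per_source": {name: len(ids) for name, ids in seen.items()},
        # Adding source totals double-counts incidents reported more than once.
        "naive_sum": sum(len(ids) for ids in seen.values()),
        # Deduplicating still misses incidents that no source captured.
        "deduplicated": len(union),
        "actual": len(incidents),
        "unseen": sorted({i["id"] for i in incidents} - union),
    }


if __name__ == "__main__":
    for key, value in reconcile(INCIDENTS).items():
        print(f"{key}: {value}")
```

In this constructed set, adding the three source totals overstates the incident count, while the deduplicated union still understates it because two incidents appear in no dataset.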
Common scenarios
Ransomware statistics reveal consistent patterns in how attacks are distributed across sectors, organization sizes, and geographic concentrations.
Healthcare accounts for a disproportionate share of publicly documented incidents. HHS OCR breach portal data shows ransomware appearing as the cause or suspected cause in a substantial fraction of large-scale healthcare data breaches annually. The sector's dependence on real-time system availability — patient records, clinical systems, pharmacy operations — makes it a high-leverage target. The healthcare ransomware sector profile maps the regulatory and operational dimensions of this exposure.
Government and education appear consistently in CISA advisories and IC3 sector breakdowns. State and local governments represent a distinct target category because they operate legacy infrastructure, face constrained IT budgets, and provide essential public services that create pressure to restore operations quickly. The government sector profile covers the federal, state, and municipal dimensions of this exposure.
Critical infrastructure at large — including energy, water, and manufacturing — is tracked by CISA through its Known Exploited Vulnerabilities (KEV) catalog and sector-specific advisories. The critical infrastructure ransomware profile addresses the operational technology (OT) and industrial control system dimensions that complicate both statistics collection and incident response.
Small and mid-sized businesses (SMBs) represent the largest numerical category of victims in IC3 data, though individual incident costs are typically lower than enterprise-level events. The structural vulnerabilities affecting SMBs — limited security staff, constrained backup infrastructure, reliance on Remote Desktop Protocol (RDP) — are documented in the SMB ransomware risk profile.
Decision boundaries
Interpreting ransomware statistics requires applying explicit classification boundaries that distinguish what is and is not captured by any given dataset.
Reported vs. actual incident volume. No federal dataset claims to represent total ransomware incident volume. IC3 figures are self-reported complaints; CISA intake is voluntary for most sectors outside mandatory reporting frameworks. Actual incident volume is higher than any single source reflects.
Ransom paid vs. ransom demanded. Payment statistics from sources like Chainalysis track confirmed on-chain transactions. Demanded amounts — which appear in negotiation communications and are sometimes disclosed publicly — are frequently not reflected in payment data because victims either recover without paying or negotiate reductions. Ransomware payment considerations and OFAC's sanctions framework under 31 CFR Part 510 govern the legal boundaries around payment decisions and affect whether payments are reportable.
Encryption-only vs. double-extortion incidents. Earlier ransomware statistics primarily tracked encryption events. The emergence of double-extortion ransomware — in which operators exfiltrate data before encrypting and threaten public release — expands the scope of what constitutes a reportable incident under breach notification statutes. An encryption event that also constitutes a breach of protected health information (PHI) or personally identifiable information (PII) triggers separate legal obligations that affect both reporting rates and publicly available statistics.
Ransomware-as-a-service (RaaS) attribution. RaaS platforms distribute attack execution across affiliate networks, complicating attribution in statistical reporting. A single RaaS platform may be responsible for incidents counted under dozens of different affiliate identifiers in IC3 data, inflating apparent diversity of threat actors while obscuring the concentration of infrastructure behind a small number of operators.
The ransomware cost and impact page examines the financial measurement methodologies in greater depth, including the distinction between direct ransom payments and total incident costs, which consistently exceed payment figures by a significant multiple when downtime, remediation, legal fees, and regulatory penalties are included.
References
- FBI Internet Crime Complaint Center (IC3) — 2023 Internet Crime Report
- CISA Stop Ransomware
- HHS Office for Civil Rights — Breach Portal
- HIPAA Breach Notification Rule, 45 CFR §§ 164.400–414
- NIST SP 800-61 Rev. 2 — Computer Security Incident Handling Guide
- OFAC Sanctions — 31 CFR Part 510
- Chainalysis Crypto Crime Report
- CISA Known Exploited Vulnerabilities Catalog
- [OCC: Sound Practices to