How many ransomware strains are there?

Ransomware is a growing threat that affects individuals, businesses, and governments around the world. Some key questions about the scope of the ransomware problem include:

What is ransomware?

Ransomware is a form of malicious software that encrypts files on a device or network. The attackers demand a ransom payment in cryptocurrency to provide the victim with the decryption key. Ransomware is a lucrative criminal business that extorts billions of dollars from victims each year.

How many ransomware strains are there?

There are thousands of ransomware strains in existence. In 2021, researchers identified over 2,400 new ransomware variants. Some strains like Conti or Ryuk have caused widespread damage. The criminal developers continuously evolve ransomware to evade security measures.

How many ransomware attacks occur?

Ransomware attacks increased exponentially in recent years. In 2020, there were around 304 million ransomware attack attempts globally. This rose to 318.6 million ransomware attack attempts in 2021. Attacks on critical infrastructure and corporations have caused major disruptions.

The Evolution of Ransomware

Ransomware emerged in the late 1980s with early strains like AIDS or PC Cyborg. These early strains used simple techniques to lock access to files or the system. Ransomware began growing more advanced in the 2000s and early 2010s, with ransomware-as-a-service enabling wider campaigns.

Some key developments in the evolution of ransomware include:

  • 1989: The AIDS ransomware is considered the first ransomware. It targeted the healthcare industry.
  • Mid 2000s: Archive-based ransomware strains emerge that encrypt files stored in archives or documents.
  • 2012: Reveton ransomware runs a police-themed scam, claiming the user committed illegal activities.
  • 2013: CryptoLocker ransomware pioneers use of strong encryption to lock files.
  • 2016: Cerber ransomware offers ransomware-as-a-service to affiliates.
  • 2017: WannaCry and NotPetya cause widespread damage globally.
  • 2019-2020: Maze, Sodinokibi, and other ransomware cartels professionalize attacks on corporations.
  • 2021: Ransomware shifts to double extortion tactics to pressure victims into paying.

Ransomware developers continually enhance capabilities in areas like encryption, obfuscation, delivery and infrastructure to increase infections. They are likely to increase adoption of techniques like triple extortion campaigns, supply chain attacks, and targeting of OT and IoT networks.

CryptoLocker – Pioneered Cryptography Usage

Cryptography has played a key role in enabling modern ransomware. In 2013, the CryptoLocker ransomware strain utilized RSA-2048 and AES-256 encryption to robustly lock files. Victims found files were permanently irretrievable without the key.

CryptoLocker infections spread rapidly through phishing emails containing malicious attachments. The operators raked in around $3 million in Bitcoin before a takedown operation in 2014. CryptoLocker inspired many subsequent ransomware strains to use cryptographic file encryption.

Cerber – Ransomware-as-a-Service

The Cerber ransomware, which emerged in early 2016, featured another innovation: ransomware-as-a-service (RaaS). Cerber’s developers earned commissions by selling the malware toolkit to affiliates who conducted attacks.

The Cerber authors continuously updated the malware with new features like offline encryption. Cerber accounted for 90% of ransomware infections for a period. The RaaS model fueled ransomware growth by allowing non-technical criminals to execute attacks.

Recent Major Ransomware Campaigns

Some major ransomware incidents include:

WannaCry (2017)

The WannaCry ransomware outbreak caused chaos worldwide in 2017. It infiltrated hundreds of thousands of computers across 150 countries. Damage was estimated at between hundreds of millions and billions of dollars.

WannaCry exploited the EternalBlue vulnerability. It crippled hospitals, corporations, government agencies, and other critical systems through rapid worm-like spreading.

NotPetya (2017)

Petya ransomware was first seen in 2016. NotPetya emerged in 2017 as a destructive form disguised as ransomware. It caused over $10 billion in damages across shipping, logistics, and technology firms globally.

Experts tied NotPetya to nation-state actors. It erased master boot records irreversibly while masquerading as ransomware. Many affected firms like Maersk had to completely rebuild systems.

Ryuk (2018 – Current)

The Ryuk ransomware first appeared in 2018 targeting larger enterprises. Ryuk actors extensively study the victim network and perform tailored, stealthy attacks on each target. Ryuk brought in over $150 million in cryptocurrency ransom payments.

Crippling Ryuk attacks have hit organizations like Universal Health Systems, causing hospitals to turn away patients or resort to pen and paper. Ryuk often lurks in networks for weeks to escalate access before deploying across entire domains.

Conti Leaks (2022)

The Russia-based Conti ransomware gang was among the most successful, raking in over $180 million until a leak exposed its inner workings in February 2022. Researchers gained access to thousands of internal chats and files.

The leak revealed Conti’s organizational structure, attack playbook, and relationships with other cybercrime groups. Conti scrambled to restructure its operations in response. The Conti gang continues attacks despite diminished capacity.

Ransomware Targets

Ransomware gangs pursue a range of targets including:

  • Healthcare organizations
  • Schools and universities
  • State and local government agencies
  • Law firms
  • Insurance companies
  • Retail and ecommerce companies
  • Technology providers
  • Financial services organizations
  • Critical manufacturing and transportation

Any organization that is dependent on IT systems and data is at risk. With double extortion tactics, ransomware groups also threaten to leak stolen data, raising stakes for victims. Government agencies, hospitals, and critical infrastructure are often targeted due to high disruption impact.

Ransomware Protection Challenges for Healthcare

Healthcare organizations face unique challenges in ransomware protection:

  • Critical need for constant system availability due to life-endangering impacts of downtime
  • Highly distributed environments spanning legacy and modern IT systems
  • Data privacy regulations like HIPAA complicate data recovery after an incident
  • Understaffed security teams with limited budgets are outpaced by threats
  • Medical devices like MRI machines with outdated OSes are difficult to patch and encrypt

Despite healthcare being a prime ransomware target, healthcare cybersecurity severely lags other industries. Hospitals are often left with no option but to pay ransoms to restore access to patient records and imaging files.

Manufacturing: Operations Technology Challenges

For manufacturers, ransomware can impact both IT and operations technology (OT) systems:

  • Legacy industrial control systems and sensors lack monitoring and are difficult to update
  • OT networks are often interconnected with business IT networks
  • Downtime of manufacturing operations can have cascading business impacts
  • Many devices like PLCs or SCADA lack native security capabilities

Protecting both IT and OT infrastructure requires tailored strategies by manufacturers. Hybrid environments, distrust of automation, and resource constraints make ransomware defense challenging.

Global Impact of Ransomware

Ransomware has far-reaching global impacts across multiple dimensions:

Financial Costs

Cybersecurity Ventures estimates global ransomware costs will reach $265 billion by 2031, up from $20 billion in 2021. US organizations had average ransomware recovery costs of around $1.27 million per incident in 2021.

Business Operations

Ransomware can severely disrupt business operations by blocking access to critical systems for extended periods. Around 80% of companies hit by ransomware faced significant business disruption. Lost productivity, customer losses, and business closure are common.

Data Loss

Half of ransomware victims never recover their data even after paying ransom. Permanent data loss can put companies out of business. Ransomware gangs also increasingly threaten to publish sensitive stolen data if ransoms are not paid.

Critical Infrastructure

Widespread ransomware campaigns could paralyze hospitals, transportation networks, utilities, and other critical infrastructure. Attacks against providers like Colonial Pipeline show far-reaching real-world impacts of ransomware hitting critical services.


Ransomware is becoming a national security threat as certain campaigns are attributed to enemy nation-states. Russia is allegedly harboring many ransomware groups conducting indiscriminate global attacks in return for a cut of the profits.

Major Active Ransomware Groups

Some currently active major ransomware groups include:

| Group | Notable Activity |
|---|---|
| Conti | Over 1,000 victims before leaks exposed inner workings in early 2022 |
| Hive | Damaging attacks against healthcare providers amid pandemic |
| LockBit | Innovative triple extortion campaigns hitting major corporations |
| Black Basta | Emerging in 2022 and quickly hit 50+ victims |
| REvil | Hit JBS Foods and Kaseya MSP, demanding $70 million |
| BlackCat | Initial Linux version shows focus on versatility |
| AvosLocker | Frequent healthcare targets and expansive breach data leaks |
| Quantum | Traceably associated with sophisticated Russian cybergang |
| Vice Society | Smaller player growing quickly by targeting US K-12 schools |

These groups consistently enhance capabilities and invent new extortion tactics. They exploit security gaps, hide within systems, and pressure victims relentlessly to maximize payments.

Ransomware-as-a-Service Empowering Smaller Groups

The ransomware-as-a-service model empowers smaller, newer groups without advanced technical skills to conduct damaging attacks. RaaS kits available on the dark web lower the barrier to entry for wannabe cybercriminals.

Groups like Black Basta and AvosLocker acquired RaaS tools and then aggressively targeted victims. RaaS enables ransomware developers to scale more rapidly by creating affiliate programs. Authorities will need to crack down on RaaS to combat the growth of attacks.

Combating the Ransomware Threat

With ransomware attacks escalating, governments and organizations are pursuing strategies to counter ransomware groups:

Improved Cyber Defenses

Adopting security best practices can improve resilience against ransomware. Measures like endpoint detection, patch management, backups, segmentation, and user education help protect networks.

Managed service providers (MSPs) should follow standards like the Ransomware Task Force’s CSF to protect clients. Cloud, AI, deception tech, and threat intel sharing help detect and mitigate ransomware.

Focused Law Enforcement Operations

Transnational law enforcement is conducting more operations targeting ransomware groups. Efforts like Operation GoldDust revealed close ties between ransomware groups and nation states.

Authorities target money laundering, cryptocurrency exchanges, RaaS hosts, and other ransomware ecosystem elements. But prosecution remains challenging due to groups hiding abroad.

Geopolitical Pressure

Diplomatic and economic pressure on countries harboring ransomware gangs aims to compel crackdowns and extraditions. But relations with regimes like Russia or North Korea complicate negotiations.

Imposing financial sanctions on countries that enable cybercrime could incentivize political action. But global cooperation is difficult to achieve.

Cyberattack Bans for Insurance Coverage

Insurers are pressing customers to meet cybersecurity standards to qualify for coverage against ransomware payments. This motivates organizations to elevate IT practices and controls.

Governments may follow suit in banning cyber insurance that financially fuels attacks. But organizations may still pay without coverage to mitigate damage if defenses fail.

Outlook on the Ransomware Threat Landscape

Ransomware will likely continue evolving with innovations like:

  • Ransomware gangs forming cartels for mutual benefit
  • Focus on encrypting cloud data and backups to maximize leverage
  • Stealing and auctioning data to third parties for additional income streams
  • Developing worm-like features for rapid lateral movement across networks
  • Moving from Windows to multi-platform malware also targeting Linux and macOS
  • Increasing threats towards industrial control systems and critical infrastructure

Defenders will struggle to keep pace with ransomware groups unless fundamental IT security practices mature. With millions of attacks annually and over 2,400 new variants appearing yearly, stemming the tide of ransomware threats will require coordinated global efforts between policy makers, law enforcement, insurers, and technologists.


Ransomware remains a serious threat with thousands of strains infecting countless victims each year. Major incidents have disrupted critical infrastructure like hospitals, fuel supplies, and transportation networks. While high profile attacks on large corporations draw attention, ransomware also impacts small businesses, non-profits, and individuals.

Despite growing law enforcement and policy efforts to curb attacks, ransomware developers relentlessly enhance techniques and arsenals. Ransomware-as-a-service empowers non-technical criminals to readily execute attacks for profit. Ultimately, improving hygiene around IT and data security offers the best defense for organizations. But global cooperation is needed between public and private entities to disrupt the ransomware ecosystem and the threat actors enabling this continuously escalating crimeware.