Skip to content

Reports of ransomware attacks are declining, but don’t start celebrating yet


Ransomware tactics are evolving. So are companies' perspectives on the best strategies to prepare and respond. As ransomware spreads, security, IT, and business leaders grapple with tough decisions on cyber controls, incident response, and ransomware payouts.

In our second annual ransomware research survey, we look beyond the latest ransomware attack statistics to explore changing attitudes and learn about the experiences of companies battling ransomware in 2022. We surveyed over 300 decision-makers across the United States from various industries to get insights from the folks in the trenches. We compared year-over-year ransomware statistics to see how things have changed. What we learned provides a glimpse into the future of ransomware in 2023 and beyond.

A key question we asked is: Are ransomware attacks getting worse? The answer depends on how you look at it.

Here’s what we learned from the survey:

Only 25% of respondents in this year’s survey said they were victims of ransomware over the past 12 months. This is a sharp decrease from last year’s overall ransomware attack rate of 64%.

That said, the larger the company, the more likely they were to experience a ransomware attack. Companies with 100 or more employees experienced ransomware attacks at a rate of 56% in 2022, compared with 70% in 2021 (a decrease of 14 percentage points).

Meanwhile, 13% of companies with less than 100 employees said they were victims of ransomware this past year, compared with 34% in the previous survey (a decrease of 21 percentage points ).

Ransomware Statistics

These findings support primary cyber industry research measuring the number of ransomware attacks. GuidePoint Research, for example, reported a 35% slowdown in ransomware attacks in the second quarter of 2022 compared to the first quarter. Digital Shadows, which conducts daily monitoring of ransomware groups, reported a 10% decline from the second quarter of 2022 to the third.

The cybersecurity community is keeping a close eye on this trend, as ransomware attack statistics change frequently.

We see many possible causes for the recent decrease in ransomware attack volume. Likely the ransomware decline is due to a combination of these five factors.

1. Prominent ransomware group Conti disbanded

The ransomware supply chain involves gangs of criminals who pool their skills and share in the profits. A gang typically includes encryption specialists, black hat cybercriminals who gain access and sell it, hands-on keyboard attackers who abuse stolen access, and the criminal who negotiates the ransom and manages the payment distribution.

One of the most prominent ransomware-as-a-service cartels, Conti, was responsible for many ransomware attacks in recent years. They disbanded in May 2022, shutting down their website.

While this may have caused a temporary decrease in ransomware incidents, splinter groups and other gangs have popped up. Today, all a cybercriminal needs to launch a successful ransomware attack is an internet connection and the correct affiliations, so this impact may be short-lived.

2. Ransomware-preventing security controls are working

Companies are investing in new tools and security controls for ransomware detection and containment.

For many organizations, these implementations have successfully deterred or blocked attacks. Cybercriminals are less likely to attack a network that sets off alarm bells and exposes them. Instead, attackers will move on to a more vulnerable victim.

Ransomware Defense Toolkit

6-in-1 Toolkit for Ransomware Defense

Get everything you need to know to prepare, prevent, and contain ransomware in one place.

3. Self-reporting doesn’t reflect attack incidence

The cynics among us might say that the number of companies that admit to ransomware attacks is declining.

Public companies and organizations bound by regulations must report cyber incidents that put consumers’ personal and other sensitive data at risk, but not all have compliance requirements. They may quietly pay a ransom and sweep it under the rug. In some organizations, not all employees would even know if a ransomware attack happened.

4. Increases and decreases in ransomware volume are seasonal

This period of decline may represent a gap in activity as ransomware groups gather their resources.

The fourth quarter of the year is historically a peak period of ransomware activity, as cybercriminals take advantage of the increase in e-commerce activity around the holidays, so companies of all industries and sizes need to stay on guard.

5. Ransomware payouts are increasing, so criminals get more results with less risk

The statistics show that while the volume of ransomware attacks appears to be decreasing, the average ransomware payment is increasing. The payments in cases worked by Unit 42 incident responders were nearly $1 million in the first five months of 2022, a 71% increase over the same period the previous year. On top of payments, companies are also paying for remediation expenses, downtime, and reputational harm.

If you’re a cybercriminal, you’d much rather have one big payday than put in the work and risk getting caught in multiple capers that yield lower rewards. Perhaps ransomware attacks are simply getting more efficient.

Where does that leave us?

Ultimately, it doesn’t matter if you know whether ransomware is increasing or decreasing in volume or cost. It would be best if you still assumed that the next incident might be directed at you. Taking steps to reduce the impact of ransomware and having a plan to respond to an attack is critical to cyber resilience and business continuity.

Get the full report for more key takeaways from the latest ransomware study:

  • Diverse ransomware motivations make every organization a potential victim
  • More companies are saying no to ransomware payments, even as business suffers
  • Companies are stagnating or backsliding in the ransomware fight
  • Support for making ransomware payments illegal has steeply declined

Download the Ransomware Survey Report 

Please take a look at how your peers are adjusting their behaviors, so you can benchmark your ransomware strategies. What you learn will help you prioritize your cybersecurity, incident response, and crisis management plans.