Global Impact of Ransomware

Ransomware by the numbers: Reassessing the threat’s global impact

Ransomware isn’t gone; it has undergone a major shift. Ransomware aimed at large numbers of victims has been replaced by targeted destructive attacks, often against large companies. Additionally, attackers seem more focused on exfiltrating data as well as encrypting it: they siphon off confidential information and threaten to make it public if victims refuse to pay. The aim is to launch fewer attacks, each with a much larger payout, rather than to collect smaller amounts from large numbers of victims.

This report examines the numbers that underlie the ransomware threat in 2019 and 2020. It also discusses what these numbers mean and what they can tell us about the future of ransomware.

The key findings

  • In 2020, the number of unique users who encountered ransomware was 1,091,454. This is a decrease from 1,537,465 in 2019.
  • Among all users who encountered malware, the share who encountered ransomware was 3.31% in 2019. This dropped slightly to 2.67% in 2020.
  • Ransomware detections accounted for 1.49% of all malware detections in 2019, and 1.08% in 2020.
  • WannaCry was the most commonly encountered crypto-ransomware on Windows systems in both 2019 and 2020.
  • In 2019, 72,258 users encountered ransomware on their smartphones. In 2020, this number fell to 33,502.
  • The share of ransomware-infected users on mobile devices remained stable at 0.56% between 2019 and 2020.
  • The number of ransomware families that targeted unique users increased by 767 percent between 2019 and 2020.
  • Engineering and manufacturing accounted for 25.63% of all targeted ransomware attacks.


This report was created using Kaspersky Security Network (KSN) depersonalized data.

Two main metrics are used. The first, unique users, refers to the number of distinct Kaspersky users who encountered ransomware at least once during a given period. The second, detections, refers to the number of ransomware attacks that Kaspersky products blocked in a given period.

Kaspersky experts also researched the threat landscape in the report.

Kaspersky products can detect different types of ransomware. These include crypto-ransomware (which encrypts files), screen lockers, and browser lockers. Unless otherwise noted, statistics refer to all types of ransomware.

Ransomware on all platforms

Kaspersky previously pointed out that ransomware detections have been decreasing steadily since 2017. This trend continued through 2019 and 2020.

In 2019, the number of ransomware victims across all platforms was 1,537,465. That number dropped to 1,091,454 in 2020, a 29% decrease.

Comparison of ransomware cases among KSN users, 2019-2020

In fact, in 2020 the total number of ransomware-infected users across all devices was lower than in the prior year. The number of ransomware-infected users was stable in both years: it hovered between 100,000 and 170,000 in 2020, and between 150,000 and 190,000 in 2019, when the numbers were slightly higher. July 2019 was the exception, when two ransomware families increased their numbers. Bluff is a browser locker that presents victims with a fake tab warning of dire consequences if they don’t pay a certain amount. Rakhni is a crypto-ransomware that first appeared in 2013. It was distributed via spam with malicious attachments.

The share of ransomware-infected users among all users who encountered malware on their devices decreased from 3.311% in 2019 to 2.677% in 2020. The share of ransomware detections among the total number of malware detections has been relatively stable, decreasing only slightly between 2019 and 2020, from 1.49% to 1.08%.

The most active crypto-ransomware families

WannaCry remains the most active crypto-ransomware family three years after its first public appearance. WannaCry infections have caused at least $4 billion in damage across 150 countries. WannaCry was encountered by 21.85% of users who encountered crypto-ransomware in 2019.

Top Five Crypto-ransomware Families, 2019

GandCrab, which followed the ransomware-as-a-service (RaaS) model, was another active ransomware family in 2019. STOP/DJVU and PolyRansom/VirLock were also among the top five. Shade, a widely used crypto-ransomware that first appeared in 2014, was still active in 2019, although its activity has been declining for many years. In 2020, Kaspersky released a decryptor for all Shade strains, and Shade was no longer among the top five ransomware families that Kaspersky products detected.

Top Five Crypto-ransomware Families, 2020

WannaCry remained the most commonly encountered family in 2020, with 16% of users (80,207) having encountered this malware. A new strain, Crysis/Dharma, also entered the top five most active families. Crysis can use multiple attack vectors but has recently relied primarily on unsecured RDP access. First discovered in 2016, the malware has continued to evolve and now follows the ransomware-as-a-service model.

The trend toward consolidation of ransomware organizations, first observed in 2018, was evident in 2019 and 2020. A few families remain prominent in the threat landscape. The rest of the attacks are carried out by ransomware Trojans that do not belong to any particular family. There are always new families, such as STOP and GandCrab.

Geography of a ransomware attack

When analyzing the geography of attacked users, we take into account the geographical distribution of Kaspersky customers: we consider the number of users who encountered ransomware relative to the number of Kaspersky customers in the region.

All percentages represent the share of users who encountered ransomware at least once, out of the total number of users who encountered malware during the period.