Ransomware: 2022's top attacks and need-to-know stats

by Egress
Published on 17th Sep 2021
Money Ransom 1003X250 47Kb

As the barriers to entry for ransomware actors continue to lower, the number of ransomware attacks is rising. In addition to the number of attacks rising, the methods of deployment for these attacks are becoming increasingly sophisticated and increasingly targeted. 

While ransomware attacks once focused on removing users’ access to data through editing usernames and passwords and encrypting data, it has become common for hackers to threaten to publish sensitive material online. A single ransomware attack can now lead to years of reputational damage.

In this article, we take a look at some of the biggest ransomware attacks of 2022 so far:

Red Cross

In January 2022, a ransomware attack on a third-party contractor of the Red Cross led to the records of over half a million people classified as “highly vulnerable” being compromised. The breach included the data of people who had been separated from their families due to conflict, migration and disaster, as well as people in detention. 

The Red Cross took its servers offline in order to stop the attack and investigate the breach. However, no culprit was identified.


In February 2022, leading global chipmaking giant Nvidia was compromised by a major ransomware attack. Hacking group “Lapsus$”, which has also breached other global tech companies including Microsoft and Samsung, claimed responsibility for this breach. 

Hackers stole 1 terabyte of data – including sensitive information such as the usernames and passwords of over 71,000 employees, the designs of Nvidia graphics cards, and the source code for an Nvidia AI rendering system called DLSS – from its networks, and leaked it online. The system was offline for two days as a result.


Manufacturers hold lots of valuable data. This makes them popular targets for attackers, who typically hold this data hostage in exchange for a ransom. Between February and March 2022, hackers targeted three Toyota suppliers – Kojima Industries, Denso, and Bridgestone. 

The attack on Kojima industries led to Toyota having to temporarily stop operations in 14 of its Japanese plants, which led to a 5% dip in the company’s monthly production capacity. Meanwhile, the Bridgestone attack led to computer network and production facility shutdowns in the US. 

Costa Rica

Major ransomware attacks that started in April 2022 have been wreaking havoc on Costa Rica’s essential services. According to officials, thousands of medical appointments have had to be rescheduled, and tax payments have also been disrupted. Some organizations have had to abandon technology and turn back to pen and paper to fulfill their obligations. 

In May, the situation got so bad that Costa Rica declared a state of emergency – a measure usually reserved to deal with national disasters, or Covid-19. This is the first time that a country has declared a national emergency due to a ransomware attack. 

The Costa Rican government has identified Conti ransomware, thought to be led by the  Russia-linked cybercrime gang ‘Wizard Spider’, as the cause of these attacks. In May 2022, The United States government offered a reward of up to $10 million for information on the group. 


In June, Africa’s largest supermarket chain, Shoprite Holdings, suffered a ransomware attack. The company has over 3,000 stores across multiple companies, almost 150,000 employees, and a revenue of $5.8 billion. 

Threat actor RansomHouse took responsibility for the attack. The gang took to Telegram to criticize Shoprite, claiming: “Their staff was keeping enormous amounts of personal data in plain text, completely unprotected.” They claimed to have obtained 600GB of data from Shoprite, which they said was “in plain text/raw photos packed in archived files, completely unprotected.”

Important ransomware statistics for 2022

Who are the most active ransomware gangs?

  • Russia-based cybercrime group Conti and Ransomware-as-a-Service (RaaS) group Lockbit 2.0 were the two most active ransomware gangs in Q1 2022. 
  • Together, the gangs accounted for 57.8% of all incidents reported. Since Q3 2021, Lockbit has leaked more than 200 victims per quarter. 

Which countries are being targeted by ransomware groups?

  • The US is still by far the most targeted country, accounting for 38.5% of ransomware attacks. This is likely because of the perceived wealth of US organizations, in addition to the success of ransomware groups receiving payments from US companies in the past.The most targeted geographies after the US are the UK, Italy, Germany, France, and Spain. 

Cost of ransomware attacks

  • In Q2 2022, the average ransom payment increased by 8% from Q1 to $228,125. However, the median ransom payment fell by 51% from Q1 to $36,360. This suggests that attackers are focusing more on mid-market attacks, which are more consistent and less risky than high-profile attacks. 
  • This year, innovations in preventative policy have evolved. In April 2022, North Carolina became the first US state to prohibit public entities from paying ransoms. In June, Florida followed suit

Worried about ransomware? Learn how the rising epidemic can be stopped here.

Unless you've been living underneath a rock, you’ll know ransomware attacks have been running rampant in recent months. Phishing emails are the primary method for delivering ransomware, as hackers can target ordinary, vulnerable users instead of trying to bypass security systems. It only takes one employee to click on one malicious link or email to breach an entire system.

The rise of Ransomware-as-a-Service, where ransomware developers outsource their operations to affiliates that execute the attack, has made it easier than ever for wannabe-cybercriminals to get hold of the malware. 

Ransomware can affect organizations of all sizes – let’s take a look at some of the biggest from the past year.

Top ransomware attacks of 2021

Colonial Pipeline

The DarkSide group deployed ransomware to Colonial Pipeline's network equipment on May 7, 2021. The attack vector was a compromised password to a VPN account that was no longer in use, which companies can easily prevent by implementing multi-factor authentication.

The attack impacted the oil infrastructure along the US East Coast, resulting in panic buying and fuel shortages. The company paid the requested ransom of $4.4 million with the assistance of the FBI, of which $2.3 million was recovered a month later.


There was an attack on this prominent Taiwanese computer manufacturer in March 2021. Threat actors gained access to the company's network via a Microsoft Exchange vulnerability. 

Data exposed might include client lists, payment information, and financial documents. Acer allegedly paid a ransom of $50 million — the highest ransomware payment reported to date.

Kia Motors America

The automaker allegedly suffered a DoppelPaymer ransomware attack that caused an extensive system outage in February 2021. The incident impacted the company's mobile apps, payment services, phone services, owner portal, and dealerships' systems.

The criminals demanded a $20 million ransom to decrypt the files and not leak the stolen data online. Kia's parent company, Hyundai, might also have been attacked since it experienced similar outages.

DC Police Department

Ransomware doesn't spare law enforcement agencies. The attack aimed at the Metropolitan Police Department in DC in April 2021 resulted in a massive exposure of the department's internal information because it refused to pay the $4 million ransom.

The Babuk group, a Russian ransomware syndicate, was responsible for the attack. This incident is the most damaging ransomware attack to hit a US police department to date.


The REvil ransomware group attacked the global beef manufacturer on May 30, 2021. The company had to shut down its operations until June 3, 2021. JBS later revealed that it paid an $11 million ransom after the attack forced it to halt cattle-slaughtering operations at 13 meat processing plants.

After the incident, both the White House and the US Attorney General expressed concern over ransomware attacks becoming national security threats.

But what was the biggest ransomware attack?

Kaseya, a software provider that offers remote management monitoring to managed service providers (MSPs), was attacked on July 2, 2021. Threat actors exploited the company's platform to deploy ransomware to the networks of its end customers.

This incident underscores the increasing risks in software supply chains. More cybercriminals are targeting software providers, sneaking malicious codes into software updates that get pushed out to thousands of organizations so they can infiltrate numerous targets all at once.

Get report

Phishing As A Service Gated Widget Cropped

Get report

Phishing-as-a-service: How cybercrime went commercial

Get your copy

Important ransomware statistics for 2021

Although we only hear about high-profile incidents, ransomware attacks are more prevalent than many people assume.

How many ransomware attacks occur each year?

In 2020, 304 million ransomware attacks occurred worldwide. The number has increased rapidly in 2021, with 115.8 million attacks reported in Q1 and 188.9 million in Q2.

How much have ransomware attacks increased?

The number of ransomware attacks increased by 62% between 2019 and 2020. Meanwhile, the global attack volume jumped by 151% during the first six months of 2021 compared to the same period in 2020.

Frequency of ransomware

How ransomware attacks are delivered

  • The most common ransomware delivery mechanisms are phishing emails and drive-by downloading when users visit an infected website.
  • Over 90% of ransomware attacks are delivered via email phishing 
  • Companies experience an average downtime of 21 days after a ransomware attack.

Cost of ransomware attacks

  • The total recovery cost from a ransomware attack has increased from $761,106 in 2020 to $1.85 million in 2021.
  • In a recent survey:
    • 66% of respondents suffer significant revenue loss after a ransomware attack
    • 53% said their brand images were negatively impacted
    • 29% were forced to cut jobs
Seven New Phishing Scams Gated Widget Cropped 2

Seven new (and convincing!) phishing scams you need to know about

Read now

You might also be interested in ...

What is phishing?: The Ultimate Guide

Everything you need to know about phishing in one place

Infographic: How to spot a phishing email?

Check out our latest infographic for a 101 on the different types of phishing emails and how to spot one when it lands in your inbox.

Impersonating executives: A dangerous phishing tactic

Cybercriminals are impersonating executives to get into your inbox. Learn more about how CEO fraud works.