Top 13 ransomware targets in 2024 and beyond

Two in three organizations suffered ransomware attacks in a single year, according to recent research. And, while some sectors bear the brunt, no one is safe.

When a public community college in the state of Washington suffered a ransomware attack, the effects were catastrophic.

"They lost every server. Everything -- email, coursework, lectures -- everything was gone," said Steve Garcia, information security officer at Wenatchee Valley College (WVC) in Wenatchee, Wash., which is part of the same educational system as the targeted school. "It was pretty devastating."

The breach occurred several years ago when an IT employee logged into a server from a home computer to perform routine weekend maintenance, according to Garcia. The employee then checked their email and accidentally clicked on a phishing link that initiated the attack.

The malware infected and encrypted the backup server, requiring the college to rebuild its entire IT environment from scratch. The rebuilding process took months and caused student enrollment to plummet. "It was an eye-opener," Garcia said. "You read about it, you hear about it, but it's typically a private sector company, far away. It's different when it hits that close."

That college isn't alone. According to a 2023 global survey of 3,000 IT professionals by cybersecurity vendor Sophos, around two in three organizations suffered a ransomware incident in the previous 12 months. The education sector took the hardest hit, with about four in five of those organizations fielding attacks.

But experts cautioned that, while some organizations might be at higher risk of becoming ransomware targets than others, no single industry shoulders all, or even most, of the risk. To that point, ransomware attacks struck at least half of organizations across all industries represented in the Sophos survey. The takeaway: No one is safe.

That said, ransomware incidents in certain industries, such as critical infrastructure and healthcare, tend to garner the most attention. Incidents involving lower-profile targets -- local governments and small businesses, for example -- typically attract less notice, sometimes leading to the misperception they are not particularly attractive ransomware targets. Unfortunately, that's far from the case.

"Whether a 500-person company or a 50,000-person company, everybody's a target," said Chris Silva, analyst at Gartner. Why? Ransomware gangs are businesses. "What attackers really seem to be looking at is where they can expect the maximum financial impact," he explained. That might mean a single, massive attack on a natural gas pipeline or many attacks spread across dozens of smaller organizations.

Bearing all of that in mind, what follows are 13 of the top -- but by no means the only -- ransomware targets by sector, based on the Sophos survey and other data.

1. Education

The education sector had the highest ransomware attack rate as of 2023, according to Sophos' most recent "State of Ransomware" report. Eighty percent of elementary, middle and high schools and 79% of higher education institutions reported sustaining attacks in the year leading up to the survey. Additionally, lower education organizations were the most likely -- across all sectors -- to report losing business or revenue due to ransomware incidents.

In one recent example, the ransomware gang Vice Society struck the Los Angeles Unified School District, California's largest public school system. When the district refused to pay the ransom demand, the operators leaked 500 GB of stolen data on the dark web.

Higher education victims include the Savannah College of Art and Design in Savannah, Ga.; William Carey University in Hattiesburg, Miss.; and North Carolina Agricultural and Technical State University in Greensboro, N.C.

[Chart: Top ransomware targets by industry] The education sector reported the highest attack rate in the 2023 Sophos survey.

2. Construction and property

In early 2023, 71% of businesses dealing in construction and property told Sophos they had experienced recent ransomware attacks -- a 129% increase in two years. These organizations were also overwhelmingly likely to report losing business and revenue as a result of the incidents, second only to lower education.

Publicly traded real estate investment firm Marcus & Millichap disclosed in late 2021 that it had experienced a cybersecurity attack, which TechTarget found might have been the work of the BlackMatter ransomware gang.

3. Central and federal government

Of the central government organizations from around the globe surveyed by Sophos, 70% said they had experienced ransomware attacks in the 12 months leading up to the report.

In one example, the Conti gang waged a ransomware attack on the central government of Costa Rica, prompting the country's president to declare a national state of emergency. The government refused to pay the ransom, and the cybercriminals leaked nearly all the stolen data.

In another high-profile incident, Ireland's national health service fell victim to a ransomware attack that forced the government to shut down all hospital IT systems, seriously disrupting patient care.

4. Media, entertainment and leisure

Businesses in the media, entertainment and leisure sectors remained among the top ransomware targets in 2023, with a 70% attack rate. In more than half of those incidents, the root cause was an exploited vulnerability, which Sophos analysts suggested points to particularly widespread security gaps.

According to Publishers Weekly, when Macmillan Publishers experienced a cyber attack involving "the encryption of certain files" -- almost certainly a ransomware incident -- it had to take all of its IT systems offline, halting book orders. Confirmed ransomware attacks have also hit Cox Media Group and Sinclair Broadcast Group, causing operational disruptions.

5. Local and state government

Local and state government organizations experienced a similar attack rate to central government agencies, with 69% getting hit in the months leading up to the 2023 Sophos survey.

In September 2022, for instance, a massive ransomware attack forced Suffolk County, N.Y., to take all its systems offline, seriously compromising emergency services and forcing county employees to work without the internet.

More recently, a May 2023 ransomware attack on the City of Dallas disrupted multiple services, including 911 emergency response, municipal courts, animal services and the police department website.

Notably, North Carolina and Florida have banned their state agencies and local governments from making ransom payments, a move other states have also considered.

6. Retail

The retail sector tied with local and state governments in the Sophos 2023 survey, with 69% reporting recent ransomware attacks. While that figure is high, it does represent an 8 percentage-point improvement over the sector's attack rate the previous year.

In one example of a ransomware attack on a retail company, Computer Weekly learned in 2021 that British retailer FatFace had paid the Conti ransomware gang $2 million to return company data.

Several months later, an unprecedented ransomware supply chain attack on software provider Kaseya ultimately infected as many as 1,500 businesses. Among them was Swedish grocery store chain Coop, which had to temporarily close the majority of its 800 retail stores in response. The retailer said the malware prevented many of its cash registers from working.

7. Energy and utilities infrastructure

Ransomware struck 67% of the oil, gas and utilities organizations that Sophos surveyed in 2023, a slight decline from the previous year. These attacks can cause particularly catastrophic damage and disruption, making the sector of perennial interest to cybercriminals.

"They are quite good at understanding where critical infrastructure pieces exist, how they can hit them and how they can use that to really put the heat on their victims," Gartner's Silva said.

One of the most infamous ransomware attacks to date happened when the DarkSide gang reportedly infiltrated Colonial Pipeline Co. via a legacy VPN account, shutting down operations and disrupting the U.S. East Coast's fuel supply for days. Although the ransomware operators successfully collected $4.4 million, the Department of Justice said it later recovered half of that payment using a private key.

[Screenshot: REvil ransomware demand] Today's ransom demands, such as this one from REvil, often threaten to exfiltrate and expose stolen data if victims don't pay.

8. Distribution and transport

Cybercriminals have long viewed organizations in the logistics sector as attractive ransomware targets. Almost a decade ago, for example, a still-infamous NotPetya attack cost Danish shipping giant Maersk up to $300 million in lost revenue.

As of 2023, two out of three distribution and transport companies told Sophos they had recently experienced ransomware incidents. In one such attack, ransomware hit German fuel logistics firm OilTanking, disrupting deliveries at around 200 gas stations.

9. Financial services

Sophos' "State of Ransomware 2023" report found good news and bad news for financial services: While the sector's attack rate increased year over year -- from 55% to 64% -- it still had a lower attack rate than many other sectors.

Ransomware's impact on the financial services sector has the potential to be widespread and catastrophic. New York's Department of Financial Services has warned that a major ransomware attack could cause "the next great financial crisis" by crippling key organizations and causing a loss of consumer confidence.

10. Business, professional and legal services

Unit 42, Palo Alto Networks' threat research and consulting group, considers professional and legal services to be one of today's most targeted sectors, second only to manufacturing. The researchers based their conclusion on data they found on ransomware leak sites, where criminals post victims' stolen data.

Unit 42 researchers speculated these companies -- which include accounting, advertising, consulting, engineering, marketing and law firms -- might make attractive ransomware targets for the following two reasons:

  1. They often rely on outdated and unpatched systems and software, making it easier for criminals to gain access to their networks.
  2. They cannot provide their products and services without functional IT, incentivizing them to pay ransoms quickly or experience significant business fallout.

In the Sophos 2023 survey, three in five business and professional services organizations said they had suffered ransomware attacks over the previous year.

11. Healthcare

Medical centers' high-stakes work and widespread security vulnerabilities make them a favorite target of cybercriminals, according to the Ransomware Task Force, a group of tech executives that makes recommendations to the White House. The good news: The percentage of healthcare organizations that told Sophos researchers they had recently experienced ransomware attacks fell from 66% in 2022 to 60% in 2023.

Still, the effects of ransomware incidents in this sector can be particularly disastrous. An attack on a hospital in Düsseldorf, Germany, forced healthcare workers to send a patient with a life-threatening condition to another hospital 20 miles away. The patient later died, with German prosecutors saying it might have been one of the first ransomware-related fatalities. Investigators opened a negligent homicide case but abandoned it when they couldn't prove the breach directly caused the woman's death.

Although officials haven't yet successfully held cybercriminals accountable for negative patient outcomes, research strongly suggests ransomware attacks have already contributed to unnecessary deaths.

12. Manufacturing and production

Sophos researchers found more than half of manufacturers had fielded recent ransomware attacks in the 12 months leading up to the survey. For instance, operators hit a number of big corporations in early 2023, including major produce company Dole. The attack affected the company's systems throughout North America, according to an email shared by one of Dole's Texas-based retail partners on Facebook.

In a particularly notorious example of an attack on this sector, the REvil ransomware gang brought operations to a total halt at beef manufacturer JBS USA, one of the United States' largest meat suppliers. Although the company said it was back up and running within four days, thanks to its backup servers, JBS USA later confirmed paying $11 million to the hackers to stop data exfiltration and leaks.

13. IT, technology and telecoms

One in two organizations in the IT, technology and telecommunications industries dealt with ransomware attacks between January 2022 and March 2023, Sophos researchers found. They attributed this relatively low attack rate to greater cyber-readiness and better cyberdefenses. Organizations from this sector were also the only ones who saw their data encrypted in fewer than half of ransomware attacks. Across the other industries, malicious actors successfully encrypted data in more than two-thirds of attacks.

Recent ransomware targets in the IT, technology and telecoms sector include Taiwan-based PC manufacturer Acer, which received one of the largest ransom demands on record at the time -- $50 million -- from the REvil gang. Whether the company paid the ransom is unknown.

MSPs are also ransomware targets -- and not just the major players. For example, the owner of ITRMS, a small MSP based in Riverside, Calif., has described fielding multiple such attacks over the years, against both his own firm and his clients.

Everyone is a potential ransomware target

While research suggested organizations across these 13 industries are among the top ransomware targets, experts emphasized that no organization -- regardless of size or sector -- is immune.

That reality -- and memories of the attack on his nearby peer institution -- keep WVC's Garcia up at night. The information security officer said that, after learning of the ransomware incident at WVC's sister college, he immediately dropped everything he was working on to assess his own organization's network infrastructure and cybersecurity posture.

Garcia reviewed server access, application activity, data classification and retention policies, endpoint security and more. His team also deployed a new air-gapped backup system using technology from Veeam and ExaGrid, going over every account setting with a fine-toothed comb. "If our entire infrastructure is compromised, I want to know my backup data is going to be secure," he said.

His counterparts at other schools in the Washington community college system went through similar exercises after the attack, Garcia added, describing a sudden "flurry of awareness" in the region. He and other college security leaders even held a series of emergency meetings to share knowledge, brainstorm and engage in ransomware tabletop exercises.

Garcia said his goal is not to dodge a ransomware attack altogether, which experts and statistics suggest is next to impossible. Rather, it's to survive it.

"Maybe we lose half our servers and some specific subnets, and we're restoring from backup," he said. "But at least it's a survivable scenario, versus having everything gone, like what happened to that other community college."

Alissa Irei is senior site editor of TechTarget Security.
