Top 10 ransomware targets by industry
In any given year, certain industries seem to make more attractive targets for ransomware groups. But no single sector shoulders all -- or even most -- of the risk.
More than half of all organizations -- 59% -- suffered a ransomware incident between January 2023 and February 2024, according to a global survey by cybersecurity vendor Sophos. The hardest hit included organizations from the following sectors: central and federal government; healthcare; energy, oil and utilities; and higher education.
Consistent with the so-called big-game hunting trend that sees ransomware operators targeting organizations with deep pockets, Sophos' "The State of Ransomware 2024" report also found a correlation between revenue and ransomware infections. On the high end, enterprises with more than $5 billion in annual revenue had a 67% attack rate. But nearly one in two of the smallest organizations surveyed also experienced recent ransomware incidents, underscoring a fundamental truth: When it comes to ransomware, everyone is a target.
Ransomware gangs, after all, are businesses. As such, their strategies constantly evolve to maximize profits and adapt to changing market conditions. From year to year, Sophos' annual survey shows shifting attack rates across industries, perhaps as defensive mechanisms and the propensity to pay fees wax or wane.
With that in mind, what follows are 10 of the top -- but by no means the only -- ransomware targets by sector, according to the most recent Sophos survey.
1. Central and federal government
Of the central government organizations from around the globe that Sophos surveyed in 2024, 68% said they experienced ransomware attacks in the previous 12-month period. Researchers speculated the high attack rate reflects a chaotic geopolitical climate, with more politically motivated incidents. This sector also saw the highest median ransom demand, at $7.7 million.
In a particularly infamous example of a ransomware attack on a central government, Costa Rica fell victim to the Conti gang in 2022. Multiple federal agencies lost digital services, prompting the country's president to declare a national state of emergency. The government refused to pay a ransom, and the cybercriminals leaked nearly all of the stolen data.
2. Healthcare
Medical centers' high-stakes work and widespread security vulnerabilities make them a favorite target of cybercriminals. In 2024, two in three healthcare organizations told Sophos researchers they had recently experienced ransomware attacks. Healthcare was also among the most likely sectors to ultimately pay higher ransom fees than operators originally demanded (57%), second only to higher education institutions (67%).
Ransomware incidents in this sector can be deadly. An attack on a hospital in Düsseldorf, Germany, once forced healthcare workers to send a patient with a life-threatening condition to another hospital 20 miles away. The patient later died, with German prosecutors saying it might have been one of the first ransomware-related fatalities. Investigators opened a negligent homicide case but abandoned it when they couldn't prove the breach directly caused the woman's death.
Although officials haven't yet successfully held cybercriminals accountable for negative patient outcomes, research strongly suggests ransomware attacks have already contributed to unnecessary deaths.

3. Energy and utilities infrastructure
The energy, oil, gas and utility sector's attack rate held steady at 67% between Sophos' 2023 and 2024 surveys, with nearly half of recently occurring ransomware incidents stemming from exploited vulnerabilities.
Attacks on critical infrastructure in this industry can cause particularly high-profile damage and disruption, making it of perennial interest to cybercriminals. One of the worst ransomware attacks in history happened when the DarkSide gang infiltrated Colonial Pipeline Co. using a legacy VPN account, shutting down operations and disrupting the U.S. East Coast's fuel supply for days. Although the ransomware operators successfully collected $4.4 million, the Department of Justice said it later recovered half of that payment using a private key.
4. Higher education
With a 66% attack rate, higher education institutions remained among the top ransomware targets, Sophos found. This sector was also the most likely to pay higher ransom fees than attackers originally demanded. Researchers speculated this might be due to both a commitment to recovering sensitive data regardless of cost and less ready access to professional negotiation services.
In 2022, 157-year-old Lincoln College became the first American college to attribute its permanent closure in part to a ransomware attack. The school also pointed to the COVID-19 pandemic as a contributing factor. More recent targets include Texas Tech University's Health Sciences Centers, the Colorado Department of Higher Education and Bunker Hill Community College in Boston.
5. Financial services
In the months leading up to the 2024 Sophos report, ransomware attacks struck 65% of financial services organizations surveyed. This sector also reported the lowest rates of data encryption. Financial organizations were also the most likely to successfully negotiate for lower ransom fees -- down to 75% of the initial demand, on average.
A major ransomware attack on this industry could have widespread, catastrophic effects on the economy and society at large. New York's Department of Financial Services has warned it could cause "the next great financial crisis" by crippling key organizations and causing a loss of consumer confidence.
6. Manufacturing and production
Manufacturers saw the greatest year-over-year increase in ransomware attack rates in 2024, with 65% of survey respondents reporting attacks, up from 56% in 2023. But among organizations that negotiated for lower ransom fees, manufacturers also saw the greatest overall reduction in ransom payments -- 30% less, on average, than initial demands.
In one of the most notorious ransomware incidents of all time, the REvil ransomware gang brought operations to a total halt at beef manufacturer JBS USA, one of the United States' largest meat suppliers. Although the company said it was operational within four days, thanks to its backup servers, JBS USA later confirmed paying $11 million to the hackers to stop data exfiltration and leaks.

7. Lower education
Lower education's ransomware attack rate fell from 80% in 2023 to 63% in 2024, among the survey's biggest year-over-year drops. In less positive news, victims in this sector were among the most likely to see their data backups compromised by malware and also among the most likely to pay higher ransom fees than threat actors initially demanded.
In one recent example of an attack on lower education, the Chambersburg Area School District in Pennsylvania had to shut down for several days after a ransomware attack took down its computer systems. The closure affected more than 9,000 students and their families.
8. Media, entertainment and leisure
The media, entertainment and leisure sector saw its attack rate fall from 70% in 2023 to 62% in 2024. While they had one of the highest rates of backup use (74%), these organizations were also the most likely to pay ransoms to recover data (69%).
According to Publishers Weekly, when Macmillan Publishers experienced a cyberattack involving "the encryption of certain files" -- almost certainly a ransomware incident -- it had to take all of its IT systems offline, halting book orders. Confirmed ransomware attacks have also hit Cox Media Group and Sinclair Broadcast Group, causing operational disruptions.
9. Construction and property
Sixty-two percent of businesses in construction and property told Sophos they had experienced recent ransomware attacks as of early 2024. While this sector had one of the lowest median ransom demands, that number was still considerable -- $1.1 million.
Publicly traded real estate investment firm Marcus & Millichap disclosed in late 2021 that it had experienced a cybersecurity attack, which Informa TechTarget found might have been the work of the BlackMatter ransomware gang.
10. Distribution and transport
Ransomware hit three out of five distribution and transport companies Sophos surveyed in 2024. Thirty-six percent of these incidents stemmed from exploited vulnerabilities, while nearly one in four resulted from phishing emails.
Cybercriminals have long viewed organizations in the logistics sector as attractive ransomware targets. Almost a decade ago, for example, a still-infamous NotPetya attack cost Danish shipping giant Maersk up to $300 million in lost revenue.
Additional ransomware targets
Attack rates in state and local government fell dramatically year over year, from 69% to 34%. Attack rates in both retail and business and professional services also fell, from 69% to 45% and 60% to 50%, respectively. Fifty-five percent of IT, technology and telecom companies saw ransomware attacks, up five percentage points from 2023.
Alissa Irei is senior site editor of Informa TechTarget's SearchSecurity site.