Ransomware Trends Shift: Report Highlights Changes in Targeted Industries

June 20, 2023

As the consensus is that ransomware attacks will only increase in the coming years, it is helpful to look at the ransomware trends that vary from year to year. The latest ransomware report from NordLocker shows the global ransomware landscape is changing significantly.

001 Ransomware Trends Shift  Report Highlights Changes in Targeted Industries and Countries

As the consensus is that ransomware attacks will only increase in the coming years, it is helpful to look at the ransomware trends that vary from year to year. The latest ransomware report from NordLocker shows the global ransomware landscape is changing significantly. 

The US, the UK, and Germany suffered the most ransomware attacks in 2022

As has been the trend, US businesses continue to be the most affected by ransomware attacks year after year. In 2022 American businesses suffered 876 attacks, while in 2021 there were 1,237 reported incidents. Although the number decreased last year, US companies still bore the brunt of these malicious cyber activities.

However, the shifting focus toward other countries, notably the United Kingdom and Germany, is an interesting development in the ransomware landscape. Both nations experienced a significant percentage increase in ransomware attacks in 2022 compared to the previous year. 

In 2021, the UK experienced 4% of all global ransomware attacks, which rose to nearly 6% in 2022. Similarly, Germany saw an increase from 3.7% in attacks in 2021 to 4.1% in 2022.

The top five most attacked countries also changed between the two years. In 2022, the ranking shifted to the US (38.8%), the UK (5.6%), Germany (4.2%), Canada (3.9%), and Italy (3.3%) from the US (45.8%), Canada (4.6%), France (4.5%), the UK (4.4%), and Germany (3.7%) in 2021. 

Immense attacks on the financial sector 

The number of ransomware attacks worldwide decreased slightly between 2021 and 2022. In 2022, the number of reported attacks dropped to 2,257 (from 2,702 in 2021).

Last year, the top three most attacked industries shifted to construction (142 attacks), finance (120 attacks), and manufacturing (119 attacks). In 2021, manufacturing (223 attacks), construction (214 attacks), and transportation (181 attacks) companies were the most affected by ransomware attacks. 

"This change may suggest that threat actors concentrate their efforts on specific regions or industries. We've noticed that finance companies have become increasingly worried about their cybersecurity. Companies are noticing an increase in cyberattacks in this sector," says Aivaras Vencevičius, head of product for NordLocker. 

The most notable change in this evolving landscape is the increased targeting of the financial sector. In 2021, financial companies were only the sixth most attacked sector. By 2022, they had become the second most attacked sector. Vencevičius says this dramatic shift highlights the growing threat to financial institutions and emphasizes the need for increased security measures within the industry.

Top profit-generating companies under ransomware attacks

The largest companies (in terms of revenue) are facing significant ransomware threats all the time. 

Largest companies attacked in 2022 (in terms of revenue):

  • The largest company attacked was a US wholesale drug firm, generating $238 million in revenue and employing 43,000 individuals. The Lorenz ransomware group targeted this organization. 

  • The second-largest company affected was a Japanese manufacturing business, with a revenue of $66 million and a workforce of 240,000, which fell prey to the notorious Conti ransomware group.

  • Last, another Japanese automotive company, with a revenue of nearly $60 million and 170,000 employees, experienced a ransomware attack carried out by the Pandora group.

Largest companies attacked in 2021:

  • The largest among these was a Switzerland-based insurance company with a revenue of nearly $70 million and 56,000 employees, targeted by the CoomingProject ransomware group. 

  • The second-largest company attacked was a Japanese automotive business, boasting almost $60 million in revenue and employing 170,000 people. This company fell victim to the Rook ransomware group. 

  • Additionally, an Ireland-based public healthcare company with an unknown revenue and a massive workforce of 674,000 was targeted by the LockBit ransomware group.

Fewer attacks in 2022: More companies improving their cybersecurity

Another interesting observation is the decrease in the number of countries targeted by ransomware attacks. While in 2022, the number dropped to 91 countries, 102 countries were affected in 2021.

In 2021, the Conti ransomware group was the most active, carrying out 445 attacks worldwide. However, in 2022, a different group took the lead, with LockBit emerging as the most active ransomware group responsible for an alarming 723 attacks worldwide. 

“The NordLocker ransomware report shows that ransomware attacks have declined in the past year, indicating that companies are increasingly concerned about cybersecurity and implementing cybersecurity measures,” says Vencevičius. The head of product at NordLocker adds that if more companies are safe against cyberattacks, the rest are at a much higher risk of being attacked. 

The best actions to start with implementing practices to protect businesses from ransomware are:  

  • Encourage proper file hygiene, encryption, and backups. File hygiene and backups can't stop cyberattacks, but they give the company leverage. Even if a company becomes a target for ransomware, the ability to restore data immediately will guarantee business continuity. And if the company keeps the files encrypted, the information will be unreadable to hackers. 

  • Encourage cybersecurity training. Investing in your employee's knowledge is the most cost-effective way to protect your organization from ransomware because 82% of cyberattacks happen due to human error. It should be organized regularly and have a holistic approach that includes every employee.

  • Keep software up to date. Most cyberattacks either use social engineering to exploit the flaws in human nature or malware utilizing outdated software. Ensure everyone at the company understands the importance of keeping software up to date.

  • Adopt zero-trust network access, meaning that every access request to digital resources by a staff member should be granted only after their identity has been appropriately verified.

Methodology: Data was collected from publicly available blogs where ransomware gangs post the names of their victims and their demands. The ransomware attacks under investigation all happened during the period between 01/01/2020 to 30/04/2023.  


NordLocker is the world's first end-to-end file encryption tool with a private cloud. It was created by the cybersecurity experts behind NordVPN – one of the world's most advanced VPN service providers. NordLocker is available for Windows and macOS, supports all file types, offers a fast and intuitive interface, and guarantees secure sync between devices. NordLocker protects files from hacking, surveillance, and data collection. For more information: https://nordlocker.com/ 

Share this listing