A study of 2,700 IT professionals across the globe has revealed that 54% of organizations suffered a ransomware attack in the last year, and most organizations were hit more than once, with the average number of ransomware attacks being two.

On average, every ransomware attack costs companies $133,000, but some infections were more widespread than others, and 5% of respondents said they dealt with ransomware incidents that cost between $1.3 million and $6.6 million.

These estimates included not just the cost of the ransom fee, but also lost work hours, equipment downtime, device and network costs, and lost business opportunities.

Healthcare sector hit the most


Ransomware victims were also not spread equally across the globe and across industry verticals. India had the highest level of infection, followed by Mexico, the US, Canada, and South Africa.

As for verticals, some industries were hit more than others, above the 54% median. The hardest hit was the healthcare sector, with 76% of respondents saying they suffered a ransomware attack in the past 12 months. Second came energy, oil, gas, and utilities with 65%, followed by services with 59%, retail, distribution, and transport with 58%, and IT, technology, and telecoms with 55%.

Sophos ransomware charts

“Although both healthcare and financial services hold high-value data, healthcare is often perceived as a soft target, leading to increased frequency of attack,” said Sophos, the cyber-security company behind the survey.

“That assumption is not without merit – healthcare tends to have an aging IT infrastructure, leaving security holes, as well as restricted resources for improving IT security,” experts said. “Healthcare organizations are also considered to be more likely to pay a ransom.”

Attackers don’t care about organization size


“Interestingly, hackers are not discriminating by organization size,” Sophos added. “The likelihood to suffer an attack is about the same for both smaller and larger companies responding to the survey.”



Numbers showed that 50% of the organizations with 100 to 1,000 employees fell victim to ransomware attacks, which is comparable to 58% of companies in the 1,001-5,000 employee range.

“Big or small, everyone is a target,” Sophos said.