Ransomware in the US 2025
Ransomware attacks continue to pose an unprecedented threat to American businesses, critical infrastructure, and individual citizens in 2025. This malicious cyber threat has evolved into one of the most pressing cybersecurity challenges facing the United States, with federal agencies reporting sustained increases in both attack frequency and financial damages. The FBI’s Internet Crime Complaint Center (IC3) has documented how these sophisticated attacks are targeting everything from small businesses to major healthcare systems, educational institutions, and government entities across all 16 critical infrastructure sectors.
The landscape of ransomware in the US has become increasingly complex, with cybercriminals employing double extortion tactics, advanced social engineering techniques, and artificial intelligence to maximize their impact. Federal law enforcement agencies, including the FBI, CISA, and the Department of Health and Human Services, have intensified their collaborative efforts to combat these threats while providing enhanced support to victims and potential targets. As we examine the latest data through July 2025, the statistics reveal both the scale of the challenge and the ongoing evolution of ransomware tactics targeting American organizations and individuals.
Key Ransomware Stats & Facts in the US 2025
Ransomware Statistic | 2024 Data | Trend |
---|---|---|
Total Ransomware Complaints | 3,156 | 9% increase from 2023 |
Direct Financial Losses | $12.5 million | Significantly underreported |
Critical Infrastructure Incidents | 4,878 complaints | Steady increase |
Top Ransomware Variant | Akira | Most reported in 2024 |
Recovery Success Rate | 66% | Financial Fraud Kill Chain |
New Variants Identified | 67 new variants | Constant evolution |
The ransomware statistics for 2025 reveal a concerning pattern of sustained growth and sophistication in cybercriminal operations targeting American organizations. The 9% increase in ransomware complaints from 2023 to 2024 demonstrates that despite enhanced law enforcement efforts and improved cybersecurity awareness, threat actors continue to successfully penetrate organizational defenses. The $12.5 million in reported direct losses represents only a fraction of the actual economic impact, as the FBI acknowledges this figure excludes estimates of lost business time, wages, files, equipment, and third-party remediation services.
The emergence of 67 new ransomware variants in 2024 highlights the rapid innovation occurring within cybercriminal ecosystems. The most prominent new variants identified include FOG, Lynx, Cicada 3301, Dragonforce, and Frag, each incorporating unique technical capabilities and targeting methodologies. Critical infrastructure organizations submitted 4,878 complaints related to cyber threats, with ransomware and data breaches representing the most frequently reported attack types. This targeting of essential services demonstrates how ransomware operators are strategically focusing on sectors where disruption can cause maximum societal impact and pressure victims into paying ransoms.
Ransomware Complaints by States in the US 2025
State | Complaints | Population-Adjusted Rate |
---|---|---|
California | Highest volume | 244.1 per 100K citizens |
Texas | Second highest | 199.3 per 100K citizens |
Florida | Third highest | 223.3 per 100K citizens |
Alaska | Lowest volume | 914.7 per 100K citizens |
District of Columbia | Government center | 549.1 per 100K citizens |
The geographic distribution of ransomware complaints in the US during 2025 reveals interesting patterns that extend beyond simple population density. While California, Texas, and Florida lead in absolute numbers of complaints, the per-capita analysis shows Alaska and the District of Columbia experiencing disproportionately high rates of cyber incidents. This suggests that factors such as economic activity concentration, government presence, and critical infrastructure density significantly influence ransomware targeting patterns.
California’s position as the leading target reflects its role as a technology and innovation hub, housing numerous high-value targets including tech companies, healthcare systems, and educational institutions. The state’s $2.54 billion in total cybercrime losses underscores the sophisticated nature of attacks targeting Silicon Valley and other major metropolitan areas. Texas and Florida’s high complaint volumes correlate with their large populations and diverse economic bases, including energy infrastructure, aerospace, and tourism sectors that represent attractive targets for ransomware operators seeking maximum disruption and ransom payments.
Top Ransomware Variants Targeting the US in 2025
Ransomware Variant | Ranking | Key Characteristics |
---|---|---|
Akira | #1 Most Reported | Double extortion model |
LockBit | #2 Most Active | Ransomware-as-a-Service |
RansomHub | #3 Emerging Threat | Advanced encryption |
FOG | #4 New Variant | Critical infrastructure focus |
PLAY | #5 Persistent Actor | Evolving techniques |
The top ransomware variants operating in the US during 2025 represent a sophisticated ecosystem of cybercriminal organizations employing diverse tactics and technologies. Akira ransomware emerged as the most frequently reported variant to the FBI IC3, utilizing a double extortion model that combines data encryption with threats to publicly release stolen information. This approach significantly increases pressure on victims, as organizations face both operational disruption and potential regulatory penalties for data breaches.
LockBit maintains its position as a major threat despite significant law enforcement disruptions in 2024, demonstrating the resilient nature of Ransomware-as-a-Service (RaaS) operations. The group’s ability to rapidly rebuild infrastructure and recruit new affiliates highlights the challenge facing law enforcement agencies. RansomHub, FOG, and PLAY represent the continuous evolution of ransomware tactics, with each variant incorporating lessons learned from predecessor groups and adapting to defensive countermeasures implemented by potential victims.
Critical Infrastructure Ransomware Attacks in the US 2025
Infrastructure Sector | Ransomware Incidents | Data Breach Incidents |
---|---|---|
Healthcare | 258 incidents | 206 incidents |
Education | 238 incidents | 180 incidents |
Government | 220 incidents | 176 incidents |
Financial Services | 190 incidents | 196 incidents |
Manufacturing | 138 incidents | 68 incidents |
Critical infrastructure sectors in the US faced sustained ransomware attacks throughout 2025, with healthcare organizations experiencing the highest number of incidents at 258 reported cases. The targeting of healthcare systems represents a particularly concerning trend, as these attacks can directly impact patient care and safety. Hospitals, medical practices, and healthcare networks have become preferred targets due to their reliance on continuous system availability and the sensitive nature of medical data they maintain.
Educational institutions ranked second with 238 ransomware incidents, reflecting cybercriminals’ recognition that schools and universities often maintain extensive personal information databases while operating with limited cybersecurity resources. The K-12 education sector experienced particular vulnerability, with 57% of ransomware incidents reported to the Multi-State Information Sharing and Analysis Center (MS-ISAC) occurring in August and September 2024. Government entities at federal, state, and local levels reported 220 incidents, demonstrating that public sector organizations remain attractive targets despite enhanced security protocols and federal oversight.
Interlock Ransomware – Latest Threat in the US 2025
Interlock Ransomware Detail | Information | Impact Level |
---|---|---|
First Observed | September 2024 | Emerging threat |
Latest Activity | June 2025 | Active operations |
Target Regions | North America & Europe | International scope |
Attack Model | Double Extortion | High pressure tactics |
Advisory Date | July 22, 2025 | Current intelligence |
The Interlock ransomware variant represents the most recent significant threat identified by federal agencies in July 2025. The FBI, CISA, the Department of Health and Human Services, and the Multi-State Information Sharing and Analysis Center issued a joint advisory highlighting this group’s aggressive targeting of critical infrastructure organizations across North America and Europe. First observed in late September 2024, Interlock has rapidly evolved its capabilities and expanded its victim base, with FBI investigations documenting active operations as recently as June 2025.
The double extortion model employed by Interlock combines traditional file encryption with data theft and extortion threats, creating multiple pressure points to coerce ransom payments. This approach has proven particularly effective against organizations that maintain robust backup systems, as the threat of sensitive data exposure adds a compliance and reputational dimension to the attack. Healthcare sector organizations are specifically advised to report incidents not only to the FBI and CISA but also to HHS at HHScyber@hhs.gov for specialized cyber incident support focused on mitigating adverse patient impacts.
Financial Impact of Ransomware in the US 2025
Financial Category | Amount | Context |
---|---|---|
Direct Ransomware Losses | $12.5 million | Reported to FBI IC3 |
Total Cybercrime Losses | $16.6 billion | 33% increase from 2023 |
Recovery Success Rate | 66% | Financial Fraud Kill Chain |
Cryptocurrency Losses | $9.3 billion | Primary payment method |
Average Loss per Complaint | $19,372 | Across all cyber crimes |
The financial impact of ransomware in the US during 2025 extends far beyond the $12.5 million in direct losses reported to the FBI IC3. This figure represents only what organizations explicitly report as ransomware-related financial damage and excludes the broader economic costs including business disruption, system restoration, enhanced security measures, legal fees, and regulatory compliance expenses. The FBI acknowledges that actual ransomware losses are significantly underreported, as many organizations either do not report incidents or fail to quantify the full scope of financial impact.
Cryptocurrency has become the dominant payment mechanism for ransomware operations, with $9.3 billion in cryptocurrency-related losses reported in 2024, representing a 66% increase from the previous year. The IC3 Recovery Asset Team achieved a 66% success rate in freezing fraudulent funds through the Financial Fraud Kill Chain process, helping victims recover $561.6 million across 3,020 complaints. In addition, the $285.6 million in estimated savings achieved through Operation Level Up demonstrates the effectiveness of proactive victim notification and intervention programs in preventing additional losses.
Law Enforcement Response to Ransomware in the US 2025
Enforcement Action | Results | Impact |
---|---|---|
Operation Level Up | 4,323 victims notified | $285.6 million saved |
LockBit Disruption | Major infrastructure dismantled | Significant operational impact |
International Cooperation | 215 arrests in India | 700% increase from 2023 |
Decryption Keys Provided | Thousands since 2022 | $800 million payments avoided |
Warzone RAT Seizure | www.warzone.ws seized | Malware service disrupted |
Federal law enforcement agencies have intensified their coordinated response to ransomware threats throughout 2025, achieving significant operational successes against major cybercriminal organizations. Operation Level Up, launched in January 2024, represents a proactive approach to victim protection, successfully identifying and notifying 4,323 victims of cryptocurrency investment fraud schemes. Remarkably, 76% of these victims were unaware they were being scammed, highlighting the sophisticated social engineering tactics employed by modern cybercriminals.
The disruption of LockBit operations marked a significant victory against one of the world’s most prolific ransomware-as-a-service operations, though the group’s ability to reconstitute demonstrates the persistent challenge posed by decentralized criminal networks. International cooperation has proven essential, with FBI collaboration with Indian law enforcement resulting in 215 arrests through 11 joint operations in 2024, representing a 700% increase from 2023. The seizure of malware-as-a-service platforms like Warzone RAT disrupts the broader ecosystem supporting ransomware operations, though new services continuously emerge to fill these gaps.
Ransomware Statistics by US States in 2025
State | Total Cyber Complaints | Estimated Ransomware Cases | Loss Rate per 100K |
---|---|---|---|
California | 96,265 | 3,751 | $6,439,159 |
Texas | 62,347 | 2,430 | $4,319,470 |
Florida | 52,191 | 2,034 | $4,586,256 |
New York | 36,468 | 1,421 | $4,550,077 |
Pennsylvania | 27,838 | 1,085 | $3,059,025 |
Illinois | 25,446 | 992 | $3,769,066 |
Ohio | 24,915 | 971 | $2,339,737 |
Indiana | 23,659 | 922 | $1,806,591 |
North Carolina | 22,021 | 858 | $2,935,789 |
Arizona | 20,101 | 783 | $5,175,704 |
Ransomware statistics by US states reveal significant geographic disparities in both attack frequency and economic impact during 2025. California leads with an estimated 3,751 ransomware cases, representing approximately 3.9% of the state’s total cybercrime complaints, resulting in the highest financial losses per capita at $6.4 million per 100,000 citizens. This concentration reflects the state’s position as a technology hub with numerous high-value targets including Silicon Valley companies, major healthcare systems, and critical infrastructure facilities that attract sophisticated ransomware operators seeking maximum ransom payments.
Texas and Florida maintain their positions as major ransomware targets, with 2,430 and 2,034 estimated cases respectively, demonstrating how large population centers and diverse economic bases create extensive attack surfaces for cybercriminals. The per capita loss rates reveal interesting patterns, with Arizona showing disproportionately high losses at $5.2 million per 100,000 citizens despite fewer absolute cases, suggesting that attackers are successfully targeting high-value entities in the state’s aerospace, defense, and technology sectors. New York’s financial impact of $4.6 million per 100,000 citizens reflects the concentration of financial services, healthcare networks, and government entities that represent premium targets for double extortion ransomware campaigns.
Ransomware Stats Year by Year in the US 2025
Year | Ransomware Complaints | Direct Losses | Year-over-Year Change |
---|---|---|---|
2022 | 2,385 | $34.3 million | Baseline year |
2023 | 2,825 | $59.6 million | +18.5% complaints, +74% losses |
2024 | 3,156 | $12.5 million | +9% complaints, -79% reported losses |
2025 (Jan-Jul) | 2,100 estimated | $8.2 million estimated | Projected 3,600 annual total |
Historical ransomware trends in the US demonstrate both the persistent growth in attack frequency and the complex nature of loss reporting to federal agencies. The 18.5% increase in complaints from 2022 to 2023, coupled with a 74% surge in reported losses, illustrated the escalating sophistication and financial impact of ransomware operations. However, the 2024 data showing a 79% decrease in reported losses despite a 9% increase in complaints reflects changes in reporting methodologies rather than actual damage reduction, as the FBI acknowledges these figures exclude business disruption, remediation costs, and ransom payments.
The 2025 projections based on January through July data suggest the trend toward increased complaint volume will continue, with an estimated 3,600 annual complaints expected by year-end. This represents a potential 14% increase over 2024 figures, indicating that despite enhanced cybersecurity awareness and law enforcement efforts, ransomware operators continue to successfully penetrate organizational defenses. The emergence of 67 new ransomware variants in 2024 and the continued evolution of double extortion and triple extortion tactics suggest that 2025 will see further sophistication in attack methodologies, with cybercriminals increasingly leveraging artificial intelligence and advanced social engineering to maximize their success rates against US targets.
Ransomware Prevention and Recovery in the US 2025
Prevention Measure | Effectiveness | Implementation Level |
---|---|---|
Multi-Factor Authentication | High effectiveness | Critical infrastructure priority |
Regular Backup Systems | Essential for recovery | Standard recommendation |
Employee Training | Reduces social engineering | Ongoing requirement |
Network Segmentation | Limits attack spread | Advanced implementation |
Incident Response Planning | Accelerates recovery | Mandatory for critical sectors |
Ransomware prevention strategies in the US have evolved significantly in response to the changing threat landscape, with federal agencies providing comprehensive guidance to organizations across all sectors. Multi-factor authentication has emerged as a critical first line of defense, with CISA identifying it as essential for protecting against credential-based attacks that serve as common initial vectors for ransomware deployment. Network segmentation and zero-trust architecture principles are increasingly recognized as fundamental requirements for limiting the lateral movement capabilities of ransomware operators once they gain initial network access.
Employee training and awareness programs have become essential components of organizational cybersecurity strategies, as social engineering remains a primary attack vector for ransomware groups. The sophistication of modern phishing campaigns, enhanced by artificial intelligence and deepfake technologies, requires continuous education updates to help staff identify and report suspicious communications. Incident response planning has evolved from optional best practice to mandatory requirement for many critical infrastructure sectors, with regular testing and updates necessary to ensure effective response capabilities when attacks occur. The IC3’s guidance emphasizes the importance of immediate reporting to enable law enforcement support and potential asset recovery through programs like the Financial Fraud Kill Chain.