The US suffers most ransomware attacks – construction businesses most frequently targeted

US companies and global manufacturing businesses are the target of most ransomware attacks, new data from NordLocker shows.

The US suffers most from ransomware attacks, with 2,379 attacks out of 5,212 globally recorded cases between January 2020 and July 2022 leading to $4.15trn being paid out to ransomware groups. The figures come from a new ransomware analysis carried out by NordLocker.

Ransomware, a type of malware that takes over a device and demands a ransom from the victim, is capable of damaging a company of any size and can permanently stain its reputation. The attacks listed in the analysis affected more than 12 million employees worldwide. The most affected countries were:

  1. USA (2,379)
  2. Canada (276)
  3. UK (260)
  4. France (226)
  5. Germany (212)
  6. Italy (178)
  7. Brazil (94)
  8. Spain (81)
  9. Australia (75)
  10. India (61)

In the US, construction businesses suffered most with 259 hits, with manufacturing second worst affected (206) and transportation third (176). Hacked institutions included a Fortune 100 company, a multinational retail corporation and one of the top universities in the US.

Most attacks were targeted against companies in California, Texas, Florida, and New York. However, when attack rates are measured against the total number of businesses in a state, Michigan suffered the most attacks.

Globally, most attacks were carried out on manufacturing businesses, which experienced 436 ransomware attacks during the time frame. Construction came second with 410 hits, and transport/logistics third with 356.

Canada received the second most ransomware attacks, with 276 in total. Transportation companies were targeted most with 32 attacks, then construction (27) and tech (24).

One of the hacked institutions is one of the world’s largest investment management companies, with over US $700bn of assets under management; another is North America’s fastest-growing fuel-retailing company.

The UK experienced the third highest number of attacks, 260. The most targeted businesses were in education (24), business services (23) and construction (22). UK victims included a leading university and a Fortune 500 accounting firm that advises over 100,000 private businesses.

Illustration: Martina Lindberg

Responsible ransomware gangs

Ransomware gangs are more likely than many other criminals to display their achievements. The three groups responsible for most cases worldwide are LockBit (855), Conti (796) and Pysa (311).

In the US, the Conti ransomware group is the most active, being responsible for 18% of all attacks. In Canada, Conti carried out 17% of all attacks and LockBit 14%. In the UK, Conti was behind 23% of the attacks.

The report did not measure the financial magnitude or impact of each ransomware group individually.

Small business targeted

But who gets targeted, and does the company size matter? Are smaller businesses targeted more because of their limited resources, or are ransomware groups seeking out the most successful ones with the biggest value?

The results from NordLocker’s analysis show, regardless of geographic location, that it’s small businesses that are at the highest risk of ransomware attacks, with nearly two-thirds of attacks targeting them.

Most attacks were against companies with a value of between $10m and $25m. The fewest attacks were directed against companies worth between $5bn and $10bn. But companies worth over $10bn experienced twice as many ransomware cases. English-speaking and other Western countries are targeted most overall.

“Ransomware gangs usually decide who their next target is based on two criteria. The first one is how likely the targeted company is to pay up, which is weighed by looking at variables such as the company’s importance in supply chains, the quantity of confidential information that it handles, and other factors that, in the case of an attack, put pressure on the company to get operations back up and running,” Tomas Smalakys, chief technology officer at NordLocker, told

“The second criterion is more straightforward and primarily deals with the depth of the company’s pockets and how lacking in cyber defenses their business is. When you look at the data through this lens, you see why certain industries are more affected than others.”

The analysis shows that companies with fewer than 200 employees suffered the most ransomware attacks. The fewest attacks were targeted against one-person businesses.

NordLocker’s analysis, which was published 28 September 2022, looked at all ransomware attacks globally between January 2020 and July 2022.