Skip to content
Since 2020 BlackFog has measured publicly disclosed attacks globally. The 2022 ransomware attack report reflects on the key findings from 2022. We have also published a blog discussing the key lessons learned from ransomware in 2022 which expands on the general trends we see going forward.
In 2022 we recorded a total of 376 attacks, a 29% increase over 2021 and 34% increase from 2020. Key take aways from these overall numbers is that 89% of all attacks now involve data exfiltration, 9% more than in 2021. From a tactical point of view we also saw an increase in the use of PowerShell, now at 87% of all attacks, a 7% increase from 2021. While the Dark Web was used in 23% of all attacks, a dramatic increase from 5% in 2021.
Geography
From a geographic perspective, the United States dominated as in previous years, representing 46% of all attacks with an overall increase of 18% over 2021. This was followed by the UK and Canada at 7% and 6% respectively. As in 2021, 2 out of every 3 attacks were perpetrated on the top 3 countries.
In terms of data exfiltration we saw significant growth in attacks from China and Russia, representing 27% and 17% respectively. This is an 11% increase in China and 5% in Russia, these 2 countries now represent 44% of all exfiltration globally. A very sobering number indeed.
Organizational
When we look at the organizational distribution in 2022 we saw some interesting trends. For the first time we saw education as the top attack target with 17% of all attacks followed closely by government and healthcare at 16% and 15% respectively. We saw the average size of organizations vary throughout the year and average 19,740 employees, on par with 2021.
A clear standout in 2022 was the significant increase in attacks on both the education and healthcare sectors, both increasing by 49% over 2021. This reflects the overall focus on sectors with the lowest investment in infrastructure and skills generally, as we have previously reported. This was following closely by government and technology with increases of 17% and 14% respectively from 2021.
Variants
The landscape on ransomware variants changed significantly during 2022 with LockBit clearly dominating successful attacks, with 16% of all attacks, followed by BlackCat at 13%, Hive at 12.1% and Conti 9.0%. Most notable is the sheer increase in attacks over 2021. LockBit was hardly even mentioned in 2021 yet saw a 600% increase in 2022. Similarly, BlackCat and Hive were virtually unheard of but they rounded out 2022 as the second and third most successful variants.
As mentioned earlier, BlackFog has also summarized the key lessons learned from 2022 and the general macro trends we are seeing that are influencing the broader market.
Share This Story, Choose Your Platform!
Related Posts
LotAI: How Attackers Weaponize AI Assistants for Data Exfiltration
What happens when attackers use your approved AI tools as a data exfiltration channel? New research reveals how the LotAI technique turns Copilot and Grok into covert C2 relays.
The State of Ransomware: February 2026
BlackFog's state of ransomware February 2026 measures publicly disclosed and non-disclosed attacks globally.
Steaelite RAT Enables Double Extortion Attacks from a Single Panel
Steaelite is a newly emerging RAT that unifies credential theft, data exfiltration, and ransomware in a single web panel, accelerating double extortion attacks.
ClawdBot and OpenClaw: When Local AI Becomes A Data Exfiltration Goldmine
ClawdBot stores API keys, chat histories, and user memories in plaintext files, and infostealers like RedLine, Lumma, and Vidar are already targeting it.
West Harlem Group Assistance Stops Ransomware and Cryptojacking with BlackFog ADX
West Harlem Group Assistance secures its community mission by preventing ransomware and cryptojacking with BlackFog ADX.
Why Traditional Security Fails To Deal With Advanced Persistent Threats
Learn why advanced persistent threats remain a growing cybersecurity risk in 2026 and where organizations must focus to address them.