State of Ransomware in the U.S.: 2019 Report for Q1 to Q3


In the first nine months of 2019, at least 621 government entities, healthcare service providers and school districts, colleges and universities were affected by ransomware. The attacks have caused massive disruption: municipal and emergency services have been interrupted, medical practices have permanently closed, ER patients have been diverted, property transactions halted, the collection of property taxes and water bills delayed, medical procedures canceled, schools closed and data lost.

State, city and county entities

At least 68 state, county and municipal entities have been impacted since the beginning of the year. Incidents include:


There were a total of at least 62 incidents involving school districts and other educational establishments, which potentially impacted operations at up to 1,051 individual schools, colleges and universities.


The healthcare sector continued to be a popular ransomware target. Cybercriminals understand that healthcare providers are often more inclined to pay the ransom as failure to do so may result in data loss that could potentially put lives at risk. From Q1 to Q3 there were a total of 491 ransomware attacks on healthcare providers, including:


Financial Impact

Due to a lack of publicly available data, it is not possible to estimate the cost of these incidents. In Baltimore, costs were estimated at $18.2 million; in Albany, NY, which was able to restore its data from backups, at $300,000; while a relatively small healthcare services provider estimated its downtime costs at between $30,000 and $50,000 per day. If the costs in every case were to be similar to Albany’s, the total combined cost of all 621 incidents would be $186,300,000. But that could be a massive underestimate. Winnebago County’s Chief Information Officer, Gus Gentner, recently stated, “Statistics let us know that the average ransomware incident costs $8.1 million and 287 days to recover.” We cannot comment on the accuracy of that statement but, if correct, it would put the total cost at more than $5 billion.

It is important to note that not all of the costs will be directly attributable to the ransomware attack. In many cases, a portion will represent catch-up spending to compensate for underinvestment in IT during previous years.


“There is no reason to believe that attacks will become less frequent in the near future,” said Fabian Wosar, CTO at Emsisoft. “Organizations have a very simple choice to make: prepare now or pay later.”

Recovery options for impacted entities

In some cases, it may be possible to reduce recovery costs. For example, we have developed workarounds for two types of ransomware commonly used in attacks on public entities. These workarounds may, in some cases, either completely eliminate the need for a ransom to be paid or enable recovery for significantly less than the amount of the ransom demand.

Whether all affected entities were aware of these workarounds is not known.

Better private-public sector cooperation needed

Improving coordination and communication channels between the private sector and law enforcement agencies would help ensure that impacted entities are aware of the availability of potential solutions and workarounds which may help minimize recovery costs.

On a positive note, there have been steps in this direction – the DHS Cyber Hunt and Incident Response Teams Act, for example, which was recently passed by the U.S. Senate.

Emsisoft Enterprise Security + EDR

Robust and proven endpoint security solution for organizations of all sizes. Start free trial


This report lists only publicly disclosed cases. As incidents are not centrally reported/recorded and data has been collected from press reports, the numbers contained in this report may be less than the actual total. This report does not include ransomware statistics relating to attacks on private companies as these incidents are too infrequently disclosed. 

Emsisoft Malware Lab

Emsisoft Malware Lab

The Lab team is a group of cybersecurity researchers whose mission is to enhance protection in Emsisoft products, help organizations respond to security incidents and create analysis that helps decision-makers understand the threat landscape.

What to read next