December 8, 2016

Malwarebytes Research Reveals Top U.S. Cities Victimized by Ransomware

  • US ranked the highest of all countries for ransomware incidents, with 26 percent of the global total
  • Las Vegas/Henderson, Nevada is the top US region for ransomware
  • Six of the top 10 cities with the highest rates of ransomware located in the Rust Belt
  • Cybercriminal gangs compete for the top ransomware spot; Cerber and Locky most prevalent, with Locky on the rise

SANTA CLARA, Calif. – December 8, 2016 – Malwarebytes™, the leading advanced malware prevention and remediation solution, today released security research findings on the prevalence and distribution of ransomware attacks in the United States. By analyzing nearly half a million ransomware incidents, Malwarebytes security researchers have identified the 10 U.S. cities most victimized by ransomware, the most frequently identified ransomware families and the incredible prevalence of malware across the U.S.

“The results of our research shows that cybercriminal gangs have already saturated both the rural and urban U.S. populace with ransomware, yet they are constantly improving their tactics, execution and business model to evade detection by current solutions,” said Adam Kujawa, Head of Malware Intelligence at Malwarebytes.

Global Ransomware Detections

During the three-month period of the study from July through October 2016, Malwarebytes detected ransomware incidents in more than 200 countries. The U.S. reported the largest percentage of ransomware of any country, with 26 percent of all incidents. This is 200 percent more ransomware detected than the number two country, Germany, and approximately 550 percent of the number three country, France.

US Ransomware Prevalence

Las Vegas/Henderson lead all U.S. cities in the number of overall ransomware detections, most detections per individual machine and most detections per population. The metropolitan Las Vegas area experienced more than 300 times more detections than Fort Wayne, Indiana, number 10 on the list, and had 500 times the average detection levels of the 40 cities with the most ransomware.

Outside of the top 10 cities, ransomware infections are both geographically consistent and consistent per capita, which leads to some surprising results. Because 82 percent of the U.S. population live in cities, towns and unincorporated areas with less than 250,000 residents, these smaller cities and towns are experiencing a large percentage of ransomware detections (more than 85 percent in the period studied). The lone regional anomaly and exception to this even distribution takes place in the American Rust Belt, which experienced higher incidents of ransomware than other areas of the country. In fact, six of the top 10 cities are located in the Rust Belt:

Top 10 U.S. Cities for Ransomware Detections

  1. Las Vegas/Henderson, Nevada
  2. Memphis, Tennessee
  3. Stockton, California
  4. Detroit, Michigan
  5. Toledo, Ohio
  6. Cleveland, Ohio
  7. Columbus, Ohio
  8. Buffalo , New York
  9. San Antonio, Texas
  10. Fort Wayne, Indiana

Organized cybercriminal gangs are continuing to update their business processes, technical support, distribution methodology and their technical prowess. Malwarebytes security researchers tracked the ransomware families most responsible for detected incidents globally and in the U.S. during this time period and throughout the year.

Top Three Ransomware Families Detected

  1. Cerber
  2. Locky                                
  3. CryptoWall

In the last quarter, Cerber was the most commonly detected family, with Locky close behind. However, immediately following the research period, Locky took the number one spot.

Ransomware families come and go and ebb and flow in popularity and in exploit kit integration, which is a primary rout of infection for many compromised computers. In addition, internal battles between cybercriminal gangs, code stealing and making public the private encryption keys of competing families are increasing in frequency.

“The evolution of ransomware has seen multiple improvements designed to evade detection by current antivirus solutions,” said Kujawa. “With millions of dollars being handed over to cybercriminals, ransomware will only increase in prevalence. It isn’t just Americans that are being victimized. Every global citizen with a computer or mobile device is increasingly at risk.”

Is Locky the ransomware of the present and future?

Unlike other top ransomware families that have come and gone, Locky may prove the exception to the rule by sticking around in the top slot. Immediately after the research period, a surge in Locky incidents made Locky the predominant ransomware family in the U.S. and all of the top U.S. cities. Released in February 2016, Locky has risen to become one of the most prolific ransomware attacks of the year. The size of Locky’s geographic footprint so soon after it was released is truly astounding:

  • On day one of its detection, the attack had already spread to 18 different countries.
  • Day two: 61 different countries
  • Day three: Locky had been detected in 85 countries
  • Week one: it was detected in 109 total countries
  • Month one: Locky had spread to 161 countries
  • In month two: Locky had reached 174 countries. Notably, Malwarebytes detected an attempted Locky infection in Antarctica, meaning Locky had made its way to every continent
  • Currently, Malwarebytes has detected Locky in nearly 200 different countries

Locky is also slightly unusual from other ransomware families, in that the malware is relatively evenly dispersed among the top 10 victim countries. Detections are not extremely biased to the U.S. as is the case for other ransomware families.

  • For example, the U.S. experienced a little more than 20 percent of Locky detections. Contrast that with:
    • CryptXXX, with more than 40 percent of detections in the U.S.
    • Chimera, with the U.S. hosting more than two-thirds of all detections
  • France and Germany also have a significant percentage of Locky detections, each accounting for just under 10 percent of detections.

“Whether Locky maintains its status as the top ransomware family, or another family takes its place, it doesn’t matter to a victim,” said Kujawa. “If traditional security measures continue to allow the scourge of ransomware, millions of dollars will continue to funnel to the criminals that hold these users and their computers hostage. Ultimately, this is why Malwarebytes has focused on including unprecedented Anti-Ransomware tools in our software.”

Malwarebytes today also announced the release of Malwarebytes 3.0, a next generation antivirus replacement. The solution replaces antivirus with superior technology designed to block malware, ransomware, exploits, and other advanced threats that antivirus isn’t smart enough to stop. Malwarebytes 3.0 is the first of its kind, employing four independent technology modules—anti-malware, anti-ransomware, anti-exploit, and malicious website protection—to block and remove both known and unknown threats. The anti-ransomware and anti-exploit modules employ signature-less technology so users are protected from advanced threats that are not yet known to traditional antivirus research labs.


About Malwarebytes

Malwarebytes is the next-gen cybersecurity company that millions worldwide trust. Malwarebytes proactively protects people and businesses against dangerous threats such as malware, ransomware, and exploits that escape detection by traditional antivirus solutions. The company’s flagship product combines advanced heuristic threat detection with signature-less technologies to detect and stop a cyberattack before damage occurs. More than 10,000 businesses worldwide use, trust, and recommend Malwarebytes. Founded in 2008, the company is headquartered in California, with offices in Europe and Asia, and a global team of threat researchers and security experts. For more information, please visit us at


Malwarebytes founder and CEO Marcin Kleczynski started the company to create the best disinfection and protection solutions to combat the world’s most harmful Internet threats. Marcin was recently named “CEO of the Year” in the Global Excellence awards and has been named to the Forbes 30 Under 30 Rising Stars of Enterprise Technology list and the Silicon Valley Business Journal’s 40 Under 40 award, adding those to an Ernst & Young Entrepreneur of the Year Award.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.