Roughly 2,000 ransomware attacks were launched over the past decade against critical infrastructure organizations in the United States and other countries, according to data collected as part of a project maintained at Temple University in Philadelphia.
SecurityWeek first wrote about the project in 2020, when it covered more than 680 ransomware attacks targeting critical infrastructure. By February 2022, the number of entries exceeded 1,100, and it has now reached just over 2,000.
The project is maintained by Aunshul Rege, professor in the Department of Criminal Justice at Temple University, and Rachel Bleiman, PhD candidate and graduate research assistant.
The Critical Infrastructure Ransomware Attacks (CIRA) database currently covers more than 2,000 attacks documented since 2013, and includes nearly 300 entries for incidents that came to light in 2024.
It contains information such as name of the victim, date of the incident, country or US state, targeted critical infrastructure sector, name of the attacking threat group, duration of the incident, MITRE ATT&CK mapping, and — if known — the amount of money that was demanded by the attacker and the ransom paid by the victim.
The data shows that the three most targeted critical infrastructure sectors/subsectors from two years ago remain popular today: government facilities, healthcare and public health, and education facilities. The least targeted continue to be nuclear reactors, materials and waste; defense industrial base; chemical; and water and wastewater.
While it’s often difficult to find information on ransom payments made by victims, the CIRA data shows an increase in larger ransom demands compared to two years ago.
“More than USD 5 million went up from a frequency count of 49 to 70. The ransom amount of USD 1 million went up from 45 to 71. The ransom amount of USD 5 million or less went up from 30 to 45,” Rege and Bleiman explained.
The database is available for free upon request. To date it has been requested more than 1,500 times, mainly by researchers and other members of the cybersecurity industry (61%), as well as students, government entities, educators, and reporters.
The CIRA data has been cited in several reports and research papers over the years. According to Rege and Bleiman, it has been shared at training sessions or listed as a useful resource by several entities.
Members of the cybersecurity industry have used it for a wide range of purposes, including research and training of internal teams, education and awareness, incident response planning, threat assessment and modeling, trend analysis, and risk analysis.
In the government sector, it has been useful for developing training classes and exercise scenarios for staff and operators, identifying trends and patterns, assessing incident response efforts, detection and defense strategies, obtaining funding and resources for staff, and developing risk assessment policies.
As for the future of the project, Rege and Bleiman told SecurityWeek that they are considering making several changes and improvements. These include expanding MITRE ATT&CK data (adding threat group ID), capturing the individual phases/types of extortion, and enhancing and expanding the coverage of incidents outside of the Western world (currently only 11% of the entries are from other parts of the globe).
The maintainers of the project are also considering running an annual OSINT challenge around the dataset in an effort to obtain information that may be more difficult to collect.
“This contributes to creating a more complete dataset with relevant source information. Additionally, it may help identify new variables, such as points of entry, recovery costs and leaked data bidding costs,” Rege explained. “This event would make the CIRA dataset truly community-driven and a fun event/challenge.”
“It would be lovely if we could secure a good set of judges/advisory board members to check for the quality of submissions. So if anyone is interested in this event, please reach out to help plan the event!” Rege noted.