
Ransomware Report April 2024

An In-Depth Analysis of the Latest Ransomware Trends and Threat Landscape

Dive into the constantly shifting world of ransomware, as we uncover the latest tactics, dissect the most prolific actors, and offer insights to keep your organization one step ahead.

Welcome to the April 2024 ransomware update, highlighting the latest trends, threat actors, and significant developments shaping the ransomware landscape. The Black Kite Research & Intelligence Team (BRITE) tracked 346 ransomware incidents this month, reflecting the continued threat posed by well-organized cybercriminal groups.

Unlike previous months, ransomware activity was more evenly distributed, with no single group dominating the scene. Hunters led with the highest number of victims, while LockBit 3.0, Play, RansomHub, Black Basta, Medusa, and 8Base followed closely behind.

Geographically, the United States remained the primary target with 181 attacks, followed by the United Kingdom, Germany, Canada, Brazil, and Italy. The increasing number of emerging ransomware groups signals a shifting landscape, demanding continued vigilance from organizations worldwide.

  • At least one record found in stealer logs: 72
  • Open RDP or SMB ports publicly visible: 145
  • Use of out-of-date services/products with possible vulnerabilities of high exploitability: 180
  • At least one possible phishing domain: 164
  • At least one credential leaked in the last 90 days: 215
  • MX and DNS misconfiguration that may allow spoofing and phishing attacks: 264

01 Threat Actor Distribution

  • The "Other" category accounted for 45 victims, representing 12.8% of total activity.
  • Hunters followed with 29 disclosures.
  • Play and LockBit 3.0 remained consistently active.

02 Geographic Distribution

  • USA represented 51.4% of all tracked victims.
  • The "Others" category was among the next most impacted.
  • UK and Germany also saw notable activity.

03 Industry Distribution

  • Manufacturing remained the most targeted sector.
  • Professional Services followed as a heavily impacted sector.
  • Health Care and Retail Trade continued to be operationally critical targets.

04 Threat Actor × Country Matrix

The matrix below shows how leading ransomware groups distributed their activity geographically.

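Columns (threat actors): Others, Red Ransomware, BianLian, INC Ransom, Hunters, Akira, 8Base, RansomHub, Medusa, Black Basta, LockBit 3.0, darkvault, Play

Rows (country, followed by its non-empty cell values in reading order; empty cells are not shown, so values do not align one-to-one with the columns above):

  • USA: 41, 4, 12, 11, 18, 6, 10, 7, 21, 13, 15
  • UK: 4, 1, 1, 1, 4, 7, 1, 3
  • Canada: 4, 1, 2, 2, 1, 1, 1, 3
  • Germany: 8, 1, 1, 3, 1, 2
  • Italy: 5, 1, 1, 2, 4
  • Australia: 4, 2, 1, 1, 1
  • Brazil: 9, 1, 1, 3, 2
  • India: 2, 1, 3
  • France: 5, 1, 2, 1
  • Spain: 3, 3, 1
  • Others: 31, 1, 3, 2, 8, 4, 1, 2, 4, 4, 2
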
  • USA activity was heavily concentrated in the "Others" actor category.
  • Some actors demonstrated narrow targeting patterns.

05 Threat Actor × Industry Matrix

This view highlights sector specialization across leading ransomware groups.

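Columns (threat actors): Others, Play, Hunters, BianLian, Akira, RansomHub, Black Basta, LockBit 3.0, 8Base, INC Ransom, Medusa, darkvault

Rows (industry, followed by its non-empty cell values in reading order; empty cells are not shown, so values do not align one-to-one with the columns above):

  • Agriculture & Fishing: 1, 1
  • Mining: 1, 1, 1, 2, 3, 1
  • Utilities: 1, 1
  • Construction: 8, 3, 1, 1, 1, 1, 3, 1, 1, 1
  • Manufacturing: 32, 6, 10, 2, 2, 6, 5, 12, 1, 4
  • Wholesale Trade: 1, 4
  • Retail Trade: 7, 2, 3, 2, 2, 1, 1, 1, 2
  • Transportation: 6, 1, 1, 2, 1, 1
  • Information: 4, 1, 1, 3, 1, 1, 3
  • Finance and Insurance: 7, 1, 2, 2, 1, 1, 1
  • Real Estate: 4, 1, 1, 1, 1, 1
  • Professional Services: 15, 7, 2, 4, 5, 4, 4, 8, 7, 3, 1, 8
  • Company Management: 3, 2
  • Administrative: 2, 1, 2, 2, 1, 2, 1
  • Educational Services: 3, 2, 2, 1
  • Health Care: 8, 1, 2, 3, 1, 4, 5
  • Arts & Entertainment: 1, 1, 2
  • Accommodation: 4, 2, 1, 3
  • Other: 8, 1, 2, 1, 1, 2, 3
  • Public Administration: 3, 1, 1, 3, 1, 3
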
  • Manufacturing activity was heavily concentrated in the "Others" actor category.
  • Professional Services showed broader spread across sectors.
  • Some actors demonstrated narrow targeting patterns.

06 Six Month Trend Context

07 Key Takeaways

  • 352 ransomware disclosures were observed in April 2024.
  • The "Other" category led activity with 45 victims.
  • USA accounted for 51.4% of disclosures.
  • Manufacturing remained the most targeted industry.

08 Data Methodology and Sources

  • Victim counts are based on publicly disclosed ransomware leak site postings tracked during the reporting period.
  • Each victim is attributed to a single threat actor based on disclosure source.
  • Industry classification is assigned using standardized sector mapping.
  • Country attribution is based on headquarters location where identifiable.
