Black Kite is a finalist in the 2026 SC Awards for continued innovation and leadership in third-party cyber risk intelligence.Learn more

Ransomware Report August 2023

An In-Depth Analysis of the Latest Ransomware Trends and Threat Landscape

Dive into the constantly shifting world of ransomware, as we uncover the latest tactics, dissect the most prolific actors, and offer insights to keep your organization one step ahead.

At least one IP address that was part of a botnet, malware propagation, or spam propagation
13
Use of out-of-date services/products with possible vulnerabilities of high exploitability
177
At least one possible phishing domain
78
Open RDP or SMB ports publicly visible
176
At least one credential leaked in the last 90 days
243
MX and DNS misconfiguration that may allow spoofing and phishing attacks
308

01Threat Actor Distribution

  • LockBit 3.0 accounted for 111 victims, representing 29.5% of total activity.
  • AlphaVM (BlackCat) followed with 37 disclosures.
  • 8Base and Akira remained consistently active.

02Geographic Distribution

  • USA represented 42.6% of all tracked victims.
  • Other was among the next most impacted countries.
  • Germany and UK also saw notable activity.

03Industry Distribution

  • Manufacturing remained the most targeted sector.
  • Professional Services followed as a heavily impacted sector.
  • Education and Information continued to be operationally critical targets.

04Threat Actor × Country Matrix

The matrix below shows how leading ransomware groups distributed their activity geographically.

Others
Metaencryptor
Medusa
Noescape
Black Basta
Play
Cloak
Akira
8Base
AlphaVM (BlackCat)
LockBit 3.0
USA
26
2
3
5
12
10
2
22
16
21
43
Germany
1
5
1
6
1
4
1
6
UK
1
1
1
5
3
6
France
1
2
1
2
9
Canada
2
1
3
1
2
1
3
Italy
1
1
2
1
1
3
1
3
Iran
11
Australia
1
1
2
3
1
1
Spain
2
1
2
2
Brazil
1
1
4
Austria
2
1
2
India
1
1
2
1
Japan
2
1
1
1
Netherlands
1
1
3
Thailand
1
4
Turkey
2
3
United Arab Emirates
1
1
2
Other countries
9
1
2
5
3
10
3
7
5
19
  • USA activity was heavily concentrated in LockBit 3.0.
  • Some actors demonstrated narrow targeting patterns.

05Threat Actor × Industry Matrix

This view highlights sector specialization across leading ransomware groups.

Metaencryptor
Cloak
Noescape
AlphaVM (BlackCat)
Others
LockBit 3.0
8Base
Akira
Play
Black Basta
Medusa
Agriculture and Fishing
1
1
Mining
1
1
Management of Companies
1
1
Utilities
1
2
1
1
Arts and Entertainment
2
2
1
Accommodation
1
2
3
1
Real Estate
1
1
2
2
1
1
Healthcare
1
1
3
3
3
Wholesale
1
3
5
1
1
1
1
Remediation Services
1
2
3
3
3
1
Transportation
1
2
6
1
1
2
1
Finance and Insurance
1
1
2
3
2
1
1
2
2
Retail Trade
2
1
1
1
2
5
1
1
2
Public Administration
1
5
7
1
1
3
Construction
1
2
8
2
2
2
2
Other Services
9
1
4
7
1
2
Information
2
2
2
5
5
1
4
1
2
1
Education
1
3
1
4
11
1
5
2
Professional Services
6
5
15
18
10
4
6
2
Manufacturing
5
2
2
10
13
23
7
1
5
4
3
  • Manufacturing activity was heavily concentrated in LockBit 3.0.
  • Some actors demonstrated narrow targeting patterns.

06Six Month Trend Context

07Key Takeaways

  • 376 ransomware disclosures were observed in August 2023.
  • LockBit 3.0 led activity with 111 victims.
  • USA accounted for 42.6% of disclosures.
  • Manufacturing remained the most targeted industry.

08Data Methodology and Sources

  • Victim counts are based on publicly disclosed ransomware leak site postings tracked during the reporting period.
  • Each victim is attributed to a single threat actor based on disclosure source.
  • Industry classification is assigned using standardized sector mapping.
  • Country attribution is based on headquarters location where identifiable.

Accelerate Risk Decisions, Cut the Noise.

Join leading teams using Black Kite to slash assessment timelines, eliminate manual reviews, and onboard vendors with confidence.