
Ransomware Report December 2023

An In-Depth Analysis of the Latest Ransomware Trends and Threat Landscape

Dive into the constantly shifting world of ransomware, as we uncover the latest tactics, dissect the most prolific actors, and offer insights to keep your organization one step ahead.

The number of victims dropped to 360+, a hundred fewer than in November.

LockBit is still the top player. The FBI operation that seized AlphV/Black Cat's website seriously crippled AlphV's operations, but the group is still active. However, it is no longer in the top three.

A new group called WereWolves entered the top three. The WereWolves ransomware group has been active since fall 2023 and has targeted 26 victims, including companies in Russia, the USA, and several European countries. The group is unusual because it has a full-fledged website that recruits new members and offers a bounty program for security vulnerabilities. It is also rare to see ransomware groups targeting Russian companies; we have previously seen that only from short-lived ransomware groups.

  • At least one IP address that was part of a botnet, malware propagation, or spam propagation: 9
  • Use of out-of-date services/products with possible vulnerabilities of high exploitability: 223
  • At least one possible phishing domain: 162
  • Open RDP or SMB ports publicly visible: 178
  • At least one credential leaked in the last 90 days: 234
  • MX and DNS misconfiguration that may allow spoofing and phishing attacks: 266

01 Threat Actor Distribution

  • LockBit 3.0 accounted for 83 victims, representing 22.9% of total activity.
  • Play followed with 32 disclosures.
  • WereWolves Group and AlphaVM (BlackCat) remained consistently active.

02 Geographic Distribution

  • USA represented 45.4% of all tracked victims.
  • The combined "Others" category was among the next most impacted.
  • UK and Russian Federation also saw notable activity.

03 Industry Distribution

  • Manufacturing remained the most targeted sector.
  • Professional Services followed as a heavily impacted sector.
  • HealthCare and Information continued to be operationally critical targets.

04 Threat Actor × Country Matrix

The matrix below shows how leading ransomware groups distributed their activity geographically.

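Threat actors (columns): Others, BianLian, Akira, Black Basta, Cactus, DragonForce, 8Base, AlphaVM (BlackCat), WereWolves Group, Play, LockBit 3.0

Victim counts per country (rows). Empty cells are not listed, so rows with fewer than eleven values cannot be aligned to specific actors.

  • USA: 51, 8, 5, 12, 6, 11, 7, 13, 3, 21, 27
  • UK: 2, 1, 4, 2, 2, 2, 2, 7
  • Russian Federation: 17
  • Germany: 3, 1, 1, 1, 2, 1, 2, 4
  • Canada: 2, 1, 2, 1, 3, 2, 2
  • Australia: 2, 2, 2, 2, 1, 3
  • France: 3, 1, 5
  • Netherlands: 1, 1, 1, 2, 2
  • Israel: 3, 1, 2
  • Italy: 3, 2, 1
  • Argentina: 1, 2, 2
  • China: 1, 3
  • India: 1, 3
  • Mexico: 1, 3
  • Spain: 1, 1, 2
  • Others: 2, 28, 2, 3, 4, 6, 3, 3, 22
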
  • USA activity was heavily concentrated in the "Others" actor group.
  • Some actors demonstrated narrow targeting patterns.

05 Threat Actor × Industry Matrix

This view highlights sector specialization across leading ransomware groups.

Threat actors (columns): Others, Akira, Play, LockBit 3.0, Black Basta, AlphaVM (BlackCat), WereWolves Group, DragonForce, Cactus, 8Base, BianLian

Victim counts per industry (rows). Empty cells are not listed, so rows with fewer than eleven values cannot be aligned to specific actors.

  • Agriculture & Fishing: 1, 1, 1
  • Mining: 1, 1, 1
  • Company Management: 1, 1, 2
  • Utilities: 2, 1, 1, 1, 1
  • Wholesale Trade: 1, 4, 1
  • Accommodation: 2, 1, 1, 3
  • Arts & Entertainment: 2, 1, 1, 1, 1, 1, 2
  • Transportation and Warehousing: 3, 1, 1, 3, 2
  • Retail Trade: 2, 1, 1, 2, 1, 1, 2, 1
  • Public Administration: 5, 4, 1, 1
  • Construction: 2, 1, 2, 1, 2, 2, 2
  • Real Estate: 1, 1, 1, 3, 1, 1, 1, 1, 2
  • Finance and Insurance: 5, 1, 2, 1, 3, 1, 2
  • Remediation Services: 2, 3, 1, 1, 2, 4, 2
  • Other: 2, 7, 3, 2, 3
  • Educational Services: 15, 1, 5, 1, 1
  • Information: 9, 1, 2, 3, 2, 4, 1, 2
  • HealthCare: 14, 7, 1, 2, 3
  • Professional Services: 12, 5, 8, 15, 3, 8, 4, 2, 2, 4, 2
  • Manufacturing: 14, 1, 9, 18, 8, 5, 6, 6, 6, 7, 1

  • Manufacturing activity was heavily concentrated in LockBit 3.0.
  • Some actors demonstrated narrow targeting patterns.

06 Six Month Trend Context

07 Key Takeaways

  • 362 ransomware disclosures were observed in December 2023.
  • LockBit 3.0 led activity with 83 victims.
  • USA accounted for 45.4% of disclosures.
  • Manufacturing remained the most targeted industry.

08 Data Methodology and Sources

  • Victim counts are based on publicly disclosed ransomware leak site postings tracked during the reporting period.
  • Each victim is attributed to a single threat actor based on disclosure source.
  • Industry classification is assigned using standardized sector mapping.
  • Country attribution is based on headquarters location where identifiable.
