Black Kite is a finalist in the 2026 SC Awards for continued innovation and leadership in third-party cyber risk intelligence.Learn more

Ransomware Report February 2024

An In-Depth Analysis of the Latest Ransomware Trends and Threat Landscape

Dive into the constantly shifting world of ransomware, as we uncover the latest tactics, dissect the most prolific actors, and offer insights to keep your organization one step ahead.

The healthcare industry has seen a rise in ransomware attacks, with the Change Healthcare incidents being the most critical. We have provided additional details regarding this incident in our latest Focus Friday blog post.

The group responsible for the attack, AlphV/BlackCat, is looking to exit with a final jackpot. They have already placed their source code up for sale and shut down their website. Two possible outcomes could result from this exit: either they will develop a new ransomware and re-emerge under a different name, or we will see new variants of AlphV ransomware operated by others. We have provided a detailed analysis of their exit in our blog post, and I have also shared my thoughts on this with DarkReading.

Law enforcement has dealt a significant blow to Lockbit through Operation Cronos, damaging their infrastructure and reputation. While they remain operational, they are not as effective as they were previously. They have begun to attack countries such as Turkey due to the involvement of agencies or cybersecurity companies in Operation Cronos. We have also conducted a thorough analysis of this operation in our blog, and I have shared my thoughts on this with InformationWeekly.

With AlphV exiting the stage and Lockbit recovering from the hit, new ransomware groups such as Hunters are on the rise. Play, 8Base, Akira, and BianLian continue to be among the top ranks.

targeted by them in the coming months. Akira and 8base are now in second and third place, respectively, while Lockbit remains the dominant player.

Lockbit appears to be less strict about their ground rules regarding not attacking NGOs and hospitals.

Although the number of victims is similar to that of last month, the educational sector has become the third most attacked sector this month, having been in fifth place last month.

At least one IP address that was part of a botnet, malware propagation, or spam propagation
6
Use of out-of-date services/products with possible vulnerabilities of high exploitability
198
At least one possible phishing domain
184
Open RDP or SMB ports publicly visible
161
At least one credential leaked in the last 90 days
251
MX and DNS misconfiguration that may allow spoofing and phishing attacks
289

01Threat Actor Distribution

  • LockBit 3.0 accounted for 100 victims, representing 24.4% of total activity.
  • Hunters followed with 29 disclosures.
  • Play and AlphaVM (BlackCat) remained consistently active.

02Geographic Distribution

  • USA represented 51.4% of all tracked victims.
  • Others was among the next most impacted countries.
  • UK and France also saw notable activity.

03Industry Distribution

  • Manufacturing remained the most targeted sector.
  • Professional Services followed as a heavily impacted sector.
  • Health Care and Construction continued to be operationally critical targets.

04Threat Actor × Country Matrix

The matrix below shows how leading ransomware groups distributed their activity geographically.

Others
Qilin
Medusa
Akira
BianLian
8Base
Black Basta
AlphaVM (BlackCat)
Play
Hunters
LockBit 3.0
USA
48
3
10
6
16
6
13
17
21
11
37
UK
4
1
2
3
3
2
8
France
4
1
3
2
5
Canada
2
1
4
4
2
Italy
3
1
2
1
5
Germany
2
1
2
1
1
1
3
Spain
3
2
2
2
Switzerland
1
1
3
2
Australia
1
1
1
1
2
Netherlands
3
1
1
1
United Arab Emirates
2
4
Argentina
2
1
2
Sweden
1
1
1
1
1
Others
18
4
2
5
1
6
1
2
4
26
  • USA activity was heavily concentrated in Others.
  • Some actors demonstrated narrow targeting patterns.

05Threat Actor × Industry Matrix

This view highlights sector specialization across leading ransomware groups.

8Base
LockBit 3.0
Others
Play
AlphaVM (BlackCat)
Hunters
Black Basta
Medusa
Qilin
Akira
BianLian
Company Management
1
1
Agriculture & Fishing
1
1
1
Utilities
2
1
1
Arts & Entertainment
1
1
1
1
1
Mining
2
2
1
1
Accommodation
1
1
2
1
1
Administrative
2
1
1
1
3
Wholesale Trade
1
2
2
1
2
1
Finance and Insurance
7
1
1
1
1
Real Estate
2
4
1
2
1
1
Educational Services
6
5
1
Information
4
3
1
1
1
2
1
Public Administration
4
4
4
1
Retail Trade
3
5
5
1
1
1
1
1
Transportation
1
5
6
2
1
2
1
Other
1
11
4
1
1
1
3
1
1
Construction
3
5
2
3
2
4
2
1
1
2
Health Care
5
7
7
2
2
3
Professional Services
2
16
19
6
6
3
7
1
3
5
10
Manufacturing
10
22
23
8
2
2
3
6
1
6
1
  • Manufacturing activity was heavily concentrated in Others.
  • Some actors demonstrated narrow targeting patterns.

06Six Month Trend Context

07Key Takeaways

  • 409 ransomware disclosures were observed in February 2024.
  • LockBit 3.0 led activity with 100 victims.
  • USA accounted for 51.4% of disclosures.
  • Manufacturing remained the most targeted industry.

08Data Methodology and Sources

  • Victim counts are based on publicly disclosed ransomware leak site postings tracked during the reporting period.
  • Each victim is attributed to a single threat actor based on disclosure source.
  • Industry classification is assigned using standardized sector mapping.
  • Country attribution is based on headquarters location where identifiable.

Accelerate Risk Decisions, Cut the Noise.

Join leading teams using Black Kite to slash assessment timelines, eliminate manual reviews, and onboard vendors with confidence.