Black Kite is a finalist in the 2026 SC Awards for continued innovation and leadership in third-party cyber risk intelligence.Learn more

Ransomware Report July 2023

An In-Depth Analysis of the Latest Ransomware Trends and Threat Landscape

Dive into the constantly shifting world of ransomware, as we uncover the latest tactics, dissect the most prolific actors, and offer insights to keep your organization one step ahead.

At least one IP address that was part of a botnet, malware propagation, or spam propagation
26
Use of out-of-date services/products with possible vulnerabilities of high exploitability
141
At least one possible phishing domain
87
Open RDP or SMB ports publicly visible
159
At least one credential leaked in the last 90 days
263
MX and DNS misconfiguration that may allow spoofing and phishing attacks
236

01Threat Actor Distribution

  • Clop accounted for 171 victims, representing 36.7% of total activity.
  • LockBit 3.0 followed with 46 disclosures.
  • 8Base and Other remained consistently active.

02Geographic Distribution

  • USA represented 51.7% of all tracked victims.
  • Other was among the next most impacted countries.
  • UK and Italy also saw notable activity.

03Industry Distribution

  • Manufacturing remained the most targeted sector.
  • Professional Services followed as a heavily impacted sector.
  • Finance and Insurance and Information continued to be operationally critical targets.

04Threat Actor × Country Matrix

The matrix below shows how leading ransomware groups distributed their activity geographically.

Others
Akira
Rhysida
Cactus
BianLian
Play
AlphaVM (BlackCat)
8Base
LockBit 3.0
Clop
Noescape
USA
28
16
3
7
12
17
14
15
13
112
UK
4
3
3
2
1
3
6
10
3
Italy
1
3
4
1
1
3
2
1
2
Canada
1
1
1
3
2
5
1
Germany
1
1
1
1
3
8
Spain
1
1
1
1
2
2
1
1
Australia
1
3
2
2
France
1
1
1
1
1
3
Netherlands
1
1
1
6
Switzerland
2
6
India
1
2
1
1
Turkey
2
2
Belgium
1
1
1
1
Japan
1
1
1
1
Mexico
1
1
1
1
Portugal
1
1
1
Other countries
16
3
7
10
12
16
3
  • USA activity was heavily concentrated in Clop.
  • Some actors demonstrated narrow targeting patterns.

05Threat Actor × Industry Matrix

This view highlights sector specialization across leading ransomware groups.

Others
Noescape
Akira
Rhysida
Cactus
BianLian
Play
AlphaVM (BlackCat)
8Base
LockBit 3.0
Clop
Manufacturing
12
16
5
2
5
7
8
4
5
7
33
Professional Services
6
1
5
2
5
3
3
10
8
7
28
Information
3
1
2
2
4
2
26
Finance and Insurance
3
1
1
1
3
6
4
24
Educational Services
2
2
1
8
3
9
Mining
1
1
1
8
Administrative Services
5
1
1
1
3
7
Retail Trade
4
2
1
1
1
3
7
Transportation and Warehousing
4
2
2
7
Healthcare and Social Assistance
12
1
3
2
3
3
6
Wholesale Trade
4
2
1
3
3
2
3
Arts, Entertainment, and Recreation
3
Accommodation and Food Services
3
2
1
2
3
Public Administration
7
1
3
1
2
2
Utilities
1
1
2
1
Real Estate Rental and Leasing
1
1
3
1
1
Agriculture, Forestry, Fishing and Hunting
1
1
Construction
3
1
1
3
3
1
4
Other Services
2
2
1
2
1
4
1
  • Manufacturing activity was heavily concentrated in Clop.
  • Some actors demonstrated narrow targeting patterns.

06Six Month Trend Context

07Key Takeaways

  • 466 ransomware disclosures were observed in July 2023.
  • Clop led activity with 171 victims.
  • USA accounted for 51.7% of disclosures.
  • Manufacturing remained the most targeted industry.

08Data Methodology and Sources

  • Victim counts are based on publicly disclosed ransomware leak site postings tracked during the reporting period.
  • Each victim is attributed to a single threat actor based on disclosure source.
  • Industry classification is assigned using standardized sector mapping.
  • Country attribution is based on headquarters location where identifiable.

Accelerate Risk Decisions, Cut the Noise.

Join leading teams using Black Kite to slash assessment timelines, eliminate manual reviews, and onboard vendors with confidence.