Black Kite is a finalist in the 2026 SC Awards for continued innovation and leadership in third-party cyber risk intelligence.Learn more

Ransomware Report July 2024

An In-Depth Analysis of the Latest Ransomware Trends and Threat Landscape

Dive into the constantly shifting world of ransomware, as we uncover the latest tactics, dissect the most prolific actors, and offer insights to keep your organization one step ahead.

Welcome to the July 2024 ransomware update, highlighting the latest trends, threat actors, and significant developments shaping the ransomware landscape. The Black Kite Research & Intelligence Team (BRITE) tracked 377 ransomware incidents this month, showing a slight increase compared to June.

RansomHub took the lead with 48 victims, making it the most active ransomware group this month. Akira maintained its steady attack rate with 30 victims, while LockBit 3.0, following a new admin announcement, continued its activity with 29 victims, potentially signaling an attempt to regain its foothold. Play and Hunters remained active but did not display any major surges.

The United States was once again the most affected country, with 193 incidents, while Canada, the United Kingdom, Italy, Germany, and Brazil each recorded similar victim counts. As ransomware trends fluctuate, continuous monitoring and precise data validation remain crucial in assessing the true impact of these threats.

At least one IP address that was part of a botnet, malware propagation, or spam propagation
3
At least one record found in stealer logs
81
At least one possible phishing domain
158
Open RDP or SMB ports publicly visible
159
At least one credential leaked in the last 90 days
195
Use of out-of-date services/products with possible vulnerabilities of high exploitability
200
MX and DNS misconfiguration that may allow spoofing and phishing attacks
253

01Threat Actor Distribution

  • RansomHub accounted for 48 victims, representing 12.7% of total activity.
  • Akira followed with 30 disclosures.
  • LockBit 3.0 and Hunters remained consistently active.

02Geographic Distribution

  • USA represented 51.2% of all tracked victims.
  • Others was among the next most impacted countries.
  • Canada and UK also saw notable activity.

03Industry Distribution

  • Public Administration remained the most targeted sector.
  • Other followed as a heavily impacted sector.
  • Accommodation Services and Entertainment continued to be operationally critical targets.

04Threat Actor × Country Matrix

The matrix below shows how leading ransomware groups distributed their activity geographically.

Others
BianLian
Dispossessor
DragonForce
Medusa
Meow
Play
Hunters
LockBit 3.0
Akira
RansomHub
USA
71
10
9
8
6
11
19
13
12
13
21
Canada
8
2
1
1
1
3
1
(blank)
8
1
1
1
1
1
2
1
1
Brazil
3
2
1
3
4
Germany
4
1
1
1
2
1
4
Italy
6
1
1
2
3
UK
6
1
2
1
1
2
Australia
2
1
1
2
1
1
Spain
6
1
France
4
1
1
Belgium
2
1
1
India
3
1
1
Netherlands
2
1
2
Romania
2
1
2
Indonesia
1
1
1
Singapore
3
1
Taiwan
1
1
Others
30
1
2
2
1
3
4
7
5
8
  • USA activity was heavily concentrated in Others.
  • Some actors demonstrated narrow targeting patterns.

05Threat Actor × Industry Matrix

This view highlights sector specialization across leading ransomware groups.

Others
Dispossessor
BianLian
Medusa
DragonForce
Meow
Play
Hunters
LockBit 3.0
Akira
RansomHub
Manufacturing
28
2
4
5
4
6
9
6
10
12
Professional, Scientific, and Technical Services
37
1
2
3
2
4
1
3
6
6
8
Health Care and Social Assistance
15
4
2
1
2
4
1
4
Other
13
1
1
2
1
1
2
2
1
7
Public Administration
10
1
1
2
3
3
2
Construction
7
2
1
1
4
1
2
4
Information
7
1
1
1
3
1
1
2
2
Educational Services
9
2
1
3
1
1
Finance and Insurance
7
2
1
1
1
1
1
Administrative, Support, Waste Management, Remediation Services
1
1
1
2
3
2
Wholesale Trade
6
1
1
1
1
1
Transportation and Warehousing
5
1
3
Retail Trade
2
1
1
1
2
Real Estate Rental and Leasing
3
1
1
1
Accommodation and Food Services
1
1
1
2
Arts, Entertainment, and Recreation
1
2
2
Management of Companies and Enterprises
1
1
1
Utilities
1
1
1
Mining
1
1
1
  • Professional, Scientific, and Technical Services activity was heavily concentrated in Others.
  • Some actors demonstrated narrow targeting patterns.

06Six Month Trend Context

07Key Takeaways

  • 377 ransomware disclosures were observed in July 2024.
  • RansomHub led activity with 48 victims.
  • USA accounted for 51.2% of disclosures.
  • Public Administration remained the most targeted industry.

08Data Methodology and Sources

  • Victim counts are based on publicly disclosed ransomware leak site postings tracked during the reporting period.
  • Each victim is attributed to a single threat actor based on disclosure source.
  • Industry classification is assigned using standardized sector mapping.
  • Country attribution is based on headquarters location where identifiable.

Accelerate Risk Decisions, Cut the Noise.

Join leading teams using Black Kite to slash assessment timelines, eliminate manual reviews, and onboard vendors with confidence.