
Ransomware Report June 2024

An In-Depth Analysis of the Latest Ransomware Trends and Threat Landscape

Dive into the constantly shifting world of ransomware, as we uncover the latest tactics, dissect the most prolific actors, and offer insights to keep your organization one step ahead.

Welcome to the June 2024 ransomware update, highlighting the latest trends, threat actors, and significant developments shaping the ransomware landscape. The Black Kite Research & Intelligence Team (BRITE) tracked 342 ransomware incidents this month, reflecting a notable decline from May. Unlike previous months, no single ransomware group dominated, with multiple actors contributing to the overall numbers.

LockBit 3.0 was absent from the top 10, marking a significant shift in the ransomware ecosystem. Instead, Play, RansomHub, Akira, Medusa, INC Ransom, Qilin, Cactus, and Black Suit emerged as the most active groups.

Geographically, the United States remained the most targeted country with 169 incidents, followed by the United Kingdom, Canada, Italy, and Germany. As always, our focus on data accuracy ensures a more precise and reliable representation of ransomware activity, minimizing the impact of inflated or duplicated victim reports.

  • At least one record found in stealer logs: 63
  • Open RDP or SMB ports publicly visible: 150
  • Use of out-of-date services/products with possible vulnerabilities of high exploitability: 177
  • At least one possible phishing domain: 152
  • At least one credential leaked in the last 90 days: 170
  • MX and DNS misconfiguration that may allow spoofing and phishing attacks: 249

01 Threat Actor Distribution

  • The "Other" category accounted for 59 victims, representing 17.8% of total activity.
  • Play followed with 36 disclosures.
  • RansomHub and Akira remained consistently active.

02 Geographic Distribution

  • The USA represented 52.5% of all tracked victims.
  • The "Others" category was among the next most impacted.
  • The UK and Canada also saw notable activity.

03 Industry Distribution

  • Manufacturing remained the most targeted sector.
  • Professional Services followed as a heavily impacted sector.
  • Construction and Health Care continued to be operationally critical targets.

04 Threat Actor × Country Matrix

The matrix below shows how leading ransomware groups distributed their activity geographically.

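Columns (threat actors): Others, Arcus Media, El Dorado, Black Suit, Cactus, Qilin, INC Ransom, Medusa, Akira, RansomHub, Play

Rows (countries; non-empty cell values in column order):

  • USA: 59, 4, 11, 12, 6, 13, 14, 12, 7, 5, 26
  • UK: 8, 2, 3, 2, 2, 2, 1
  • Canada: 7, 2, 1, 3, 2, 4
  • Germany: 3, 1, 3, 2, 1
  • Italy: 7, 1, 2, 1, 4
  • Brazil: 2, 1, 4
  • India: 2, 2
  • Spain: 4, 1, 1
  • France: 4, 1
  • Japan: 5, 1, 1
  • Argentina: 2, 1, 1
  • Australia: 1, 2, 1
  • Ireland: 1, 1, 2
  • Others: 29, 6, 2, 1, 2, 1, 2, 5, 6, 4
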
  • USA activity was heavily concentrated in the "Others" actor category.
  • Some actors demonstrated narrow targeting patterns.

05 Threat Actor × Industry Matrix

This view highlights sector specialization across leading ransomware groups.

Columns (threat actors): Others, RansomHub, Arcus Media, Black Suit, Akira, Play, El Dorado, Qilin, Cactus, Medusa, INC Ransom

Rows (industries; non-empty cell values in column order):

  • Agriculture & Fishing: 1, 1
  • Mining: 2, 1, 2, 1
  • Utilities: 1, 2
  • Construction: 7, 1, 1, 2, 8, 3, 3, 3, 1
  • Manufacturing: 32, 8, 2, 1, 9, 7, 1, 2, 6, 3, 4
  • Wholesale Trade: 1, 1, 1, 4, 1, 1, 1
  • Retail Trade: 7, 1, 1, 1, 1
  • Transportation: 11, 3, 1, 1, 1, 2, 1, 2
  • Information: 6, 3, 1, 2, 1, 3, 1, 3
  • Finance and Insurance: 6, 3, 1, 1, 1
  • Real Estate: 3, 1
  • Professional Services: 19, 5, 3, 4, 8, 2, 4, 1, 4, 2
  • Administrative: 3, 2
  • Educational Services: 4, 1, 1, 2, 2, 1, 1, 4
  • Health Care: 11, 1, 3, 1, 4, 3, 2
  • Arts & Entertainment: 1, 1, 2
  • Accommodation: 1, 1
  • Other: 14, 1, 1, 2, 2, 2, 1
  • Public Administration: 6, 1, 1, 3

  • Manufacturing activity was heavily concentrated in the "Others" actor category.
  • Some actors demonstrated narrow targeting patterns.

06 Six Month Trend Context

07 Key Takeaways

  • 332 ransomware disclosures were observed in June 2024.
  • The "Other" category led activity with 59 victims.
  • The USA accounted for 52.5% of disclosures.
  • Manufacturing remained the most targeted industry.

08 Data Methodology and Sources

  • Victim counts are based on publicly disclosed ransomware leak site postings tracked during the reporting period.
  • Each victim is attributed to a single threat actor based on disclosure source.
  • Industry classification is assigned using standardized sector mapping.
  • Country attribution is based on headquarters location where identifiable.
