Black Kite is a finalist in the 2026 SC Awards for continued innovation and leadership in third-party cyber risk intelligence.Learn more

Ransomware Report March 2024

An In-Depth Analysis of the Latest Ransomware Trends and Threat Landscape

Dive into the constantly shifting world of ransomware, as we uncover the latest tactics, dissect the most prolific actors, and offer insights to keep your organization one step ahead.

AlphV has exited the scene. Although they announced some victims at the beginning of the month, they have since been silent. Several intelligence and research reports indicate that their affiliates have moved to other ransomware groups such as Play, Akira, and Hunters. The rise of these groups supports this claim.

After more than two years, Lockbit is no longer the number one ransomware group. Despite their efforts to recover from the FBI’s disruptions and announce some ex- or made-up victims (which we excluded from our stats), it seems that they will not be able to reach their prime time anytime soon. The Play ransomware group is now at the top.

In addition to the groups attracting AlphV’s affiliates, we see BlackBasta, Medusa, and RansomHub also climbing the ranks.

Targeting healthcare organizations is increasingly prevalent in the ransomware community.

At least one record found in stealer logs
62
Open RDP or SMB ports publicly visible
115
Use of out-of-date services/products with possible vulnerabilities of high exploitability
146
At least one possible phishing domain
167
At least one credential leaked in the last 90 days
210
MX and DNS misconfiguration that may allow spoofing and phishing attacks
252

01Threat Actor Distribution

  • Play accounted for 45 victims, representing 13.5% of total activity.
  • LockBit 3.0 followed with 43 disclosures.
  • Other and Black Basta remained consistently active.

02Geographic Distribution

  • USA represented 50.9% of all tracked victims.
  • Others was among the next most impacted countries.
  • Canada and UK also saw notable activity.

03Industry Distribution

  • Manufacturing remained the most targeted sector.
  • Professional Services followed as a heavily impacted sector.
  • Other and Health Care continued to be operationally critical targets.

04Threat Actor × Country Matrix

The matrix below shows how leading ransomware groups distributed their activity geographically.

Others
Red Ransomware
BianLian
INC Ransom
Hunters
Akira
8Base
RansomHub
Medusa
Black Basta
LockBit 3.0
Play
USA
23
4
11
9
6
9
3
4
14
26
19
UK
5
1
1
1
1
1
2
4
1
Canada
7
1
1
6
1
6
6
Germany
4
1
3
2
3
Italy
3
1
1
1
1
Australia
1
1
2
1
Brazil
1
1
3
India
3
2
Mexico
3
1
1
Spain
3
1
1
Others
23
4
1
1
4
5
8
8
3
3
9
2
  • USA activity was heavily concentrated in Black Basta.
  • Others showed broader spread geographically.
  • Some actors demonstrated narrow targeting patterns.

05Threat Actor × Industry Matrix

This view highlights sector specialization across leading ransomware groups.

Others
Akira
Black Basta
LockBit 3.0
Play
INC Ransom
Hunters
Red Ransomware
BianLian
Medusa
RansomHub
8Base
Agriculture & Fishing
2
1
Mining
1
1
1
1
Utilities
3
1
1
Construction
6
1
3
4
1
2
2
Manufacturing
15
6
18
12
14
1
3
1
1
4
1
4
Wholesale Trade
5
1
2
1
Retail Trade
5
2
1
2
1
2
Transportation
1
1
2
4
1
1
Information
5
2
2
3
2
1
Finance and Insurance
4
1
2
2
1
3
1
Real Estate
3
1
2
1
1
Professional Services
15
2
7
8
8
3
2
2
2
5
8
4
Company Management
2
1
1
1
Administrative
1
1
2
1
1
1
2
Educational Services
6
2
1
1
1
1
Health Care
4
4
4
4
5
Arts & Entertainment
1
1
1
1
1
Accommodation
1
1
1
1
1
1
2
Other
6
1
1
1
1
1
4
2
Public Administration
5
1
1
1
  • Manufacturing activity was heavily concentrated in Black Basta.
  • Some actors demonstrated narrow targeting patterns.

06Six Month Trend Context

07Key Takeaways

  • 334 ransomware disclosures were observed in March 2024.
  • Play led activity with 45 victims.
  • USA accounted for 50.9% of disclosures.
  • Manufacturing remained the most targeted industry.

08Data Methodology and Sources

  • Victim counts are based on publicly disclosed ransomware leak site postings tracked during the reporting period.
  • Each victim is attributed to a single threat actor based on disclosure source.
  • Industry classification is assigned using standardized sector mapping.
  • Country attribution is based on headquarters location where identifiable.

Accelerate Risk Decisions, Cut the Noise.

Join leading teams using Black Kite to slash assessment timelines, eliminate manual reviews, and onboard vendors with confidence.