Black Kite is a finalist in the 2026 SC Awards for continued innovation and leadership in third-party cyber risk intelligence.Learn more

Ransomware Report May 2023

An In-Depth Analysis of the Latest Ransomware Trends and Threat Landscape

Dive into the constantly shifting world of ransomware, as we uncover the latest tactics, dissect the most prolific actors, and offer insights to keep your organization one step ahead.

At least one IP address that was part of a botnet, malware propagation, or spam propagation
18
Use of out-of-date services/products with possible vulnerabilities of high exploitability
144
At least one possible phishing domain
106
Open RDP or SMB ports publicly visible
188
At least one credential leaked in the last 90 days
292
MX and DNS misconfiguration that may allow spoofing and phishing attacks
279

01Threat Actor Distribution

  • Malas accounted for 173 victims, representing 41.7% of total activity.
  • LockBit followed with 70 disclosures.
  • AlphaVM and Royal remained consistently active.

02Geographic Distribution

  • United States of America represented 43.5% of all tracked victims.
  • Italy was among the next most impacted countries.
  • Russian Federation and United Kingdom also saw notable activity.

03Industry Distribution

  • Other remained the most targeted sector.
  • Public Administration followed as a heavily impacted sector.
  • Transportation and Warehousing and Real Estate, Rental, and Leasing continued to be operationally critical targets.

04Threat Actor × Country Matrix

The matrix below shows how leading ransomware groups distributed their activity geographically.

Others
Black Basta
Akira
BianLian
Play
Royal
AlphaVM (BlackCat)
LockBit 3.0
Malas
USA
44
15
18
17
11
30
26
35
19
Russian Federation
54
Italy
5
1
1
1
42
United Kingdom
10
2
3
4
1
4
4
Canada
6
1
4
2
2
1
4
4
Germany
2
4
5
1
3
7
Spain
1
2
3
6
France
2
1
1
2
3
Austria
3
4
Mexico
2
1
4
  • Russian Federation activity was heavily concentrated in Malas.
  • USA showed broader spread geographically.
  • Some actors demonstrated narrow targeting patterns.

05Threat Actor × Industry Matrix

This view highlights sector specialization across leading ransomware groups.

Others
Black Basta
Akira
BianLian
Play
Royal
AlphaVM (BlackCat)
LockBit 3.0
Malas
Professional, Technical, and Scientific Services
17
4
7
5
10
3
8
8
41
Manufacturing
9
5
2
3
3
3
14
20
20
Information
7
2
1
3
2
5
6
14
Educational Services
14
3
4
5
8
1
Finance and Insurance
9
1
2
1
3
1
3
7
3
Wholesale Trade
3
3
3
2
6
5
Healthcare and Social Assistance
11
6
2
2
1
Administrative, Waste Management and Remediation Services
3
1
5
5
7
Retail Trade
2
1
2
1
14
  • Professional, Technical, and Scientific Services activity was heavily concentrated in Malas.
  • Some actors demonstrated narrow targeting patterns.

06Key Takeaways

  • 415 ransomware disclosures were observed in May 2023.
  • Malas led activity with 173 victims.
  • United States of America accounted for 43.5% of disclosures.
  • Other remained the most targeted industry.

07Data Methodology and Sources

  • Victim counts are based on publicly disclosed ransomware leak site postings tracked during the reporting period.
  • Each victim is attributed to a single threat actor based on disclosure source.
  • Industry classification is assigned using standardized sector mapping.
  • Country attribution is based on headquarters location where identifiable.

Accelerate Risk Decisions, Cut the Noise.

Join leading teams using Black Kite to slash assessment timelines, eliminate manual reviews, and onboard vendors with confidence.