Black Kite is a finalist in the 2026 SC Awards for continued innovation and leadership in third-party cyber risk intelligence.Learn more

Ransomware Report May 2024

An In-Depth Analysis of the Latest Ransomware Trends and Threat Landscape

Dive into the constantly shifting world of ransomware, as we uncover the latest tactics, dissect the most prolific actors, and offer insights to keep your organization one step ahead.

Welcome to the May 2024 ransomware update, highlighting the latest trends, threat actors, and significant developments shaping the ransomware landscape. The Black Kite Research & Intelligence Team (BRITE) tracked 495 ransomware incidents this month, making it one of the highest monthly victim counts in recent years—just behind the record 515 incidents from May 2023.

LockBit 3.0 remained the most active group, with 183 confirmed victims, though they also shared duplicate data, inflating their overall numbers. Other key players this month included INC Ransom, Play, RansomHub, and 8Base, all contributing to the continued ransomware surge.

The United States was once again the most targeted country, with 221 incidents, followed by the United Kingdom, Canada, Germany, France, Spain, Italy, and Brazil. The trend of ransomware groups recycling and inflating victim data highlights the growing need for precise tracking and validation in the cybersecurity community.

At least one record found in stealer logs
105
Open RDP or SMB ports publicly visible
235
Use of out-of-date services/products with possible vulnerabilities of high exploitability
282
At least one possible phishing domain
218
At least one credential leaked in the last 90 days
254
MX and DNS misconfiguration that may allow spoofing and phishing attacks
347

01Threat Actor Distribution

  • LockBit 3.0 accounted for 183 victims, representing 34% of total activity.
  • Other followed with 66 disclosures.
  • INC Ransom and INC Ransom remained consistently active.

02Geographic Distribution

  • USA represented 46.2% of all tracked victims.
  • Others was among the next most impacted countries.
  • UK and Canada also saw notable activity.

03Industry Distribution

  • Manufacturing remained the most targeted sector.
  • Professional Services followed as a heavily impacted sector.
  • Other and Health Care continued to be operationally critical targets.

04Threat Actor × Country Matrix

The matrix below shows how leading ransomware groups distributed their activity geographically.

Others
DragonForce
BianLian
Akira
Black Basta
Qilin
8base
RansomHub
Play
INC Ransom
LockBit 3.0
USA
53
4
12
9
7
10
4
6
26
22
68
UK
9
3
1
1
3
4
9
Canada
6
1
1
2
2
1
3
2
4
Germany
7
1
1
3
7
Italy
1
2
3
1
2
1
6
Brazil
8
3
4
India
1
12
Spain
1
1
2
2
12
France
4
1
2
1
11
Belgium
2
1
1
1
2
1
1
Japan
2
4
1
1
Argentina
4
2
Czech Republic
1
1
1
1
1
Ireland
2
1
1
1
Mexico
2
3
Colombia
2
1
1
Poland
1
3
Others
23
2
3
1
1
1
9
1
37
  • USA activity was heavily concentrated in LockBit 3.0.
  • Some actors demonstrated narrow targeting patterns.

05Threat Actor × Industry Matrix

This view highlights sector specialization across leading ransomware groups.

Others
LockBit 3.0
DragonForce
BianLian
Qilin
8base
RansomHub
Play
INC Ransom
Black Basta
Akira
8Base
Agriculture & Fishing
1
Mining
2
2
Utilities
1
Construction
6
9
1
1
1
5
2
2
2
Manufacturing
26
50
4
3
4
4
4
7
4
6
5
Wholesale Trade
2
5
1
2
1
2
1
Retail Trade
4
6
1
1
1
Transportation
8
6
1
1
1
1
1
1
2
Information
7
8
1
2
2
4
3
2
Finance and Insurance
9
7
1
1
2
1
Real Estate
3
3
1
1
1
Professional Services
32
28
2
7
2
3
2
6
2
5
4
Administrative
2
1
1
1
1
2
1
2
Educational Services
5
20
1
1
Health Care
7
9
2
3
1
2
9
1
Arts & Entertainment
1
1
1
1
Accommodation
1
2
1
1
Other
8
15
4
1
1
3
1
3
Public Administration
5
8
2
1
4
1
1
  • Manufacturing activity was heavily concentrated in LockBit 3.0.
  • Some actors demonstrated narrow targeting patterns.

06Six Month Trend Context

07Key Takeaways

  • 539 ransomware disclosures were observed in May 2024.
  • LockBit 3.0 led activity with 183 victims.
  • USA accounted for 46.2% of disclosures.
  • Manufacturing remained the most targeted industry.

08Data Methodology and Sources

  • Victim counts are based on publicly disclosed ransomware leak site postings tracked during the reporting period.
  • Each victim is attributed to a single threat actor based on disclosure source.
  • Industry classification is assigned using standardized sector mapping.
  • Country attribution is based on headquarters location where identifiable.

Accelerate Risk Decisions, Cut the Noise.

Join leading teams using Black Kite to slash assessment timelines, eliminate manual reviews, and onboard vendors with confidence.