01Threat Actor Distribution
- LockBit 3.0 accounted for 109 victims, representing 23.6% of total activity.
- Play followed with 51 disclosures.
- AlphaVM (BlackCat) and Black Basta remained consistently active.
02Geographic Distribution
- USA represented 46.9% of all tracked victims.
- Others was among the next most impacted countries.
- UK and Germany also saw notable activity.
03Industry Distribution
- Manufacturing remained the most targeted sector.
- Professional Services followed as a heavily impacted sector.
- HealthCare and Finance and Insurance continued to be operationally critical targets.
04Threat Actor × Country Matrix
The matrix below shows how leading ransomware groups distributed their activity geographically.
Others
Snatch
Rhysida
Medusa
INC Ransom
Hunters
Akira
Noescape
8Base
Black Basta
AlphaVM (BlackCat)
Play
LockBit 3.0
USA
32
6
3
10
7
8
5
13
9
8
24
39
47
Germany
4
1
1
2
1
3
4
2
3
6
UK
4
4
1
1
1
1
1
2
2
5
5
Canada
3
3
1
2
1
4
6
1
1
1
France
5
1
2
5
1
1
4
Italy
1
1
1
4
2
6
Netherlands
2
5
1
2
1
Australia
2
1
1
1
1
2
1
1
Spain
1
1
1
2
1
1
2
Brazil
1
1
2
1
2
Belgium
3
1
1
1
India
2
1
3
Singapore
2
1
1
2
China
1
1
3
Denmark
1
1
3
Taiwan
1
1
1
2
Switzerland
1
1
2
Thailand
1
22
Others
12
3
1
2
3
7
2
1
1
3
22
- USA activity was heavily concentrated in LockBit 3.0.
- Some actors demonstrated narrow targeting patterns.
05Threat Actor × Industry Matrix
This view highlights sector specialization across leading ransomware groups.
Others
LockBit 3.0
8Base
Black Basta
Play
Snatch
Rhysida
Hunters
AlphaVM (BlackCat)
Noescape
Medusa
Akira
INC Ransom
Mining
1
1
Agriculture & Fishing
1
1
2
1
Arts & Entertainment
1
2
2
Utilities
2
2
1
2
Wholesale Trade
1
2
1
1
1
1
Accommodation
2
5
Real Estate
1
1
3
3
2
1
Public Administration
1
7
1
1
1
Information
1
1
3
1
1
1
2
1
1
2
Remediation Services
3
2
1
3
1
2
4
2
1
Other Services
5
5
2
1
1
1
1
3
Construction
4
4
2
2
1
5
1
2
Educational Services
5
6
1
5
1
2
1
Transportation and Warehousing
1
7
4
2
2
1
1
2
1
1
Retail Trade
4
5
5
2
6
3
1
2
2
Finance and Insurance
6
11
2
1
3
2
1
2
2
Health Care
9
5
3
3
2
3
5
1
1
Professional Services
19
18
6
7
13
2
1
8
1
2
2
1
Manufacturing
16
24
10
9
18
2
5
14
6
12
2
- Manufacturing activity was heavily concentrated in LockBit 3.0.
- Professional Services showed broader spread across sectors.
- Some actors demonstrated narrow targeting patterns.
06Six Month Trend Context
07Key Takeaways
- 462 ransomware disclosures were observed in November 2023.
- LockBit 3.0 led activity with 109 victims.
- USA accounted for 46.9% of disclosures.
- Manufacturing remained the most targeted industry.
08Data Methodology and Sources
- Victim counts are based on publicly disclosed ransomware leak site postings tracked during the reporting period.
- Each victim is attributed to a single threat actor based on disclosure source.
- Industry classification is assigned using standardized sector mapping.
- Country attribution is based on headquarters location where identifiable.