Black Kite is a finalist in the 2026 SC Awards for continued innovation and leadership in third-party cyber risk intelligence.Learn more

Ransomware Report November 2024

An In-Depth Analysis of the Latest Ransomware Trends and Threat Landscape

Dive into the constantly shifting world of ransomware, as we uncover the latest tactics, dissect the most prolific actors, and offer insights to keep your organization one step ahead.

Welcome to the November 2024 ransomware update, highlighting the latest trends, threat actors, and significant developments shaping the ransomware landscape. The Black Kite Research & Intelligence Team (BRITE) tracked 591 ransomware incidents this month, marking an all-time high in ransomware activity. Unlike previous spikes driven by dominant groups, this surge was fueled by the increasing activity of smaller ransomware groups, making this month particularly intense.

RansomHub maintained its reign at the top with 98 victims, significantly outpacing other groups. Akira (35), SafePay (32), Kill Security (32), and Qilin (31) also recorded high numbers, showing consistent and aggressive expansion. Meanwhile, Fog, Black Suit, Play, Lynx, Hunters, and INC Ransom remained active, contributing to the widespread increase in ransomware incidents.

The United States saw the highest number of attacks with 323 victims, while Canada, the United Kingdom, Germany, and Italy also experienced steady attack volumes.

This record-breaking month highlights the growing fragmentation of ransomware operations, with smaller groups continuing to disrupt organizations worldwide. As ransomware groups evolve, expand, and collaborate, staying ahead of their tactics remains critical for cybersecurity teams and businesses alike.

At least one IP address that was part of a botnet, malware propagation, or spam propagation
3
At least one record found in stealer logs
205
Open RDP or SMB ports publicly visible
270
Use of out-of-date services/products with possible vulnerabilities of high exploitability
275
At least one possible phishing domain
276
At least one credential leaked in the last 90 days
302
MX and DNS misconfiguration that may allow spoofing and phishing attacks
439

01Threat Actor Distribution

  • RansomHub accounted for 98 victims, representing 16.6% of total activity.
  • Akira followed with 35 disclosures.
  • SafePay and Kill Security remained consistently active.

02Geographic Distribution

  • USA represented 54.7% of all tracked victims.
  • Others was among the next most impacted countries.
  • Canada and UK also saw notable activity.

03Industry Distribution

  • Public Administration remained the most targeted sector.
  • Other followed as a heavily impacted sector.
  • Accommodation Services and Entertainment continued to be operationally critical targets.

04Threat Actor × Country Matrix

The matrix below shows how leading ransomware groups distributed their activity geographically.

Others
Black Suit
Play
Lynx
Hunters
INC Ransom
Qilin
Kill Security
SafePay
Akira
RansomHub
USA
133
15
18
13
11
4
22
10
13
27
57
Canada
7
1
1
2
1
1
2
2
1
2
Germany
9
4
1
2
3
UK
5
1
1
2
4
1
2
3
Italy
12
1
2
1
1
Australia
3
3
2
2
2
2
France
9
1
1
3
Brazil
6
1
2
2
India
3
6
2
Argentina
1
1
1
2
2
Taiwan
4
1
1
1
UAE
3
1
1
1
Belgium
1
2
2
Netherlands
2
1
2
Others
52
1
2
3
4
7
3
11
7
3
20
  • USA activity was heavily concentrated in Others.
  • Some actors demonstrated narrow targeting patterns.

05Threat Actor × Industry Matrix

This view highlights sector specialization across leading ransomware groups.

Others
Black Suit
Play
Lynx
Hunters
INC Ransom
Qilin
Kill Security
SafePay
Akira
RansomHub
Professional, Scientific, and Technical Services
44
3
3
6
9
4
5
5
5
6
21
Manufacturing
43
3
10
6
6
8
6
3
8
9
11
Health Care and Social Assistance
32
2
1
3
4
2
4
Educational Services
22
4
2
1
3
5
Construction
10
1
4
1
2
2
2
1
1
3
23
Finance and Insurance
10
2
1
2
6
1
3
3
3
Information
11
1
1
1
1
5
1
3
4
4
Public Administration
11
1
2
1
1
1
4
Other Services (except Public Administration)
19
1
1
1
2
2
1
7
Wholesale Trade
7
2
1
3
2
3
2
5
Retail Trade
9
2
1
1
3
1
2
2
Transportation and Warehousing
8
2
2
1
1
2
Administrative and Support and Waste Management and Remediation Services
5
2
1
1
2
1
Real Estate Rental and Leasing
3
1
2
2
1
1
1
2
Arts, Entertainment, and Recreation
3
1
1
1
2
4
Utilities
2
3
2
1
1
Mining
4
1
Accommodation and Food Services
1
Management of Companies and Enterprises
1
1
Agriculture, Forestry, Fishing and Hunting
2
1
1
2
  • Professional, Scientific, and Technical Services activity was heavily concentrated in Others.
  • Some actors demonstrated narrow targeting patterns.

06Six Month Trend Context

07Key Takeaways

  • 591 ransomware disclosures were observed in November 2024.
  • RansomHub led activity with 98 victims.
  • USA accounted for 54.7% of disclosures.
  • Public Administration remained the most targeted industry.

08Data Methodology and Sources

  • Victim counts are based on publicly disclosed ransomware leak site postings tracked during the reporting period.
  • Each victim is attributed to a single threat actor based on disclosure source.
  • Industry classification is assigned using standardized sector mapping.
  • Country attribution is based on headquarters location where identifiable.

Accelerate Risk Decisions, Cut the Noise.

Join leading teams using Black Kite to slash assessment timelines, eliminate manual reviews, and onboard vendors with confidence.