
Ransomware Report October 2024

An In-Depth Analysis of the Latest Ransomware Trends and Threat Landscape

Dive into the constantly shifting world of ransomware, as we uncover the latest tactics, dissect the most prolific actors, and offer insights to keep your organization one step ahead.

Welcome to the October 2024 ransomware update, highlighting the latest trends, threat actors, and significant developments shaping the ransomware landscape. The Black Kite Research & Intelligence Team (BRITE) tracked 490 ransomware incidents this month, making it the second-highest month of the year, just behind the record-breaking 534 victims in May.

RansomHub continued its dominance with 84 victims, further solidifying its position as the most active ransomware group since July. The United States and France were its primary targets.

Play followed closely behind with 53 victims, maintaining its steady rise in the rankings. Notably, reports indicate North Korea-affiliated Jumpy Pisces has collaborated with Play, leveraging its DTrack malware to facilitate attacks and expand Play’s reach.

Another key development was Kill Security’s resurgence, with 63 victims in the past two months and the launch of its Kill Security 3.0 blog, featuring expanded offerings such as pentesting, data gathering, and Ransomware-as-a-Service (RaaS). This move mirrors LockBit’s previous strategies, highlighting the continued evolution of ransomware group infrastructures.

Sarcoma emerged as a new and rapidly growing threat actor, sharing 41 victims in its debut month. While most of its victims appear unique, connections to Royal and Cactus suggest possible affiliations.

With ransomware groups continually refining their tactics and forming new alliances, the landscape remains highly volatile. As these threats evolve, we remain committed to tracking and analyzing emerging ransomware trends to provide the most accurate insights.

  • At least one IP address that was part of a botnet, malware propagation, or spam propagation: 5
  • At least one record found in stealer logs: 159
  • Open RDP or SMB ports publicly visible: 215
  • At least one credential leaked in the last 90 days: 248
  • Use of out-of-date services/products with possible vulnerabilities of high exploitability: 258
  • At least one possible phishing domain: 259
  • MX and DNS misconfiguration that may allow spoofing and phishing attacks: 345

01 Threat Actor Distribution

  • RansomHub accounted for 84 victims, representing 17.1% of total activity.
  • Play followed with 53 disclosures.
  • Sarcoma Group and Kill Security remained consistently active.

02 Geographic Distribution

  • USA represented 52.7% of all tracked victims.
  • The combined "Others" group of countries was among the next most impacted.
  • Canada and India also saw notable activity.

03 Industry Distribution

  • Public Administration remained the most targeted sector.
  • The "Other" category followed as a heavily impacted sector.
  • Accommodation Services and Entertainment continued to be operationally critical targets.

04 Threat Actor × Country Matrix

The matrix below shows how leading ransomware groups distributed their activity geographically.

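Columns (threat actors, in order): Others, Black Suit, Medusa, eraleign (APT73), Fog, Hunters, Meow, Kill Security, Sarcoma Group, Play, RansomHub

Each row lists a country's victim counts in column order. Cells that were blank in the matrix are not shown, so a row with fewer than 11 values cannot be mapped to specific actors.

USA: 89, 10, 10, 6, 17, 12, 16, 3, 9, 47, 39
Canada: 10, 2, 1, 1, 2, 1, 5, 3, 3
India: 2, 1, 1, 1, 17, 3
UK: 8, 6, 1, 2, 3, 1
Germany: 7, 1, 1, 1, 2, 1
France: 5, 1, 1, 1, 4
Italy: 4, 1, 1, 1, 3, 1
Spain: 4, 1, 1, 1, 3
Australia: 4, 1, 4
Brazil: 4, 2, 1, 2
UAE: 1, 1, 1, 3
Belgium: 1, 2, 2
Mexico: 1, 1, 3
Israel: 2, 1, 1
Japan: 1, 1, 2
South Africa: 2, 2
Others: 12, 1, 3, 4, 3, 3, 5, 6, 8, 3, 18

  • USA activity was heavily concentrated in the Others category.
  • Some actors demonstrated narrow targeting patterns.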

05 Threat Actor × Industry Matrix

This view highlights sector specialization across leading ransomware groups.

Columns (threat actors, in order): Others, Black Suit, Medusa, eraleign (APT73), Fog, Hunters, Meow, Kill Security, Sarcoma Group, Play, RansomHub

Each row lists an industry's victim counts in column order. Cells that were blank in the matrix are not shown, so a row with fewer than 11 values cannot be mapped to specific actors.

Manufacturing: 37, 4, 3, 4, 5, 7, 3, 5, 17, 15
Professional, Scientific, and Technical Services: 37, 2, 7, 4, 8, 6, 3, 10, 8, 16
Health Care and Social Assistance: 19, 2, 2, 7, 9
Administrative and Support and Waste Management and Remediation Services: 9, 1, 2, 3, 2, 2
Information: 11, 2, 2, 2, 4, 5
Wholesale Trade: 7, 1, 2, 1, 1, 6, 3, 2
Construction: 5, 2, 7, 1, 2, 2, 1, 2, 10, 7
Retail Trade: 5, 2, 1, 1, 3, 1, 2, 2, 4
Finance and Insurance: 3, 1, 1, 1, 1, 5, 2, 4
Transportation and Warehousing: 3, 1, 1, 1, 1, 1, 1, 4, 2, 2
Educational Services: 4, 1, 3, 1, 4, 2, 6
Other Services (except Public Administration): 5, 1, 2, 5, 2, 4, 2, 6
Public Administration: 6, 2, 3, 3
Arts, Entertainment, and Recreation: 1, 1, 1, 1, 1
Accommodation and Food Services: 1, 1, 1, 1, 1
Real Estate Rental and Leasing: 1, 1, 2, 2, 1
Utilities: 1, 1, 1, 1
Mining: 1, 1
Agriculture, Forestry, Fishing and Hunting: 1

  • Manufacturing activity was heavily concentrated in the Others category.
  • Some actors demonstrated narrow targeting patterns.

06 Six Month Trend Context

07 Key Takeaways

  • 490 ransomware disclosures were observed in October 2024.
  • RansomHub led activity with 84 victims.
  • USA accounted for 52.7% of disclosures.
  • Public Administration remained the most targeted industry.

08 Data Methodology and Sources

  • Victim counts are based on publicly disclosed ransomware leak site postings tracked during the reporting period.
  • Each victim is attributed to a single threat actor based on disclosure source.
  • Industry classification is assigned using standardized sector mapping.
  • Country attribution is based on headquarters location where identifiable.
