01Threat Actor Distribution
- Other accounted for 85 victims, representing 20.3% of total activity.
- LockBit 3.0 followed with 80 disclosures.
- AlphaVM (Black Cat) and Ransomed.vc remained consistently active.
02Geographic Distribution
- USA represented 22.7% of all tracked victims.
- USA was among the next most impacted countries.
- Others and Others also saw notable activity.
03Industry Distribution
- Professional Services remained the most targeted sector.
- Manufacturing followed as a heavily impacted sector.
- Retail Trade and Construction continued to be operationally critical targets.
04Threat Actor × Country Matrix
The matrix below shows how leading ransomware groups distributed their activity geographically.
Others
Akira
INC Ransom
Knight
Medusa
ThreeAM
BianLian
8Base
Noescape
Play
Cactus
Ransomed.vc
AlphaVM (BlackCat)
LockBit 3.0
Ragnar Locker
USA
42
8
6
6
4
7
8
8
9
17
16
3
20
37
UK
6
2
1
1
1
1
4
4
1
2
3
Canada
2
1
1
1
2
4
2
4
1
Bulgaria
17
France
2
1
2
1
2
2
1
3
3
Germany
3
1
1
1
3
1
4
1
Australia
2
1
1
3
1
3
2
1
Brazil
2
2
1
3
Italy
2
1
2
1
3
Israel
2
4
1
Spain
1
1
1
3
1
Mexico
1
1
1
2
Turkey
1
1
1
2
Belgium
3
1
Japan
1
1
2
Netherlands
1
1
1
1
China
1
1
1
Singapore
1
2
Sweden
1
2
Thailand
1
1
1
Other countries
13
2
2
1
3
3
3
1
1
7
11
12
- USA activity was heavily concentrated in Others.
- Some actors demonstrated narrow targeting patterns.
05Threat Actor × Industry Matrix
This view highlights sector specialization across leading ransomware groups.
LockBit 3.0
Play
Cactus
Others
Medusa
BianLian
Ransomed.vc
ThreeAM
8Base
AlphaVM (BlackCat)
Knight
Noescape
Ragnar Locker
INC Ransom
Akira
Utilities
1
Mining
1
1
Agriculture and Fishing
2
2
Arts and Entertainment
3
1
Management of Companies
1
2
1
1
Accommodation
1
1
1
1
2
Wholesale
1
1
1
3
1
2
1
1
Real Estate
3
2
1
1
1
2
1
1
Public Administration
3
1
4
2
1
1
1
Information
3
1
6
1
2
1
Remediation Services
3
2
1
1
2
1
1
2
1
Education
5
1
7
2
Transportation
1
2
1
6
1
3
1
1
1
Finance and Insurance
1
3
4
1
1
1
3
1
2
Other Services
3
1
2
2
9
2
2
1
2
2
1
Healthcare
2
8
3
2
1
1
8
2
1
1
1
Construction
7
5
3
6
1
2
2
3
1
1
1
1
Retail Trade
3
1
2
4
1
1
11
3
2
1
3
1
1
Manufacturing
14
6
11
15
1
3
4
4
9
1
3
4
3
3
Professional Services
26
5
4
16
2
1
2
1
5
5
2
5
3
2
2
- Professional Services activity was heavily concentrated in LockBit 3.0.
- Some actors demonstrated narrow targeting patterns.
06Six Month Trend Context
07Key Takeaways
- 418 ransomware disclosures were observed in September 2023.
- Other led activity with 85 victims.
- USA accounted for 22.7% of disclosures.
- Professional Services remained the most targeted industry.
08Data Methodology and Sources
- Victim counts are based on publicly disclosed ransomware leak site postings tracked during the reporting period.
- Each victim is attributed to a single threat actor based on disclosure source.
- Industry classification is assigned using standardized sector mapping.
- Country attribution is based on headquarters location where identifiable.