Black Kite is a finalist in the 2026 SC Awards for continued innovation and leadership in third-party cyber risk intelligence.Learn more

Ransomware Report September 2024

An In-Depth Analysis of the Latest Ransomware Trends and Threat Landscape

Dive into the constantly shifting world of ransomware, as we uncover the latest tactics, dissect the most prolific actors, and offer insights to keep your organization one step ahead.

Welcome to the September 2024 ransomware update, highlighting the latest trends, threat actors, and significant developments shaping the ransomware landscape. The Black Kite Research & Intelligence Team (BRITE) tracked 368 ransomware incidents this month, maintaining a high level of activity across multiple threat groups.

RansomHub once again led the charts with 74 victims, while Play surged to 43 attacks, a notable jump from its usual numbers. Other active groups included Medusa, Qilin, Meow, and LockBit 3.0, all contributing to the ongoing ransomware threat.

The United States remained the most targeted country with 190 incidents, followed by Canada, the United Kingdom, and Brazil.

Meanwhile, Operation Cronos V2 was announced, signaling continued law enforcement pressure on LockBit’s infrastructure. Authorities reported that LockBit’s systems were being monitored and disrupted, and two suspects were arrested in the UK. While the group is still operational, these disruptions raise further questions about its long-term stability.

At least one IP address that was part of a botnet, malware propagation, or spam propagation
4
At least one record found in stealer logs
72
Open RDP or SMB ports publicly visible
153
At least one possible phishing domain
161
At least one credential leaked in the last 90 days
178
Use of out-of-date services/products with possible vulnerabilities of high exploitability
189
MX and DNS misconfiguration that may allow spoofing and phishing attacks
263

01Threat Actor Distribution

  • RansomHub accounted for 74 victims, representing 23.1% of total activity.
  • Play followed with 43 disclosures.
  • Medusa and Qilin remained consistently active.

02Geographic Distribution

  • USA represented 53.8% of all tracked victims.
  • Others was among the next most impacted countries.
  • Canada and UK also saw notable activity.

03Industry Distribution

  • Public Administration remained the most targeted sector.
  • Other followed as a heavily impacted sector.
  • Accommodation Services and Entertainment continued to be operationally critical targets.

04Threat Actor × Country Matrix

The matrix below shows how leading ransomware groups distributed their activity geographically.

Others
El Dorado
BianLian
INC Ransom
Akira
Hunters
Kill Security
Cactus
LockBit 3.0
Meow
Qilin
Medusa
Play
RansomHub
USA
37
7
10
8
6
7
9
7
8
16
10
34
31
Canada
2
1
1
1
1
1
2
1
1
1
3
3
UK
4
1
3
3
1
1
3
Brazil
5
1
1
1
2
1
2
Belgium
1
6
1
1
Spain
5
1
3
Italy
2
1
1
1
3
Germany
1
1
1
1
1
India
1
3
1
1
Japan
1
1
4
Australia
2
1
2
France
1
1
2
Mexico
1
1
1
1
Norway
4
Turkey
1
1
2
Others
18
1
1
3
2
4
1
5
4
3
2
5
17
  • USA activity was heavily concentrated in Others.
  • Some actors demonstrated narrow targeting patterns.

05Threat Actor × Industry Matrix

This view highlights sector specialization across leading ransomware groups.

Others
El Dorado
BianLian
INC Ransom
Akira
Hunters
Kill Security
Cactus
LockBit 3.0
Meow
Qilin
Medusa
Play
RansomHub
Professional, Scientific, and Technical Services
15
3
6
2
2
1
2
4
4
4
7
8
Manufacturing
21
1
1
1
3
5
5
3
1
3
13
16
Health Care and Social Assistance
11
1
1
1
4
1
1
7
Wholesale Trade
8
1
3
1
3
2
1
3
6
6
Construction
6
1
1
4
2
5
1
4
7
Retail Trade
2
1
1
1
2
1
2
Administrative and Support and Waste Management and Remediation Services
1
2
1
1
1
1
2
2
4
2
Educational Services
5
1
1
1
1
1
4
Information
3
1
1
2
4
2
5
Transportation and Warehousing
3
1
1
1
3
1
Finance and Insurance
2
1
1
3
7
1
1
1
1
1
3
Other Services
3
1
2
2
2
2
5
Public Administration
1
1
3
1
1
2
2
7
Accommodation and Food Services
1
1
1
1
1
2
1
2
2
Management of Companies and Enterprises
1
1
Mining
1
1
1
1
Real Estate Rental and Leasing
1
2
1
1
Arts, Entertainment, and Recreation
1
1
1
1
1
Utilities
1
1
1
1
Agriculture, Forestry, Fishing and Hunting
1
1
1
  • Manufacturing activity was heavily concentrated in Others.
  • Some actors demonstrated narrow targeting patterns.

06Six Month Trend Context

07Key Takeaways

  • 321 ransomware disclosures were observed in September 2024.
  • RansomHub led activity with 74 victims.
  • USA accounted for 53.8% of disclosures.
  • Public Administration remained the most targeted industry.

08Data Methodology and Sources

  • Victim counts are based on publicly disclosed ransomware leak site postings tracked during the reporting period.
  • Each victim is attributed to a single threat actor based on disclosure source.
  • Industry classification is assigned using standardized sector mapping.
  • Country attribution is based on headquarters location where identifiable.

Accelerate Risk Decisions, Cut the Noise.

Join leading teams using Black Kite to slash assessment timelines, eliminate manual reviews, and onboard vendors with confidence.