State of Ransomware 2024: A Year of Surges and Shuffling
Ransomware Victims Nearly Doubled to 4,893. In the US, 88% of Targets Were Critical Infrastructure.
Ransomware attacks nearly doubled year over year in 2024. The Black Kite Research Group™ tracked 4,893 confirmed victims between April 2023 and March 2024, up from 2,708 the year before. That's not incremental growth. It's an acceleration, and the data behind it tells a more unsettling story than the headline number alone.
The groups driving that surge don't operate like opportunists. They operate like businesses. They have recruitment strategies and preferred victim profiles. They offer affiliates revenue-sharing models competitive enough to trigger bidding wars. When law enforcement took down AlphV in December 2023 and disrupted LockBit in February 2024, the result wasn't a slowdown. It was a scramble for talent and market share that pushed attack volume higher. The history of how ransomware groups evolved into this model makes the current acceleration easier to understand.
The 2024 report documents what happened next: how affiliates migrated between groups, which new operators climbed the rankings, and why 104 companies were targeted by two separate ransomware groups in rapid succession. It also maps the financial logic behind targeting, with 31% of confirmed victims generating less than $20 million in annual revenue, which upends the conventional assumption that ransomware groups chase only the biggest paydays.
Understanding that logic is how you get ahead of it. The Ransomware Susceptibility Index® (RSI™) turns those targeting patterns into a predictive score. Companies with an RSI™ above 0.8 are 27 times more likely to experience a ransomware attack than companies below 0.2. This report is your blueprint for understanding where your organization and your vendor ecosystem sit on that scale before an attacker decides for you.
Key Findings From the State of Ransomware 2024
4,893 Victims in 12 Months — Attacks Doubled for the Second Consecutive Year
Victim counts have roughly doubled each year since 2022, reaching 4,893 in the April 2023 to March 2024 study window. Monthly victim announcements consistently exceeded 300 across Q3 and Q4 2023, with peaks above 470. The trajectory reflects not just more groups, but more disciplined targeting. Up to 40 active ransomware gangs announced victims in a single month during this period. The Black Kite Research Group™ broke down what's driving this alarming rise in ransomware activity in a companion analysis published alongside this report.
27x: Companies With RSI™ Above 0.8 Face a 27-Times Greater Attack Probability
Among the 120,000+ companies analyzed for the RSI™ validation study, 46% of those scoring between 0.8 and 1.0 experienced a ransomware attack. The ratio drops to 10% for scores between 0.6 and 0.8, and 6% for 0.4 to 0.6. The Ransomware Susceptibility Index® doesn't just correlate with past attacks. It identifies the technical signals (leaked credentials, open remote access points, email misconfigurations, exploitable vulnerabilities) that attackers use to select targets before an attack begins.
104 Companies Hit by Two Groups in Rapid Succession — 3 Hit by Three Groups
Repeat victimization is accelerating. The time gap between first and second attacks has been shrinking quarter over quarter. Groups monitor each other's announcements and target organizations while they're still in recovery mode. This pattern reflects deliberate coordination (or deliberate opportunism) among affiliates who move freely across operators. It also explains why a single successful breach can trigger cascading vendor risk monitoring failures across an entire supply chain.
47% of All Victims Located in the US — 88% of US Targets Were Critical Infrastructure
The United States absorbs nearly half of all global ransomware victim announcements. Of those US-based targets, 88% fall within CISA-defined critical infrastructure sectors. Healthcare and public health account for 13.3% of US victims. Critical manufacturing accounts for 11.6%. Financial services, education, and transportation round out the top five. This isn't random. It reflects deliberate sector selection driven by the leverage that operational disruption creates.
Manufacturing Leads With 1,016 Victims — Professional Services Second With 885
Manufacturing has led the ransomware victim charts for multiple consecutive years. Industrial machinery manufacturing tops the sub-sector breakdown with 76 victims, followed by motor vehicle parts at 58 and pharmaceutical and medicine manufacturing at 50. Professional, scientific, and technical services rank second overall, with legal services alone accounting for 23% of incidents in that sector. Finance and insurance climbed three spots to fourth place, reflecting ransomware groups' sharpened targeting of data-dense, highly regulated industries. For a deeper look at why manufacturing remains so exposed, the Black Kite Research Group™ examined why securing the manufacturing supply chain has become critical.
STATS
- 4,893 ransomware victims tracked (April 2023 to March 2024)
- 81% increase year over year from 2,708 victims
- 47% of all victims located in the United States
- 31% of victims had annual revenues under $20 million
- 104 companies targeted by two separate ransomware groups
- 27x: RSI™ above 0.8 predicts 27x higher attack probability
- 88% of US victims were in CISA-defined critical infrastructure
How the Ransomware Group Landscape Shifted in 2024
AlphV's FBI Takedown in December 2023 Triggered an Affiliate Migration That Reshaped the Rankings
AlphV, previously ranked second in victim count, was shut down by the FBI in December 2023. Rather than a clean end, the takedown triggered an exit scam: the group vanished with ransom payments owed to its affiliates. Those affiliates scattered into the broader ecosystem, accelerating the rise of Play, Akira, and RansomHub. RansomHub distinguished itself by offering affiliates a 90% revenue cut, paid before the operator receives anything, a structural inversion of the traditional RaaS model. The Black Kite Research Group™ published a detailed breakdown of whether AlphV staged its own death for a rich exit as events unfolded.
LockBit's February 2024 Disruption Exposed How Affiliate Anonymity Holds Groups Together
LockBit fell from its dominant position after law enforcement infiltrated its infrastructure in February 2024 and published affiliate nicknames publicly. That loss of anonymity was more damaging than the technical takedown. Affiliates defected immediately. LockBit attempted a rebranding with a new dark web presence and a list of alleged victims, but many of those claims were recycled from prior attacks or unverifiable. The reputational damage was irreversible. The full story of the global sting that toppled LockBit is documented separately by the Black Kite Research Group™.
Play, 8Base, and Akira Rose Into the Top 10 as Established Groups Declined
Groups that were outside the top ten in mid-2023 climbed rapidly following the AlphV and LockBit disruptions. Play reached rank three and led March 2024's victim count. 8Base surged from outside the top ten to rank five. Akira debuted in March 2023 and reached rank six within the study period by recruiting aggressively. This reshuffling happened faster than traditional threat actor monitoring approaches could capture, reinforcing the case for real-time ransomware intelligence over periodic threat reports.
Cl0p's GoAnywhere and MOVEit Campaigns Set the Attack Volume Ceiling in Mid-2023
Cl0p drove the May 2023 victim surge through mass exploitation of MOVEit MFT servers, the same technique it applied to GoAnywhere earlier in the year. These weren't targeted attacks against specific organizations. They were automated sweeps of exposed file transfer infrastructure across thousands of companies simultaneously. The cascading exposure hit supply chains hard: organizations that didn't use MOVEit directly were still exposed through vendors who did, surfacing a systemic nth-party visibility gap that most TPRM programs couldn't close in time.
What Ransomware Groups Know About Their Targets That You Might Not
75% of Victims Had Email Misconfigurations — 3,064 Had Leaked Credentials in the 90 Days Before Attack
The data on pre-attack indicators is specific and actionable. More than 75% of victims analyzed had missing SPF or DMARC records before the attack. 3,064 had at least one credential exposed in the 90 days prior. 907 had credentials visible in stealer logs. 2,299 had open RDP or SMB ports. Nearly half had a critical software vulnerability discoverable through open-source intelligence. None of these indicators required privileged access to find. Attackers found them the same way a cyber risk intelligence platform would. The scale of stolen credentials circulating across the dark web makes credential-based targeting faster and cheaper than most organizations assume.
Ransomware Groups Treat Revenue Brackets as a Targeting Filter, Not Just a Bonus
The financial analysis across 3,870 revenue-identified victims reveals that small and mid-market organizations absorb disproportionate attack volume. The $15M to $20M annual revenue band is the single most targeted bracket in the study. Companies over $1 billion account for only 8.5% of victims. This reflects a deliberate calculation: mid-market firms have enough liquidity to pay ransoms but rarely generate the law enforcement attention that enterprise victims do. The financial impact of an attack scales with the victim's size, but the probability of being targeted does not. The Black Kite Research Group™ explored why ransomware groups are increasingly zeroing in on SMBs in a separate analysis.
The Change Healthcare Incident Illustrated How a Single Vendor Breach Cascades Across an Ecosystem
The AlphV affiliate attack on Change Healthcare in early 2024 disrupted claims processing, billing, and clinical data exchange for thousands of healthcare providers simultaneously. The incident wasn't just a breach of one company. It was a demonstration of what technical concentration risk looks like when a single vendor holds a critical position across an interconnected supply chain. Black Kite® deployed Change Healthcare Client FocusTags® immediately to alert clients with vendor relationships to the affected entity, identifying exposure before most organizations had assessed their own risk.
Four Shifts That Move Ransomware Defense From Reactive to Predictive
Replace Periodic Vendor Reviews With Continuous RSI™ Scoring Across Your Full Portfolio
One-time assessments and annual questionnaires tell you what a vendor's posture was at a point in time. They don't tell you about the credentials leaked last week or the port that opened after a network reconfiguration last month. The RSI™ tracks those signals continuously, scored from 0.0 to 1.0 across both technical indicators and contextual factors including industry, company size, and geography. Use it to maintain a live risk rank across your vendor risk monitoring program, not just at onboarding.
Map Your Critical Vendors Against the Industry and Revenue Targeting Patterns in This Report
The data shows that manufacturing vendors, professional services firms, and healthcare suppliers carry concentrated ransomware exposure regardless of their own security investments. Cross-referencing your vendor list against the sector and revenue brackets in this report gives you a triage framework for prioritizing where to focus remediation conversations. Start with vendors in the top three targeted sectors who also have RSI™ scores above 0.6. For healthcare specifically, the Black Kite Research Group™ has detailed analysis on why healthcare is now in the bullseye for ransomware groups.
Enforce Email Authentication Standards Across Your Vendor Ecosystem Before the Next Mass Campaign
More than 75% of attack victims had missing SPF or DMARC configurations at the time of the attack. That's not an obscure hardening requirement. It's a baseline that your vendors either meet or don't. A vendor evaluation process that includes automated email security checks closes one of the most common pre-attack indicators before attackers find it for you.
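One way such an automated check could look, as an added example that is not Black Kite's code or part of the report: it grades TXT records already retrieved for each vendor domain and flags the "missing SPF or DMARC" indicator. It goes one step beyond the report's "missing" criterion by also labelling permissive SPF and monitor-only DMARC; the function names, status labels and sample records are assumptions constructed for illustration.

```python
# Added example: grade SPF/DMARC posture from TXT records already fetched from DNS.
# Status labels, function names and all sample records are constructed.

def check_spf(apex_txt):
    """Grade the TXT records published at the domain apex."""
    spf = [r for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid-multiple"  # RFC 7208: several SPF records is a permerror
    terms = spf[0].lower().split()[1:]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls:
        # No "all" term: the policy is delegated via redirect=, or the result is neutral.
        return "delegated" if any(t.startswith("redirect=") for t in terms) else "weak"
    qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"  # bare "all" means "+all"
    return "weak" if qualifier in "+?" else "ok"

def check_dmarc(dmarc_txt):
    """Grade the TXT records published at _dmarc.<domain>."""
    recs = [r.replace(" ", "").lower() for r in dmarc_txt]
    recs = [r for r in recs if r.startswith("v=dmarc1")]
    if not recs:
        return "missing"
    if len(recs) > 1:
        return "invalid-multiple"
    tags = dict(p.split("=", 1) for p in recs[0].split(";") if "=" in p)
    policy = tags.get("p")
    if policy in ("quarantine", "reject"):
        return "enforcing"
    return "monitor-only" if policy == "none" else "invalid-policy"

def audit(vendors):
    """Map each domain to (spf_status, dmarc_status, flagged)."""
    report = {}
    for domain, txt in vendors.items():
        spf, dmarc = check_spf(txt.get("apex", [])), check_dmarc(txt.get("_dmarc", []))
        # flagged mirrors the indicator described above: SPF or DMARC is missing
        report[domain] = (spf, dmarc, "missing" in (spf, dmarc))
    return report

SAMPLE = {  # constructed records, reserved .example domains
    "vendor-a.example": {"apex": ["v=spf1 include:_spf.mail.example -all"],
                         "_dmarc": ["v=DMARC1; p=reject; rua=mailto:d@vendor-a.example"]},
    "vendor-b.example": {"apex": ["site-verification=constructed"], "_dmarc": []},
    "vendor-c.example": {"apex": ["v=spf1 +all"], "_dmarc": ["v=DMARC1; p=none"]},
}

if __name__ == "__main__":
    for domain, row in audit(SAMPLE).items():
        print(domain, row)
```

In a live check the two record lists per domain would come from TXT lookups at the apex and at `_dmarc.<domain>`; a `delegated` SPF result means the redirect target still has to be graded.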
Build a Response Plan That Accounts for Rapid Succession Attacks, Not Just Single Incidents
The 104 companies hit by two groups in rapid succession weren't unlucky twice. They were targeted a second time because their recovery created a window. Response plans that focus exclusively on restoring operations miss the second-attack risk. Build in a 90-day monitoring escalation period post-incident, using continuous monitoring to watch for new exposure signals while systems are being rebuilt.
How Black Kite Built the State of Ransomware 2024
130+ Ransomware Groups Tracked in Real Time — 67 With at Least One Confirmed Victim
The Black Kite Research Group™ monitored more than 130 active and emerging ransomware groups continuously throughout the April 2023 to March 2024 study window. Of those, 67 published at least one confirmed victim. Real-time tracking means the team captured groups as they emerged, not after they had already scaled.
4,893 Victims Analyzed With Country and Industry Classification Applied to Each
For every victim, the Black Kite Research Group™ conducted individual country and industry classification using NAICS codes, cross-referenced against CISA's Essential Critical Infrastructure Workforce Guidance for the US-focused analysis. Revenue data was sourced through open-source intelligence across 3,870 of the identified victims, enabling the financial footprint analysis that distinguishes this report from aggregate victim counts alone.
Dark Web Blogs, Hacker Forums, and Telegram Channels Monitored Alongside Public Announcements
The Black Kite Research Group™'s source coverage extends beyond ransomware group leak sites into dark web forums, hacker communities, and Telegram channels where affiliate recruitment, group announcements, and tactical coordination happen before public-facing victim claims appear. This signals-intelligence layer is what allowed the affiliate crossover analysis to map which operators were sharing talent in real time.
RSI™ Validated Against 120,000+ Non-Victim Companies to Confirm Predictive Accuracy
The RSI™ analysis in this report is not correlation after the fact. It compares RSI™ scores calculated before attacks against a control group of 120,000+ organizations that were not victimized during the same period. That comparison is what produces the 27x multiplier for high-RSI organizations. It's also what validates the index as a forward-looking signal rather than a retrospective label.
New Editions
- 2025 Ransomware Report — 6,046 victims tracked, 24% YoY surge, 96 active groups
Related Resources
- Healthcare Under Ransomware Attack: 2025 Report — Healthcare rises to the #3 most targeted sector
- 2025 Manufacturing Cyber Risk Report — Manufacturing holds the #1 ransomware target position for the fourth consecutive year
- Monthly Ransomware Reports — Real-time tracking of group activity and victim trends
- Ransomware Knowledge Center — Definitions, frameworks, and threat intelligence