Black Kite
Manufacturing remains ransomware's number one target. It has held the number one position for the fourth year in a row.
Among companies with less than $20 million, manufacturing is the second most targeted industry at 17%.
75% of manufacturing companies have critical vulnerabilities with a CVSS score of 8 or higher.
There has been a 9% increase in ransomware attacks on manufacturing companies compared to the previous year.
For companies earning between $100 million and $300 million, manufacturing accounts for 30% of ransomware victims.
Among companies earning over $1 billion, manufacturing makes up a staggering 38.9% of ransomware victims.
65% of manufacturing companies have at least one vulnerability listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog.
90 third-party vendors are flagged with high-risk threat categories. Among these, 35 vendors are marked with Known Exploited Vulnerabilities (KEV) tags.
65% of third-party vendors are not maintaining current patch levels, which exposes financial institutions to inherited risk from known vulnerabilities (CVEs) and potentially unpatched zero-day vulnerabilities in legacy technologies.
There were 191 disclosed ransomware victims in the financial sector in 2023.
Cl0p claimed responsibility for targeting companies using unpatched versions of Cleo's MFT products in December 2024.
Nearly one-third (26.6%) of finance threat actors are attributed to "Other", which includes emerging or short-lived groups, highlighting a more fragmented and unpredictable ransomware landscape.
As of mid-2025, only 55 ransomware victims have been disclosed in the financial sector.
There were 156 disclosed ransomware victims in the financial sector in 2024.
Black Kite researchers found that 31 out of 140 third-party vendors have at least one critical vulnerability with a CVSS score at or above 8. 15 vendors show an extremely high risk with CVSS scores above 9.
Ransom payment values declined by 35%.
Publicly disclosed ransomware victims climbed to 6,046. This represents a 24% increase year over year for publicly disclosed victims. The victim count has also more than doubled since 2023.
Small and mid-sized businesses (SMBs) in the $4M-$8M range were the most frequently targeted.
Ransomware was responsible for 67% of known third-party breaches.
There has been a 123% increase in ransomware attacks over two years.
The number of publicly disclosed victims saw a 25% increase from the previous year (between April 2024 and March 2025). This follows an 81% surge in the period before that.
52 entirely new ransomware groups emerged in the last year.
There are now 96 active ransomware groups.
Over 4,400 of the disclosed CVEs in 2024 were classified as critical (CVSS 9.0+).
Over 20,000 of the disclosed CVEs in 2024 had a CVSS score of 7.0 or higher.
There was a 38% year-over-year increase in published CVEs.
Over 40,000 CVEs were disclosed in 2024.
A significant portion of vulnerabilities were weaponized within days of disclosure.
Many of 2024's most exploited vulnerabilities were found in widely used third-party software rather than internally developed applications.
There was a total of 374 tracked healthcare ransomware attacks in 2024.
There were 66 ransomware healthcare victims in Q1 2024, 87 healthcare victims in Q2 2024, 99 healthcare victims in Q3 2024, and 121 healthcare victims in Q4 2024.
Healthcare is the third-most-targeted industry by ransomware groups, behind manufacturing and professional services.
The most active ransomware groups targeting healthcare in 2024 were: Everest: 25% of attacks focused on healthcare organisations, INC Ransom: 21.7% of attacks focused on healthcare organisations, Monti: 20.8% of attacks focused on healthcare organisations, Rhysida: 18.5% of attacks focused on healthcare organisations, BianLian: 15% of attacks focused on healthcare organisations, Qilin: 14% of attacks focused on healthcare organisations, and Black Suit: 14% of attacks focused on healthcare organisations.
There was a 32.16% increase in healthcare ransomware attacks from 2023 to 2024.
There were 211 US healthcare ransomware victims in 2023 and 268 in 2024, a 27% increase.
High-volume groups INC Ransom (21.7%) and BianLian (15%) show a strong healthcare focus.
61.6% of healthcare ransomware victims reported attacks to the HHS in 2024.
Ransomware groups Everest and Monti have 25% and 20.8%, respectively, of their victims in healthcare.
Only 37.4% of healthcare ransomware victims reported attacks to the HHS in 2023.
Physicians' offices comprise 25% of ransomware victims.
General medical and surgical hospitals are the second-most-targeted industry group by ransomware, making up 22% of healthcare victims, followed by other health professionals' offices, such as dentists and outpatient centres.
Overall attacks on healthcare organisations surged by 32% year-over-year.
The healthcare sector is the third-most targeted sector for ransomware attacks, following manufacturing and professional services.
There was a significant rise in healthcare ransomware attacks in 2024. From Q1 2023 to Q3 2023, healthcare was the 6th or 7th most targeted sector, but it jumped to third position in Q4 2023 and has remained there.
Types of healthcare providers targeted in 2024 were: physicians' offices accounted for 25% of attacks, general medical and surgical hospitals accounted for 22% of attacks, other health professionals' offices (outpatient centres, family services, etc.) accounted for 9% of attacks, and dentists' offices accounted for 6% of attacks.