The CYFIRMA Industries Report provides cutting-edge cybersecurity insights and telemetry-driven statistics on global industries. Spanning the last 365 days and highlighting year-over-year changes between 2023 and 2024, this report covers 13 key industries and presents critical trends and data in a compelling infographic format. This is Part 1 of the report covering only combined industries. If you would like to view the complete report with each industry’s detailed breakdown, it is available exclusively on our website.
Welcome to the CYFIRMA Infographic Industry Report, where we examine the external threat landscape across 13 industries over the past year. Through clear, data-driven visuals and expert insights, we present concise analyses of attack campaigns, phishing telemetry, and ransomware incidents affecting organizations worldwide.
Leveraging our cutting-edge platform telemetry and the deep expertise of our analysts, this report highlights both cross-industry trends and year-over-year changes, along with detailed, industry-specific breakdowns coming in Parts 2 and 3 soon.
Our goal is to equip you with actionable intelligence that helps you stay ahead in the ever-evolving cybersecurity landscape.
CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by hands-on CTI research.
For the purpose of these reports, we leverage the following data from our platform. These are data processed by AI and ML automation based on both human research input and automated ingestions.
Leveraging our Early Warning platform data set, we present known attack campaigns conducted by known advanced persistent threat actors. Both nation-state and financially motivated.
Each attack campaign may target multiple organizations across various countries.
Campaign durations can vary from weeks to months or even years. They are sorted by the “last seen” date of activity to include the most relevant ones. Note that this may result in campaigns stacking up on later dates, affecting time-based trends.
Attribution to specific threat actors can be murky due to increasingly overlapping TTPs and commodity tools used. While suspected threat actors in this report are attributed with high confidence, we acknowledge the potential for inaccuracy.
Our data focuses on phishing campaigns rather than individual phishing or spear-phishing emails, which may limit visibility into more advanced single-target attacks.
Our primary focus is on detecting brand impersonation over intended targets. Due to our collection methodology and automation, we may not present comprehensive victimology for phishing campaigns across all industries as some are simply not good phishing lures.
Our data on victims in this report is directly collected from respective ransomware blogs, though some blogs may lack detailed victim information beyond names or domains, impacting victimology accuracy during bulk data processing.
In some cases, there are multiple companies that share the same name but are located in different countries, which may lead to discrepancies in geography and industry. Similar discrepancies occur with multinational organizations where we are not able to identify which branch in which country was actually compromised. In such a case, we count the country of the company’s HQ.
During the training of our processing algorithms, we manually verified results for industry and geography statistics at an accuracy rate of 85% with a deviation of ±5%. We continuously fine-tune and update the process.
Data related to counts of victims per ransomware group and respective dates are 100% accurate at the time of ingestion, as per their publishing on the respective group’s blog sites.
Finally, we acknowledge that many victims are never listed as they are able to make a deal with the attackers to avoid being published on their blogs.While this report contains statistics and graphs generated primarily by automation, it undergoes thorough review and enhancement for additional context by CYFIRMA CTI analysts to ensure the highest quality and provide valuable insights.
Year-to-Year Elevation: Moderate
In 2023, our DeCYFIR platform recorded a total of 27 campaigns. During 2024, it recorded 31, representing a 14.8% increase year-over-year.
The threat landscape shifted in 2024, with IT, Finance, and Manufacturing becoming the most targeted industries likely due to increasing global tensions and armed conflicts.
In total, 9 out of the 13 industries recorded fewer APT campaigns.
20 countries saw an increase in recorded APT campaigns, while 13 countries saw a decrease.
Year-to-Year Elevation: High
In 2023, CYFIRMA recorded 4,679 verified ransomware victims, while in 2024, the number increased to 5,219, representing an 11.5% year-over-year growth across all industries.
The Finance industry experienced the most notable decline, while Government & Civic saw a dramatic increase, indicating a sharp rise in targeting, correlated with heating geopolitical tension across the globe. Healthcare and Real Estate & Construction also witnessed increases. On the other hand, Logistics, and Telecommunications & Media saw significant decreases.
In total, half, 7 out of the 14, industries recorded more ransomware victims.
125 countries recorded ransomware victims in 2024. Below are the top 35 and their respective elevations.
In 2023, the DeCYFIR platform recorded a total of 27 campaigns. Meanwhile, in 2024, it recorded 31, representing a 14.8% increase year-over-year.
The monthly chart shows a distribution of observed campaigns. We can see periods of relative calm as well as periods with significant spikes in activity.
The spikes are mostly linked to the discovery of new TTPs for specific threat actors or new exploitable vulnerabilities.
For example, the spike in September 2024 is linked to the activity below:
Lazarus Group (North Korea) intensified its VMConnect campaign against software developers, posing as Capital One employees, conducting fake interviews, and delivering malicious GitHub links via LinkedIn.
FIN7 (Russia), often collaborating with APT29 (Cozy Bear), hijacked .NET applications (Hijack Execution Flow: AppDomainManager) to inject malicious payloads. Cozy Bear also targeted Microsoft 365 accounts in NATO countries, disabling security features like Purview Audit.
Fancy Bear (APT28, Russia) continued with disinformation and large-scale phishing attacks against government, NGO, education, and transportation targets in Ukraine, Western Europe, and North America.
TA505 (Russia) continued large-scale phishing operations, focusing on financial data theft.
Stone Panda (APT10, China) conducted supply chain attacks by infiltrating software providers and embedding malware into legitimate updates.
Transparent Tribe (Pakistan) carried out espionage in South Asia, using custom malware to steal sensitive documents and monitor communications.
Alongside the moderate increase in observed campaigns, we also noticed a disproportionately large increase in observed threat actors. In 2023, the detected APT campaigns were linked to 15 threat actors. However, in 2024, this number surged to 25 groups (+40%).
Furthermore, we can also observe changes in the activity of threat actors. While Lazarus Groups maintained four campaigns annually, the 2023 leader, MISSION2025 (APT 41 Nexus of activity), has experienced a significant decline from eight to three campaigns. We attribute this to the fragmentation of Chinese nation-state activity and a substantial shift in the Chinese government’s focus.
Notably, there are also many threat actors from various countries. The traditional players like Russia and China are now joined by substantial activity from Vietnam, India, Thailand, Pakistan, and more.
The chart above shows industries sorted by the number of recorded attacks in 2023, from the most frequently targeted to the least. Each bar for the respective industry indicates how many campaigns included victims from that sector in a specific year. The trendline shows percentage changes compared to the previous year.
In 2023, the most targeted industries were Consumer Goods & Services, Finance, and Telecommunications & Media. By 2024, the threat landscape shifted significantly. Information Technology, Finance, and Manufacturing became the top three most targeted industries.
In 2024, the largest increases in attacks appeared in Information Technology (+108%), Government & Civic (+44.4%), and Finance (+28.6%). The Education sector increased from zero to one victim, which is effectively an infinite percentage rise.
At the same time, several industries saw significant decreases in attacks. Materials (-66.7%), Automotive (-60%), as well as Logistics and Real Estate & Construction (both -57.1%) were the most reduced.
In total, 9 out of the 13 industry categories experienced fewer observed APT attacks, even though the overall number of attacks rose by almost 15%. This suggests that the threat landscape is shifting. Major threat groups, mostly supported by nation-states, have realigned their focus, most likely in response to increasing global tensions and growing armed conflicts.
Data on geographical distribution reveals evolving global patterns, with the number of affected countries slightly decreasing from 32 to 31 in 2024. Despite this minimal change, the distribution and intensity of incidents shifted significantly, marked by notable turnover. Seven countries not targeted in 2023 experienced attacks in 2024, while eight previously affected countries saw no new campaigns in our telemetry.
Regions like East and Southeast Asia—including Taiwan, Thailand, Indonesia, Malaysia, Singapore, and Vietnam—experienced heightened activity, reflecting a growing regional focus potentially linked to expanding digital infrastructure and geopolitical factors. At the same time, traditionally high-profile targets such as Canada and New Zealand saw sharp declines in incidents, likely due to changes in adversary priorities or improved defensive measures.
The United Kingdom, Ukraine, Saudi Arabia, and Israel recorded significant increases in attack campaigns, in line with the evolving geopolitical landscape in the respective regions.
In both 2023 and 2024, the top observed malware strongly correlates with the activities of suspected threat actors. For example, Winnti and PlugX were predominantly linked to MISSION2025, while NukeSped RAT and Tofsee were associated with the Lazarus Group. Meanwhile, Emotet and various ransomware strains continued to be leveraged by Russian cybercrime syndicates. Notably, Cobalt Strike remained a ubiquitous tool across actor types, valued for its effectiveness and the plausible deniability it affords.
Focusing on 2024, there was a clear growth in the use of both custom TTPs and commodity malware. This trend aligns with the diversification of the threat landscape, characterized by increasing sophistication and widespread adoption of commodity tools. The shift reflects the dual emphasis on innovation and accessibility within adversary operations.
A comparison of 2023 and 2024 highlights a notable reduction in the variety of unique malware families, accompanied by a sharp increase in the volume of both custom TTPs and custom malware. The respective share of these categories grew significantly, rising from 7% in 2023 to 35% in 2024. This underscores a strategic pivot by threat actors toward more tailored and impactful attack methodologies.
In 2024, the increased reliance on commodity tools and malware was accompanied by a noticeable trend toward more unified attack techniques targeting specific technologies.
Web applications remain the most frequently targeted technology, primarily due to their inherently internet-facing nature, which exposes them to a wider array of threats.
Additionally, remote access tools continued to serve as a common attack vector. However, attackers typically use stolen credentials to gain direct access, rather than exploiting vulnerabilities within the tools themselves.
Year-to-Year Elevation: Moderate
The year-to-year elevation in APT campaign activity from 2023 to 2024 was moderate but marked by significant shifts in focus and methodology. The total number of campaigns rose from 27 to 31, reflecting a 14.8% increase. This modest growth was accompanied by a 40% surge in the number of observed threat actors, rising from 15 to 25, signaling a broader diversification of adversarial players.
Geopolitical factors strongly influenced the external threat landscape. East and Southeast Asia—particularly Taiwan, Thailand, Indonesia, Malaysia, Singapore, and Vietnam—emerged as hotspots of heightened activity. Meanwhile, traditionally high-profile targets such as Canada and New Zealand experienced sharp declines, likely due to shifts in adversary priorities or strengthened defenses. Politically significant regions, including the United Kingdom, Ukraine, Saudi Arabia, and Israel, faced notable increases, underscoring their strategic importance amid rising global tensions.
Industrially, the threat landscape shifted. In 2024, Information Technology, Finance, and Manufacturing became the most targeted sectors, replacing Consumer Goods & Services and Telecommunications. Information Technology attacks saw a dramatic 108% rise, while Finance increased by 28.6%. Conversely, Materials, Automotive, Logistics, and Real Estate experienced significant declines in attack frequency, with nine out of 13 industry categories recording fewer campaigns overall. This suggests that threat actors are realigning their focus toward higher-value and geopolitically strategic targets.
In terms of methodologies, 2024 saw a surge in the use of custom TTPs and commodity malware, reflecting a dual emphasis on innovation and accessibility. Custom/unique and commodity malware’s share rose from 7% in 2023 to 35%, highlighting a pivot toward more tailored and impactful attack strategies. Cobalt Strike remained a tool of choice across multiple actor types, valued for its efficiency and plausible deniability. Furthermore, attackers increasingly relied on stolen credentials for direct access to remote systems, bypassing traditional vulnerability exploitation.
Despite the moderate rise in overall campaigns, the external threat landscape became more diverse and sophisticated. These developments underscore the importance of adaptive ETLM strategies to address evolving threats, focusing on region-specific vulnerabilities, sector-based targeting trends, and the increasing use of advanced adversarial techniques.
Over the past year, CYFIRMA’s telemetry recorded 1,046,569 phishing campaigns. This is just a sample of all phishing in the world; however, it provides insight into trends such as phishing themes, impersonated brands, and the largest sources of phishing.
Phishing themes in the captured sample reveal significant focus areas for attackers. Generic and spear phishing dominate, accounting for the largest share, highlighting the vast number of small and unique scams and phishing spams.
Online and cloud services, along with social networking, represent key targets due to their central role in digital interactions.
Financial and cryptocurrency themes remain prominent, reflecting attackers’ interest in direct monetary exploitation.
Critical sectors like energy and telecommunications also face notable targeting but do not offer the same direct monetization.
Meanwhile, lower-volume themes such as logistics, gaming, and government indicate region-specific but still impactful focus areas within the threat landscape.
Analyzing phishing themes quarterly reveals evolving trends throughout 2024.
For instance, the year began with a significant surge in energy-themed phishing, driven by a large-scale Gazprom impersonation campaign. However, this theme almost entirely disappeared by the third and fourth quarters, reflecting the conclusion of the campaign and a shift in adversary focus.
Despite being active only during the first two quarters of the year, Gazprom emerged as the third most impersonated brand, reflecting the scale and impact of the early-year phishing campaign leveraging its identity. This aligns with the significant energy-themed phishing observed in Q1 and Q2.
Office 365 secured the top spot with more than double the count of the second most impersonated theme, showcasing its continued popularity among attackers. Its widespread use across industries makes it a prime target for delivering social engineering lures, including highly tailored spear-phishing campaigns aimed at accessing corporate environments.
Cryptocurrency and wallet-related brands, in second place, saw extensive exploitation, likely driven by the early-year surge in cryptocurrency valuations to all-time highs. These campaigns provide attackers with straightforward opportunities for financial gain through phishing targeting users of digital wallets and exchanges.
Regional banks such as Credit Agricole, Societe Generale, Bancolombia, and DBS Bank also feature prominently in the list, highlighting attackers’ interest in localized financial institutions. This trend suggests that phishing campaigns are increasingly tailored to regional markets, aiming to exploit users’ trust in familiar, geographically relevant brands.
Gaming platforms like Steam, Garena, and Tencent are gaining traction as phishing targets, underscoring the growing appeal of digital gaming communities. The high volume of user engagement and financial transactions within these platforms makes them attractive for credential theft and fraud.
Other notable impersonation targets include Facebook, Telegram, and Netflix, which highlight the persistent focus on platforms with massive global user bases. Additionally, brands like Amazon, AT&T, and DHL point to phishing campaigns leveraging trusted names to deceive victims.
The data demonstrates how attackers strategically select brands based on global trends, regional relevance, and user trust to maximize the success of their campaigns, revealing a diverse and evolving phishing landscape.
A quarterly breakdown further highlights shifting trends, as for example seen with Gazprom and cryptocurrency-related themes.
As the Gazprom campaign faded after the second quarter and cryptocurrency values surged, phishing campaigns targeting crypto wallets and exchanges surged, propelling cryptocurrency-related themes to the top spot in the third and fourth quarters.
The global heatmap highlights the widespread reach of cybercrime and the diverse sources of phishing activity worldwide. Notably, Russia is excluded from the data due to widespread blacklisting by filters, effectively deleting its visibility as a source of phishing in our captured samples.
The United States ranks first in both phishing targeting and as a source of phishing activity. Historically, it has hosted the largest number of compromised devices, which are frequently incorporated into extensive botnet networks. These networks serve as proxies for distributing large-scale phishing campaigns, further solidifying the U.S.’s prominent role in the phishing landscape.
In Europe, the Netherlands and Germany hold similar positions, serving as significant hubs for phishing activity. Hong Kong and Singapore are often exploited as proxy locations by Chinese threat actors, reflecting their strategic importance in regional cyber operations.
Throughout the year Elevation: Low
CYFIRMA’s telemetry recorded over 1 million phishing campaigns in the past year, offering valuable insights into attacker trends, including key themes, impersonated brands, and the largest sources of phishing activity.
Generic and spear phishing continued to dominate, emphasizing the vast number of smaller and unique phishing spams. Online and cloud services, along with social networking platforms, remained primary targets due to their central role in digital interactions. Financial and cryptocurrency themes also featured prominently, reflecting attackers’ focus on direct monetary exploitation, while sectors like energy and telecommunications faced moderate targeting, offering less immediate monetization opportunities.
Quarterly trends revealed significant shifts. Early 2024 saw a surge in energy-themed phishing, largely driven by a Gazprom impersonation campaign. However, this theme faded by mid-year, giving way to cryptocurrency-related campaigns as cryptocurrency values surged, propelling these themes to the forefront in Q3 and Q4.
Office 365 ranked as the most impersonated brand, highlighting its widespread use and value for delivering social engineering lures. Cryptocurrency wallets and exchanges claimed the second spot, reflecting their attractiveness as lucrative phishing targets during periods of high market activity. Gazprom emerged as the third most impersonated brand despite its activity being limited to the first half of the year, demonstrating the significant impact of its associated campaign.
Regional banks such as Credit Agricole, Societe Generale, Bancolombia, and DBS Bank were frequently targeted, suggesting an increasing focus on localized campaigns exploiting geographic familiarity and trust. Gaming platforms like Steam, Garena, and Tencent also saw growing targeting, reflecting attackers’ interest in gaming communities with high engagement and financial transactions.
The United States leads as both the largest source and target of phishing, driven by its large population of compromised devices that feed global botnet operations. In Europe, the Netherlands and Germany serve as significant hubs for phishing activity, while in Asia, Hong Kong and Singapore are frequently exploited as proxy locations for Chinese threat actors, emphasizing their strategic regional roles.
In 2023, CYFIRMA recorded 4,679 verified ransomware victims, while in 2024, the number increased to 5,219, representing an 11.5% year-over-year growth across all industries.
In early 2023, the takedown of Hive caused a temporary slowdown in ransomware activity. However, this was followed by a surge driven by Cl0p, leveraging the MOVEit vulnerability.
Similarly, the early 2024 slowdown caused by the LockBit3 takedown was short-lived, as affiliates switched to other Ransomware-as-a-Service (RaaS), and RansomHub quickly emerged to fill the void in the RaaS ecosystem.
These charts illustrate the monthly activity of the top 30 ransomware gangs for each year, organized by overall activity from left to right on the X-axis. LockBit3 consistently had the highest number of victims in both years but showed a decline in activity later in 2024.
The Toufan gang recorded a spike in activity during December 2023 before disappearing entirely for the remainder of the following year.
In 2023, 67 ransomware groups were active, growing to 97 in 2024. This increase was partly driven by rebranding and splintering of existing groups from 2023, as well as a global surge in ransomware activity, particularly in regions like South Asia and Southeast Asia.
The chart above displays the top 10 ransomware groups with the highest victim counts across 2023 and 2024. Notably, Cl0p recorded significant activity exclusively in 2023. ALPHV’s infrastructure was dismantled by law enforcement in early 2024, while RansomHub emerged to fill the void left by the LockBit3 takedown later that year.
The chart above highlights ransomware groups ranked 11th to 40th, sorted by total victim count across 2023 and 2024. Most high-count groups are emerging players from 2024, with exceptions like Noescape and Royal, which were active in 2023.
Additionally, Blackbasta demonstrated resilience, remaining active and maintaining strong operations throughout both years, particularly in 2024.
The chart above features ransomware groups ranked 41st to 70th. This segment includes some of the most active groups from 2023, indirectly reflecting the surge in activity during 2024. The emergence and intensified operations of 2024 groups, as shown in the previous chart, pushed many of their 2023 counterparts further down the rankings.
The charts above and below represent ransomware groups ranked 71st to 100th and 101st to 122nd, respectively. A notable observation is the high number of groups in 2024 that recorded only a small number of victims, reflecting the emerging or less prolific groups.
Over the past two years, Professional Goods & Services remained the most frequently targeted industry, consistently maintaining its top position with nearly 16% of all attacks. Consumer Goods & Services and Manufacturing followed closely, reflecting many smaller businesses attacked. Meanwhile, Real Estate & Construction saw notable growth, climbing from 7.03% in 2023 to 8.72% in 2024, advancing two spots in the rankings.
In contrast, Finance experienced a significant decline, dropping from 8.45% in 2023 to 5.61% in 2024, possibly due to improved defenses or shifts in attacker priorities. Other sectors, such as Education and Government & Civic, gained traction in 2024, accounting for 4.85% and 4.39% of attacks, respectively.
The data highlights evolving trends, with attackers diversifying their targets. While sectors like Healthcare, Manufacturing, and Professional Goods & Services remain consistently attractive, other industries such as Logistics, Telecommunications, and Materials are quickly shifting.
Throughout 2024, Professional Goods & Services led as the most targeted sector, with steady quarterly growth and a peak of 260 incidents in Q4. Similarly, Manufacturing and Consumer Goods & Services remained prominent, showing a rebound in Q4 following a mid-year dip.
Real Estate & Construction recorded significant growth, increasing from 97 incidents in Q1 to 157 in Q4. Likewise, Information Technology more than doubled its Q1 count, reaching 143 incidents in Q4.
Both the Education and Government & Civic sectors saw sharp increases, particularly in Q4, where incidents nearly doubled.
Energy & Utilities, Materials, and Telecommunications & Media experienced relatively stable activity with modest increases in Q3 and Q4. Automotive also showed gradual growth, culminating in 31 incidents in Q4, reflecting steady interest from attackers.
The United States is the most frequent victim of ransomware by a significant margin, accounting for 46.3% and 50.6% of all victims in 2023 and 2024, respectively. Its dominance completely overshadows other countries in any visualization. The chart above displays the top five and all other countries combined for ransomware victims in 2023 and 2024.
The charts above and below display the top 60 countries, sorted by the number of victims in 2023, along with their respective 2023-to-2024 change data. Some countries, such as Canada, Israel, and India, recorded significant increases in ransomware activity during 2024, while others, like Italy and Thailand, experienced declines.
Continuation of 2023-to-2024 change data for every recorded country.
Finally, the last chart with new countries recording victims only in 2024.
The heatmap of geographic distribution highlights the truly global reach of ransomware while visually illustrating the changes between 2023 and 2024.
To gain a deeper understanding of the current affiliate-based structure of ransomware operations, the chart above illustrates the impact of the LockBit3 takedown. It demonstrates how affiliates swiftly transitioned to other Ransomware-as-a-Service (RaaS) platforms, resulting in only a slight decrease in the overall number of attacks. This adaptability underscores the resilience of the RaaS model, as affiliates ensured the continuity of operations even amidst significant disruptions.
The evolution of dominant ransomware threats reflects the adaptability of this model. In 2023, Cl0p capitalized on high-profile vulnerabilities like MOVEit to dominate the ransomware landscape. By early 2024, Lockbit3 emerged as the most active threat, but within weeks, Ransomhub rose to prominence, filling the void and asserting dominance over the ransomware threat landscape.
This trend highlights that while the specific “flavors” of ransomware—individual strains and RaaS platforms—change over time, the affiliates responsible for the attacks remain consistent and continue to expand. Their international and regional presence not only enhances operational resilience but also contributes to the global spread of ransomware, making it a persistent and evolving threat in the cyber landscape.
The rise of both international and local affiliates has played a pivotal role in the global proliferation of ransomware. In regions such as Latin America, South Asia, Southeast Asia, and even parts of Africa, local affiliates have leveraged their regional knowledge and networks to contribute to the expansion of ransomware activity. This localized growth is complemented by the scalability of international affiliates, creating a powerful force that drives ransomware’s increasing reach and impact.
Year-over-Year Elevation: High
CYFIRMA identified 4,679 ransomware victims in 2023 and 5,219 in 2024, representing an 11.5% increase year-over-year. This growth reflects a dynamic and evolving threat landscape, with significant shifts in attacker tactics, targets, and regional focus.
Ransomware activity in 2023 was marked by the takedown of Hive, causing a temporary slowdown, followed by a surge from Cl0p exploiting the MOVEit vulnerability. Similarly, the early 2024 slowdown from the Lockbit3 takedown was brief, as affiliates shifted to other RaaS platforms, and RansomHub quickly filled the void.
In 2023, 67 ransomware groups were active, rising to 97 in 2024. This increase was fuelled by the splintering and rebranding of existing groups, and a global surge in activity, particularly in South and Southeast Asia and Latin America. The largest gangs like LockBit3 dominated both years, though its activity declined after the law enforcement takedown in early 2024. Meanwhile, RansomHub emerged strongly in 2024 after ALPHV and Lockbit3 faced setbacks.
Professional Goods & Services consistently led as the most targeted industry, maintaining nearly 16% share of all attacks. Consumer Goods & Services and Manufacturing followed closely, with Real Estate & Construction climbing from 7.03% in 2023 to 8.72% in 2024, advancing two positions. Conversely, Finance dropped from 8.45% to 5.23%, likely due to improved defences or reduced attacker focus.
In 2024, the Education, Government & Civic sectors saw notable increases, particularly in Q4. Other sectors, such as Logistics, Telecommunications & Media, and Materials, showed steady growth, while Energy & Utilities and Automotive saw modest but consistent activity.
The United States remained the most targeted country by a significant margin, accounting for 46.3% and 50.6% of all victims in 2023 and 2024, respectively. Its dominance overshadowed other countries. Other regions like Canada, Israel, and India saw significant increases in 2024, while Italy and Thailand experienced declines.
The ransomware landscape in 2024 demonstrated high year-over-year elevation, with increased diversification among attackers and shifts in industry and regional targeting.