Ransomware.live: Your comprehensive guide to monitoring and tracking ransomware attacks globally

Ransomware.live is a free platform to track and monitor ransomware attacks

Quick summary

Ransomware.live is a free platform for tracking and monitoring ransomware attacks globally. It automatically monitors ransomware data leak sites and provides you with:

  • An up-to-date list of victims and targeted companies/organizations.
  • Interactive statistics and maps by country, sector and group.
  • Technical information about each ransomware group (ransom notes, YARA rules, indicators of compromise (IoCs), TTPs matrix).
  • Records of negotiation conversations with ransomware groups.
  • Real-time alerts via the ntfy app, and an API to integrate the data into your systems.

The site is intended for cybersecurity professionals, researchers, journalists, and incident response teams, and does not host any leaked data, only what is publicly published on ransomware sites and open sources.


What is Ransomware.live in short?

  • A free and independent threat intelligence platform that tracks ransomware groups and their victims globally.
  • It relies on automatic monitoring of ransomware data leak sites, open sources and journalism.
  • There is no paywall, no ads, and no affiliation with any company; it is a personal project of Julien Mousqueton, a security researcher working as Field CISO EMEA at Cohesity.
  • It does not distribute any leaked data, nor does it encourage cybercrime; its goal is transparency and awareness only.

Overview of the site's components

mindmap
  root((Ransomware.live))
    Monitoring victims
      List of Victims
      Worldmap
      Statistics
    Groups Information
      Groups page
      Ransom Notes
      YARA rules
      IoC intrusion indicators
      TTPs Matrix (MITRE ATT&CK)
    Negotiations conversations
      Negotiations logs
    Services for users
      Notifications
      API interface
      Press page
      RSS and JSON data

Website sections and services explained in detail

1. Monitoring victims and attacks

a) List of Victims

  • The home page displays the 100 most recent victims advertised on ransomware sites.
  • For every victim you find:
    • Organization name/official website.
    • Date of discovery and approximate date of attack.
    • The name of the responsible ransomware group.
    • Icons indicate:
      • Screenshot available.
      • Company website.
      • InfoStealer data linked.
      • Victim has denied the attack.
      • Ransom amount known.
      • Leak size known.
      • Duplicate claim detected.
      • Press coverage of the incident.
  • It also displays the sector (Manufacturing, Healthcare, Education, ...) and country.

b) Worldmap

  • The Ransomware Victims by Country page shows an interactive map of the number of victims by country.
  • You can choose a year (2023-2026) or view the full map.
  • Countries are colored by the number of victims:
    • Low (1-99)
    • Medium (100-199)
    • High (200+)

c) Statistics

  • The Ransomware Statistics page shows:
    • Total victims per year.
    • Number of active groups.
    • Top 10 ransomware groups by number of victims.
    • Number of victims per month from 2023 through 2026.
    • Top 10 target sectors.
    • Top 10 target countries.
    • Monthly sector breakdown as a percentage.

2. Technical information about ransomware

a) Groups Page

  • Displays a large list of ransomware groups (Akira, LockBit, BlackCat/ALPHV, ...) with:
    • Date of addition.
    • Date of the last victim.
    • A brief description of the group.
    • Number of victims.
    • Group status (Online/Offline).
  • Each group has markers that show whether it has:
    • Ransom notes.
    • Tools used.
    • Vulnerabilities exploited.
    • A negotiation chat.
    • YARA rules.
    • TTPs mapped to MITRE ATT&CK.

b) Ransom Notes

  • The Ransom Notes by Group page displays text samples of readme files and ransom notes left by groups on victims' systems.
  • For each group:
    • Several templates (e.g. Akira has several text files explaining how to pay and communicate).
    • They can be downloaded or read directly to understand the group's threat and pressure tactics.

c) YARA rules

  • The YARA Rules by Group page provides YARA rules for several ransomware groups (Akira, LockBit, BlackCat, ...) to detect ransomware on systems.
  • These rules are useful for:
    • SOC/DFIR teams building signatures for detection systems.
    • Researchers analyzing new samples.

d) Indicators of Compromise (IoC)

  • The Indicators of Compromise (IoC) by Group page shows:
    • MD5 and SHA256 hashes of executables or encrypted files.
    • Bitcoin (BTC) addresses used to collect the ransom.
    • Other types of indicators by group.
  • These can be used for:
    • Building detection rules in SIEM/EDR.
    • Blocklists on systems or at the network level.

e) TTPs Matrix (MITRE ATT&CK)

  • The ATT&CK Techniques Matrix page presents each group's attack techniques based on the MITRE ATT&CK framework:
    • Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Impact.
  • This helps you to:
    • Understand how the group works.
    • Design an appropriate Detection & Response plan.

3. Negotiations

  • The Negotiation Chats page holds records of real (or partially fabricated for awareness purposes) conversations between victims and ransomware groups, provided by the researcher Valéry Marchive and Julien Mousqueton.
  • For each conversation:
    • Group name.
    • Date of conversation.
    • Number of messages.
    • Initial ransom amount.
    • Final ransom, if any.
  • These records are useful for:
    • Understanding negotiation and pressure techniques.
    • Knowing how to handle ransomware negotiations if you have to.

4. Alerts and API services

a) Notifications

  • The Real-Time Ransomware Alerts page explains how to sign up for free alerts via ntfy:
    1. Install the ntfy app on iOS, Android, or F-Droid.
    2. Set the Base URL to: https://push.ransomware.live
    3. Subscribe to different topics:
      • victims → Alert for each new victim.
      • country_ → Alerts by country (e.g. country_us for the United States).
      • sector_ → Alerts by sector (e.g. sector_healthcare).
  • Privacy:
    • You don't need an account or personal data.
    • The connection is encrypted over HTTPS.
    • You can unsubscribe at any time.
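
For teams that want these alerts in a pipeline rather than on a phone, the sketch below is an added example, not code from Ransomware.live or from this article. It assumes push.ransomware.live exposes ntfy's standard JSON stream endpoint (/<topics>/json); the sample stream lines are constructed, and the alert text is treated as opaque.

```python
import json
import re

BASE_URL = "https://push.ransomware.live"       # Base URL given on the page
TOPIC_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")   # characters ntfy accepts in a topic

def subscribe_url(countries=(), sectors=(), all_victims=False):
    """Build one ntfy JSON-stream URL covering a watchlist of topics."""
    topics = ["victims"] if all_victims else []
    topics += [f"country_{c.lower()}" for c in countries]
    topics += [f"sector_{s.lower()}" for s in sectors]
    bad = [t for t in topics if not TOPIC_RE.fullmatch(t)]
    if bad or not topics:
        raise ValueError(f"invalid or empty topic list: {bad}")
    # Assumption: the server exposes ntfy's standard /<topics>/json stream.
    return f"{BASE_URL}/{','.join(topics)}/json"

def parse_stream(lines, seen=None):
    """Yield one normalized alert per new 'message' event in an ntfy stream."""
    seen = set() if seen is None else seen
    for raw in lines:
        try:
            evt = json.loads(raw)
        except (TypeError, ValueError):
            continue                      # truncated or non-JSON line
        if not isinstance(evt, dict) or evt.get("event") != "message":
            continue                      # skip 'open' and 'keepalive' events
        mid = evt.get("id")
        if not mid or mid in seen:
            continue                      # replayed after a reconnect
        seen.add(mid)
        yield {"id": mid, "time": evt.get("time"), "topic": evt.get("topic"),
               "title": evt.get("title", ""), "text": evt.get("message", "")}

# Constructed sample stream (not real alerts): open, keepalive, one message,
# the same message replayed, and a truncated line.
SAMPLE = [
    '{"id":"a1","time":1700000000,"event":"open","topic":"country_us,sector_healthcare"}',
    '{"id":"b2","time":1700000045,"event":"keepalive","topic":"country_us,sector_healthcare"}',
    '{"id":"c3","time":1700000100,"event":"message","topic":"sector_healthcare",'
    '"title":"constructed title","message":"constructed alert body"}',
    '{"id":"c3","time":1700000100,"event":"message","topic":"sector_healthcare",'
    '"title":"constructed title","message":"constructed alert body"}',
    '{"id":"d4","time":17000',
]

if __name__ == "__main__":
    print(subscribe_url(countries=["US"], sectors=["healthcare"]))
    for alert in parse_stream(SAMPLE):
        print(alert)
```

Feed parse_stream the line iterator of a streaming HTTP response and keep the same seen set across reconnects so replayed messages are not forwarded twice.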

b) API (Application Programming Interface)

  • The API Comparison page offers three types of API:
    1. API v1
      • Deprecated, used for legacy compatibility only.
    2. API v2
      • Free, no authentication (no API key).
      • Rate limited.
      • For personal use only.
    3. API PRO
      • Free forever, but requires API key.
      • 3000 requests/day are allowed, with bursts permitted.
      • It offers a dashboard and more features.
      • Suitable for professional and corporate use after reading the terms.
    4. API PRO+
      • In development, it will provide additional features and analytics.
  • The API can be used for:
    • Pulling victim or group data into your SIEM or Threat Intelligence platform.
    • Building customized dashboards.

c) RSS and JSON data

  • From the About page:
    • RSS feed for real-time victim updates.
    • JSON data via data.ransomware.live.
    • Public API to integrate data into your tools.

5. Press page

  • The Press Coverage page lists press coverage of real-life ransomware attacks, provided by Valéry Marchive from Le Mag IT/TechTarget.
  • Contains:
    • French/English summaries of important incidents (schools, hospitals, companies, public sector).
    • "Read more" links for full articles.
    • Sometimes additional data such as the number of employees affected or InfoStealer data from Hudson Rock.
  • Useful for:
    • Journalists following the latest attacks.
    • Researchers studying attack patterns and their impact.

6. Legal & Disclaimer

  • On the Legal page, the site clearly emphasizes that:
    • It does not host or distribute any leaked data.
    • It relies only on:
      • What ransomware groups openly advertise on data leak sites.
      • Open source and security research.
      • Press reports and officially announced incidents.
    • It does not encourage cybercrime; its goal is transparency and awareness.
    • The site can be contacted via [email protected] if there is an error or privacy issue.

Who is this site for?

  • Cybersecurity teams (SOC/IR/Threat Intel):
    • Monitor ransomware activity.
    • Extract IoCs, YARA, and TTPs to enhance detection and response.
  • Researchers and academics:
    • Study the evolution of ransomware attacks, the most targeted sectors, the most affected countries.
  • Journalists and regulators:
    • Obtain reliable data on attacks and their impact.
  • Companies and organizations:
    • Find out if there are new attacks in the same industry or geographic area.
    • Build defense plans based on active group patterns.

A quick summary for practical use

  • If you are a:
    • Penetration tester/security researcher: Use Groups + IoC + YARA + TTPs to understand ransomware groups and build detection tools.
    • SOC/DFIR officer: Use Victims + Statistics + Worldmap for trends, and IoC/YARA for signatures.
    • Journalist or researcher: Use Press + Statistics + Negotiations to understand the dimensions of the attacks and provide objective reporting.
    • Regular user with an interest in security: You can just read the homepage and stats to get a sense of the scale of the issue, and maybe sign up for general alerts via ntfy.
