{"id":2417,"date":"2026-04-07T12:15:33","date_gmt":"2026-04-07T09:15:33","guid":{"rendered":"https:\/\/havari.me\/?p=2417"},"modified":"2026-04-07T12:30:01","modified_gmt":"2026-04-07T09:30:01","slug":"%d9%85%d9%88%d9%82%d8%b9-ransomware-live-%d9%87%d9%88-%d9%85%d9%86%d8%b5%d8%a9-%d9%85%d8%ac%d8%a7%d9%86%d9%8a%d8%a9-%d9%84%d9%85%d8%aa%d8%a7%d8%a8%d8%b9%d8%a9-%d9%88%d8%b1%d8%b5%d8%af-%d9%87%d8%ac","status":"publish","type":"post","link":"https:\/\/havari.me\/en\/ransomware\/%d9%85%d9%88%d9%82%d8%b9-ransomware-live-%d9%87%d9%88-%d9%85%d9%86%d8%b5%d8%a9-%d9%85%d8%ac%d8%a7%d9%86%d9%8a%d8%a9-%d9%84%d9%85%d8%aa%d8%a7%d8%a8%d8%b9%d8%a9-%d9%88%d8%b1%d8%b5%d8%af-%d9%87%d8%ac\/","title":{"rendered":"Ransomware.live: Your comprehensive guide to monitoring and tracking ransomware attacks globally"},"content":{"rendered":"<h2 class=\"wp-block-heading\"><strong>Ransomware.live is a free platform to track and monitor ransomware attacks<\/strong><\/h2>\n\n\n<h2>Quick summary<\/h2>\n<p><strong>Ransomware.live<\/strong> is a free platform for tracking and monitoring ransomware attacks globally. 
It automatically monitors ransomware data leak sites and provides you with:<\/p>\n<ul>\n<li>An up-to-date list of victims and targeted companies\/organizations.<\/li>\n<li>Interactive statistics and maps by country, sector and group.<\/li>\n<li>Technical information about each ransomware group (ransom notes, YARA rules, indicators of compromise (IoCs), TTPs matrix).<\/li>\n<li>Records of negotiation conversations with ransomware groups.<\/li>\n<li>Real-time alerts via the ntfy app, and an API to integrate the data into your systems.<\/li>\n<\/ul>\n<p>The site is intended for cybersecurity professionals, researchers, journalists, and incident response teams. It does not host any leaked data; it relies only on what is publicly posted on ransomware sites and in open sources.<\/p>\n<hr \/>\n<h2>What is Ransomware.live in short?<\/h2>\n<ul>\n<li>A free and independent <strong>threat intelligence<\/strong> platform that tracks ransomware groups and their victims globally.<\/li>\n<li>It relies on <strong>automated monitoring<\/strong> of ransomware data leak sites, open sources and press reporting.<\/li>\n<li>There is no paywall, no ads, and no affiliation with any company; it is a personal project of <strong>Julien Mousqueton<\/strong>, a security researcher working as Field CISO EMEA at Cohesity.<\/li>\n<li>It does not distribute any leaked data, nor does it encourage cybercrime; its goal is <strong>transparency and awareness<\/strong> only. 
<\/li>\n<\/ul>\n<hr \/>\n<h2>Overview of the site's components<\/h2>\n<pre><code class=\"language-mermaid\">mindmap\n  root((Ransomware.live))\n    Monitoring victims\n      List of Victims\n      Worldmap\n      Statistics\n    Groups Information\n      Groups page\n      Ransom Notes\n      YARA rules\n      IoC intrusion indicators\n      TTPs Matrix (MITRE ATT&amp;CK)\n    Negotiations conversations\n      Negotiations logs\n    Services for users\n      Notifications\n      API interface\n      Press page\n      RSS and JSON data<\/code><\/pre>\n<hr \/>\n<h2>Website sections and services explained in detail<\/h2>\n<h3>1. Monitoring victims and attacks<\/h3>\n<h4>a) List of Victims<\/h4>\n<ul>\n<li>The home page displays the <strong>100 most recent victims<\/strong> announced on ransomware sites.<\/li>\n<li>For each victim you will find:\n<ul>\n<li>Organization name\/official website.<\/li>\n<li>Date of discovery and approximate date of attack.<\/li>\n<li>The name of the responsible ransomware group.<\/li>\n<li>Icons indicating:\n<ul>\n<li>Screenshot available.<\/li>\n<li>Company website.<\/li>\n<li>InfoStealer data linked.<\/li>\n<li>Victim has denied the attack.<\/li>\n<li>Ransom amount known.<\/li>\n<li>Leak size known.<\/li>\n<li>Duplicate claim detected.<\/li>\n<li>Press coverage of the incident.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>It also displays the <strong>sector<\/strong> (Manufacturing, Healthcare, Education, ...) and country.<\/li>\n<\/ul>\n<h4>b) Worldmap<\/h4>\n<ul>\n<li>The <strong>Ransomware Victims by Country<\/strong> page is an interactive map showing the number of victims by country. 
<\/li>\n<li>You can choose a year (2023-2026) or view the full map.<\/li>\n<li>Countries are colored by the number of victims:\n<ul>\n<li>Low (1-99)<\/li>\n<li>Medium (100-199)<\/li>\n<li>High (200+)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h4>c) Statistics<\/h4>\n<ul>\n<li>The <strong>Ransomware Statistics<\/strong> page shows:\n<ul>\n<li>Total victims per year.<\/li>\n<li>Number of active groups.<\/li>\n<li>Top 10 ransomware groups by number of victims.<\/li>\n<li>Number of victims per month from 2023 through 2026.<\/li>\n<li>Top 10 targeted sectors.<\/li>\n<li>Top 10 targeted countries.<\/li>\n<li>Monthly sector breakdown as a percentage.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<h3>2. Technical information about ransomware<\/h3>\n<h4>a) Groups Page<\/h4>\n<ul>\n<li>Displays a large list of ransomware groups (Akira, LockBit, BlackCat\/ALPHV, ...) with:\n<ul>\n<li>Date of addition.<\/li>\n<li>Date of the last victim.<\/li>\n<li>A brief description of the group.<\/li>\n<li>Number of victims.<\/li>\n<li>Group status (Online\/Offline).<\/li>\n<\/ul>\n<\/li>\n<li>Each group has markers that show whether it has:\n<ul>\n<li>Ransom notes.<\/li>\n<li>Tools used.<\/li>\n<li>Vulnerabilities exploited.<\/li>\n<li>A negotiation chat.<\/li>\n<li>YARA rules.<\/li>\n<li>TTPs mapped to MITRE ATT&amp;CK.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h4>b) Ransom Notes<\/h4>\n<ul>\n<li>The <strong>Ransom Notes by Group<\/strong> page displays text samples of readme files and ransom messages left by groups on victims' systems.<\/li>\n<li>For each group:\n<ul>\n<li>Several templates (e.g. 
Akira has several text files explaining how to pay and communicate).<\/li>\n<li>They can be downloaded or read directly to understand the group's threats and pressure tactics.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h4>c) YARA rules<\/h4>\n<ul>\n<li>The <strong>YARA Rules by Group<\/strong> page provides YARA rules for several ransomware groups (Akira, LockBit, BlackCat, ...) to detect ransomware on systems.<\/li>\n<li>These rules are useful for:\n<ul>\n<li>SOC\/DFIR teams building signatures for detection systems.<\/li>\n<li>Researchers analyzing new samples.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h4>d) Indicators of Compromise (IoC)<\/h4>\n<ul>\n<li>The <strong>Indicators of Compromise (IoC) by Group<\/strong> page shows:\n<ul>\n<li>MD5 and SHA256 hashes for executables or encrypted files.<\/li>\n<li>Bitcoin (BTC) addresses used to collect the ransom.<\/li>\n<li>Other types of indicators by group.<\/li>\n<\/ul>\n<\/li>\n<li>Can be used for:\n<ul>\n<li>Building detection rules in SIEM\/EDR.<\/li>\n<li>Blocklists on systems or at the network level.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h4>e) TTPs Matrix (MITRE ATT&amp;CK)<\/h4>\n<ul>\n<li>The <strong>ATT&amp;CK Techniques Matrix<\/strong> page presents each group's attack techniques based on the MITRE ATT&amp;CK framework:\n<ul>\n<li>Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Impact.<\/li>\n<\/ul>\n<\/li>\n<li>It helps you to:\n<ul>\n<li>Understand how the group works.<\/li>\n<li>Design an appropriate Detection &amp; Response plan.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<h3>3. 
Negotiations<\/h3>\n<ul>\n<li>The <strong>Negotiation Chats<\/strong> page holds records of real (or partially fabricated for awareness purposes) conversations between victims and ransomware groups, provided by the researcher <strong>Val\u00e9ry Marchive<\/strong> and Julien Mousqueton.<\/li>\n<li>For each conversation:\n<ul>\n<li>Group name.<\/li>\n<li>Date of conversation.<\/li>\n<li>Number of messages.<\/li>\n<li>Initial ransom amount.<\/li>\n<li>Final ransom, if any.<\/li>\n<\/ul>\n<\/li>\n<li>These records are useful for:\n<ul>\n<li>Understanding negotiation and pressure techniques.<\/li>\n<li>Knowing how to handle ransomware negotiations if you have to.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<h3>4. Alerts and API services<\/h3>\n<h4>a) Notifications<\/h4>\n<ul>\n<li>The <strong>Real-Time Ransomware Alerts<\/strong> page explains how to sign up for free alerts via the <strong>ntfy<\/strong> app:\n<ol>\n<li>Install the ntfy app on iOS, Android, or F-Droid.<\/li>\n<li>Set the <strong>Base URL<\/strong> to: <code>https:\/\/push.ransomware.live<\/code><\/li>\n<li>Subscribe to different topics:\n<ul>\n<li><code>victims<\/code> \u2192 Alert for each new victim.<\/li>\n<li><code>country_<\/code> \u2192 Alerts by country (e.g. <code>country_us<\/code> for the United States).<\/li>\n<li><code>sector_<\/code> \u2192 Alerts by sector (e.g. <code>sector_healthcare<\/code>).<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<\/li>\n<li>Privacy:\n<ul>\n<li>You don't need an account or personal data.<\/li>\n<li>The connection is encrypted over HTTPS.<\/li>\n<li>You can unsubscribe at any time. 
<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h4>b) API (Application Programming Interface)<\/h4>\n<ul>\n<li>The <strong>API Comparison<\/strong> page offers three types of API:\n<ol>\n<li><strong>API v1<\/strong>\n<ul>\n<li>Deprecated, used for legacy compatibility only.<\/li>\n<\/ul>\n<\/li>\n<li><strong>API v2<\/strong>\n<ul>\n<li>Free, no authentication (no API key).<\/li>\n<li>Rate limited.<\/li>\n<li>For personal use only.<\/li>\n<\/ul>\n<\/li>\n<li><strong>API PRO<\/strong>\n<ul>\n<li>Free forever, but requires an <strong>API key<\/strong>.<\/li>\n<li>3000 requests\/day are allowed, with bursts permitted.<\/li>\n<li>It offers a dashboard and more features.<\/li>\n<li>Suitable for professional and corporate use after reading the terms.<\/li>\n<\/ul>\n<\/li>\n<li><strong>API PRO+<\/strong>\n<ul>\n<li>In development; it will provide additional features and analytics.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<\/li>\n<li>The API can be used for:\n<ul>\n<li>Pulling victim or group data into your SIEM or Threat Intelligence platform.<\/li>\n<li>Building customized dashboards.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h4>c) RSS and JSON data<\/h4>\n<ul>\n<li>From the About page:\n<ul>\n<li><strong>RSS feed<\/strong> for real-time victim updates.<\/li>\n<li><strong>JSON data<\/strong> via <code>data.ransomware.live<\/code>.<\/li>\n<li><strong>Public API<\/strong> to integrate data into your tools.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<h3>5. 
Press page<\/h3>\n<ul>\n<li>The <strong>Press Coverage<\/strong> page collects press coverage of real-life ransomware attacks, provided by <strong>Val\u00e9ry Marchive<\/strong> of LeMagIT\/TechTarget.<\/li>\n<li>Contains:\n<ul>\n<li>French\/English summaries of important incidents (schools, hospitals, companies, public sector).<\/li>\n<li>\"Read more\" links for full articles.<\/li>\n<li>Sometimes additional data such as the number of employees affected or InfoStealer data from Hudson Rock.<\/li>\n<\/ul>\n<\/li>\n<li>Useful for:\n<ul>\n<li>Journalists following the latest attacks.<\/li>\n<li>Researchers studying attack patterns and their impact.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<h3>6. Legal &amp; Disclaimer<\/h3>\n<ul>\n<li>The site clearly states on the Legal page that:\n<ul>\n<li>It does not host or distribute any leaked data.<\/li>\n<li>It relies only on:\n<ul>\n<li>What ransomware groups openly publish on data leak sites.<\/li>\n<li>Open sources and security research.<\/li>\n<li>Press reports and officially announced incidents.<\/li>\n<\/ul>\n<\/li>\n<li>It does not encourage cybercrime; its goal is <strong>transparency and awareness<\/strong>.<\/li>\n<li>The team can be contacted via <code>support@ransomware.live<\/code> if there is an error or privacy issue. 
<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<h2>Who is this site for?<\/h2>\n<ul>\n<li><strong>Cybersecurity teams (SOC\/IR\/Threat Intel)<\/strong>:\n<ul>\n<li>Monitor ransomware activity.<\/li>\n<li>Extract IoCs, YARA rules, and TTPs to enhance detection and response.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Researchers and academics<\/strong>:\n<ul>\n<li>Study the evolution of ransomware attacks, the most targeted sectors, and the most affected countries.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Journalists and regulators<\/strong>:\n<ul>\n<li>Obtain reliable data on attacks and their impact.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Companies and organizations<\/strong>:\n<ul>\n<li>Find out if there are new attacks in the same industry or geographic area.<\/li>\n<li>Build defense plans based on active group patterns.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<h2>A quick summary for practical use<\/h2>\n<ul>\n<li>If you are:\n<ul>\n<li><strong>A penetration tester\/security researcher<\/strong>: Use Groups + IoC + YARA + TTPs to understand ransomware groups and build detection tools.<\/li>\n<li><strong>A SOC\/DFIR officer<\/strong>: Use Victims + Statistics + Worldmap for trends, and IoC\/YARA for signatures.<\/li>\n<li><strong>A journalist or researcher<\/strong>: Use Press + Statistics + Negotiations to understand the dimensions of the attacks and provide objective reporting.<\/li>\n<li><strong>A regular user with an interest in security<\/strong>: You can just read the homepage and stats to get a sense of the scale of the issue, and maybe sign up for general alerts via ntfy.<\/li>\n<\/ul>\n<\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>Ransomware.live is a free platform to track and monitor ransomware attacks Quick summary Ransomware.live is a free platform for tracking and monitoring ransomware attacks globally. It automatically monitors ransomware data leak sites and provides you with: An up-to-date list of victims and targeted companies\/organizations. Interactive statistics and maps by country, sector and group. 
Technical information about each ransomware group (messages [&hellip;]<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"jetpack_post_was_ever_published":false,"footnotes":""},"categories":[68,67,94],"tags":[95,102,105,97,99,98,104,103,100,106,101],"class_list":["post-2417","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-hacking","category-ransomware","tag-ransomware","tag-ransomware-live","tag-105","tag-97","tag-99","tag-98","tag-104","tag-103","tag-100","tag-106","tag-101"],"acf":[],"aioseo_notices":[],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/havari.me\/en\/wp-json\/wp\/v2\/posts\/2417","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/havari.me\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/havari.me\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/havari.me\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/havari.me\/en\/wp-json\/wp\/v2\/comments?post=2417"}],"version-history":[{"count":4,"href":"https:\/\/havari.me\/en\/wp-json\/wp\/v2\/posts\/2417\/revisions"}],"predecessor-version":[{"id":2421,"href":"https:\/\/havari.me\/en\/wp-json\/wp\/v2\/posts\/2417\/revisions\/2421"}],"wp:attachment":[{"href":"https:\/\/havari.me\/en\/wp-json\/wp\/v2\/media?parent=2417"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/havari.me\/en\/wp-json\/wp\/v2\/categories?post=2417"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/havari.me\/en\/wp-json\/wp\/v2\/tags?post=2417"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}