// THE TRACKER
Ransomtracker
A continuously updated index of active ransomware operations and their published victims. Built to make the leak-site economy visible, searchable, and citable.
Loading live counts…
// CONFIRMED ATTACKS
The verified layer
Everything below the counters is what the operators claim. This section is what has been independently confirmed: a human-verified dataset of 9,291 ransomware attacks since 2018, geocoded and classified by industry across 149 countries. Curated continuously; updated weekly.
| Date | Organisation | Location | Sector | Strain | Records | Src |
|---|---|---|---|---|---|---|
| Loading confirmed attacks… | ||||||
About this data
The confirmed layer is a proprietary Ransomnews dataset of ransomware attacks that have been independently verified — through breach disclosures, regulatory filings, official statements, or credible press reporting — rather than taken from leak-site claims alone. Coverage runs from 2018 to the present, is refreshed weekly, and spans 149 countries.
Each record carries the attack month, victim organisation, city and country (geocoded), industry and sub-industry classification, the ransomware strain where attributed, and — where known — records affected, whether a ransom was paid, and the amount demanded or paid. Financial details are published only where they are on the record: most confirmed incidents never disclose them.
A confirmed incident here is not the same as a leak-site listing above. Many confirmed attacks never appear on a leak site; many leak-site claims are never independently confirmed. The two layers together are the point: claims show operator behaviour, confirmations show real-world impact.
Researchers and journalists are welcome to cite this dataset as Ransomnews Confirmed Ransomware Attacks Dataset, with a link to this page. For bulk access, corrections, or questions about individual records: [email protected].
// SEARCH
Find a gang or victim
Searches active threat groups and victims listed across the trailing two years.
// LATEST ACTIVITY
Recent victim listings
The ten most recently published victims across all tracked operations. Pulled live from the tracker; refreshes every page load.
// OPERATORS
Active operations
The most active operators by recent victim listings, with status. Green = leak site live, amber = dormant, red = seized or known dark.
// TRENDS
Track trends
Monthly and yearly aggregate views show how the leak-site economy is shifting, which groups are rising, which are dying, and how takedowns reshape the field.
Activity over time
Top operators by claimed victims
Victims by domain TLD
Posting rhythm by day of week
// BROWSE
Browse the index
Filter by year, by operator, or both. Default view shows the latest victims across every tracked operator. Click any operator name to open the per-actor profile.
// METHODOLOGY
What the tracker tracks, and what it doesn’t
Ransomtracker is a continuously updated index of active ransomware operations. The collector watches the public leak sites of every active operator it can reach, most are Tor hidden services, parses every new victim listing the operators publish, normalises the data, and keeps a structured record. The page you are reading reflects the current state of that index, refreshed on each page load.
The index is built specifically for journalism, threat intelligence, and breach-response work. It is not a credential-leak service and it does not host the stolen data, only the metadata of who appeared on whose leak site, when.
What we track
- Operators with publicly visible leak sites, typically 50 to 90 active at any given time.
- Each victim listing the operator publishes: organisation name, listing date, ransom deadline (where stated), and a short description if the operator provides one.
- Operator status, leak site live, dormant (no new posts for 30+ days), or dark (seized, exit-scammed, voluntarily retired).
- Aggregate counts: per-group, per-month, per-year, per-sector where it can be inferred.
What we do not track
- The leaked data itself. The tracker indexes that a victim was listed and by whom, never the stolen data. Hosting that data is illegal in most jurisdictions and unethical in all of them.
- Private negotiations, ransom amounts, or confidential incident details. The tracker only sees what operators choose to publish.
- Groups operating without a public leak site. Pure-encryption operators, double-extortion holdouts who never publish, and small bespoke campaigns are invisible to leak-site monitoring by design.
Data caveats
- Victim listings are operator claims. Some are inflated, some are duplicated across rebrands, a few are fabricated. The tracker presents them as the operator presents them; verifying any specific listing is the analyst’s responsibility.
- Leak sites change layout frequently and disappear without warning. Brief gaps in coverage for individual operators are expected.
- Attribution between rebranded operations (Conti → Black Basta, Royal → BlackSuit, etc.) is annotated where the lineage is well-established and left ambiguous where it isn’t.
Source data: RansomLook (CC BY 4.0), aggregated and adapted by Ransomnews.
// USING IT
How to use the tracker
Search by victim
Enter an organisation name to see whether it has been listed, by whom, and when. Useful for due-diligence checks, breach-notification work, and tracking how long stolen data sits on leak sites before publication.
Drill into a group
Each operator has a profile page with their full victim history, leak-site URLs (current and historic), and timeline of activity. Useful for threat-intelligence work and historical research.
Track trends
Monthly and yearly aggregate views show how the leak-site economy is shifting, which groups are rising, which are dying, and how takedowns reshape the field.
// COVERAGE
Editorial coverage
The data above is the operational signal. The analysis that contextualises it lives in our editorial coverage. Start with Ransomware for how operations actually run, Threat Groups for profiles of the major operators, Explainers for long-form primers on the underlying mechanics, or News for the chronological feed of everything we publish.
Corrections to operator metadata, story leads, or sensitive tips: email [email protected]. We act on every submission.
// LEGAL & ETHICAL
A note on what this is for
Ransomtracker exists to make the operations of an entrenched criminal economy visible. The information it surfaces, that a particular organisation appeared on a particular operator’s leak site at a particular time, is already public, published by the operators themselves on indexed Tor sites, and widely scraped by other research, threat-intelligence, and journalism projects.
The tracker indexes that public information. It does not host stolen data, does not assist in pressuring victims, and does not operate as a back-channel for any operator. If you are an organisation listed on the tracker and would like to share a public response or correction, write to [email protected].