Ransomware Activity Tracker
Cross-group leak-site monitor. Live count of who is being publicly extorted, by whom, in what sector, in what country. Updated daily; historical record stored locally and growing.
Dashboard panels (interactive widgets, not rendered in this text copy): Where it's hitting last 30 days; Most active groups last 30 days; Sector targeting in window; Live victim feed.
What this tracker covers
The tracker watches public leak sites operated by ransomware groups: Tor-hosted pages where affiliates name victims who have not paid and publish stolen data as proof. 333 active leak-site groups are under continuous monitoring, refreshed daily from the open-source ransomware.live feed maintained by Julien Mousqueton. We re-credit that source on every page.
What we add on top is durability and context. The upstream feed is a sliding window, so older posts age out. SecurityAlert keeps a permanent local archive from 2026-04-25 onward, which means historical sector trends, group lifecycle, and dormant-then-reactivated patterns survive even after the source's window has rolled past. Group profiles are enriched with MITRE ATT&CK technique mapping where attribution is established, and CISA #StopRansomware advisories are cross-referenced for high-impact campaigns, so a leak-site posting links out to the formal advisory when one exists.
Coverage is honest about its boundaries. Ransomware groups that deliberately avoid public extortion (some nation-state-aligned wipers, some quiet data-theft-only operations) do not show up here. They are tracked in the broader threat actor catalog using CISA advisories and incident-response reporting, but are invisible to leak-site monitoring by definition.
How to read the data
Each group card surfaces what an analyst usually wants first:
- 30-day victim count. The headline number on each card. Recomputed on every page load against the current window selector.
- Top sectors and geographic concentration. Where the group has been most active in the selected window. Useful for sector-level threat models.
- Sparkline momentum. Recent acceleration vs steady-state. A flat sparkline with a recent vertical spike signals an active campaign; a steady decline often precedes a rebrand or shutdown.
- Heatmap legend. The world map uses intentional bucketing: 1, 5, 10, 20, 50+ victims. This is a visual-clarity choice, not a precision artefact. Hover any country for the exact count.
- Filters apply jointly. Sector and country filters AND together. Selecting "Healthcare" + "Germany" returns groups that hit healthcare targets in Germany in the selected window, not the union.
- Inactive groups stay listed. A group with no leak posts in 90 days is dimmed but kept in the catalog. Ransomware operations frequently go quiet for a quarter, then resurface under the same name (or rebrand and resurface under a new one). Removing them after the first quiet week would lose that signal.
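The card semantics above (trailing 30-day window, sector and country filters ANDed together, the 1/5/10/20/50+ heatmap legend with exact counts kept for hover, and the 90-day dimming rule) can be reproduced over a small constructed feed. The following is an added example written for this page, not the tracker's or ransomware.live's code. The post field names, the choice to treat each legend value as the lower bound of its bucket, and the spike/decline heuristic for the sparkline are assumptions; the groups and victims are fictitious.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample feed: fictitious groups and victims, invented for this example.
# Field names (group, victim, sector, country, posted) are an assumption; the
# tracker's real schema is not documented on the page.
TODAY = date(2026, 5, 25)
POSTS = [
    {"group": "GroupA", "victim": "v01", "sector": "Healthcare",    "country": "DE", "posted": date(2026, 5, 24)},
    {"group": "GroupA", "victim": "v02", "sector": "Healthcare",    "country": "DE", "posted": date(2026, 5, 23)},
    {"group": "GroupA", "victim": "v03", "sector": "Manufacturing", "country": "US", "posted": date(2026, 5, 22)},
    {"group": "GroupA", "victim": "v04", "sector": "Healthcare",    "country": "US", "posted": date(2026, 5, 2)},
    {"group": "GroupB", "victim": "v05", "sector": "Healthcare",    "country": "DE", "posted": date(2026, 5, 10)},
    {"group": "GroupB", "victim": "v06", "sector": "Education",     "country": "FR", "posted": date(2026, 4, 30)},
    {"group": "GroupB", "victim": "v07", "sector": "Education",     "country": "FR", "posted": date(2026, 4, 10)},  # outside the 30-day window
    {"group": "GroupC", "victim": "v08", "sector": "Retail",        "country": "US", "posted": date(2026, 1, 15)},  # quiet > 90 days: dimmed
]
HEATMAP_BUCKETS = (1, 5, 10, 20, 50)   # legend thresholds stated on the page
INACTIVE_AFTER_DAYS = 90               # dimming rule stated on the page


def in_window(post, today=TODAY, days=30):
    """True if the post falls inside the trailing `days`-day window ending today."""
    return today - timedelta(days=days) <= post["posted"] <= today


def filter_posts(posts, today=TODAY, days=30, sector=None, country=None):
    """Window plus filters. Sector and country AND together (intersection, not union)."""
    return [p for p in posts
            if in_window(p, today, days)
            and (sector is None or p["sector"] == sector)
            and (country is None or p["country"] == country)]


def group_cards(posts, today=TODAY, days=30, sector=None, country=None):
    """One card per group: window victim count, top sectors/countries, dimmed flag.
    With no filter every catalogued group is kept (dormant ones dimmed, count 0);
    with a filter active only groups that match it inside the window are returned."""
    matched = filter_posts(posts, today, days, sector, country)
    by_group = {}
    for p in matched:
        by_group.setdefault(p["group"], []).append(p)
    unfiltered = sector is None and country is None
    groups = {p["group"] for p in posts} if unfiltered else set(by_group)
    cards = {}
    for g in sorted(groups):
        ps = by_group.get(g, [])
        last_post = max(p["posted"] for p in posts if p["group"] == g)  # over the full archive
        cards[g] = {
            "count": len(ps),
            "top_sectors": [s for s, _ in Counter(p["sector"] for p in ps).most_common(3)],
            "top_countries": [c for c, _ in Counter(p["country"] for p in ps).most_common(3)],
            "dimmed": (today - last_post).days > INACTIVE_AFTER_DAYS,
        }
    return cards


def heatmap_bucket(count):
    """Map an exact country count onto the legend bucket it is drawn in.
    Assumption: each legend value is the lower bound of its bucket. Countries
    with zero victims get no colour (None)."""
    if count < 1:
        return None
    label = None
    for lower in HEATMAP_BUCKETS:
        if count >= lower:
            label = str(lower)
    return label + "+" if label == str(HEATMAP_BUCKETS[-1]) else label


def country_heatmap(posts, today=TODAY, days=30, sector=None, country=None):
    """Per-country bucket for the map plus the exact count shown on hover."""
    counts = Counter(p["country"] for p in filter_posts(posts, today, days, sector, country))
    return {c: {"exact": n, "bucket": heatmap_bucket(n)} for c, n in counts.items()}


def sparkline(posts, group, today=TODAY, weeks=8):
    """Weekly victim counts for one group, oldest week first (the card's sparkline series)."""
    series = []
    for w in range(weeks, 0, -1):
        end = today - timedelta(days=7 * (w - 1))
        start = end - timedelta(days=7)
        series.append(sum(1 for p in posts if p["group"] == group and start < p["posted"] <= end))
    return series


def momentum(series):
    """Simplified heuristic (an assumption, not the page's algorithm): the latest
    week is a 'spike' when it is at least double the earlier weekly mean (floored
    at 1 to avoid flagging a single post after silence); 'decline' when earlier
    weeks had activity and the last two weeks have none; otherwise 'steady'."""
    *earlier, last = series
    baseline = sum(earlier) / len(earlier) if earlier else 0
    if last >= 2 * max(baseline, 1):
        return "spike"
    if sum(earlier) > 0 and sum(series[-2:]) == 0:
        return "decline"
    return "steady"


if __name__ == "__main__":
    for g, card in group_cards(POSTS).items():
        print(g, card, momentum(sparkline(POSTS, g)))
    print(group_cards(POSTS, sector="Healthcare", country="DE"))
    print(country_heatmap(POSTS))
```

Run stand-alone it prints the unfiltered cards, the "Healthcare" + "Germany" intersection (GroupA and GroupB only), and the bucketed map counts. The dimmed flag is computed against the full archive rather than the filtered window on purpose: a group can be absent from the current filter yet still be active, and the page's rule is about 90 days of total silence.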
The tracker is read-only and indexable. Anyone can land on it from a search, filter, and read the data without a login. Authenticated users get the brand monitor, which alerts when a leak-site post matches your company name, domains, or supplier list.
Frequently asked questions
What is a ransomware leak site?
A public (usually Tor-hosted) page run by a ransomware group, used to name victims that have not paid and to publish stolen data as proof. Monitoring leak sites is the most reliable open-source way to count active ransomware operations, since affiliates publish for their own extortion reasons.
Are these confirmed breaches?
No. Posts on ransomware leak sites are group claims. Most are accurate (groups have little to gain from naming victims they did not actually compromise) but some are recycled, exaggerated, or attached to the wrong corporate entity. Read this page as "who is being publicly extorted" rather than a roster of court-confirmed incidents.
How is this different from ransomware.live?
ransomware.live is the upstream open-source feed and we credit Julien Mousqueton as the source. We add a permanent local archive (their feed is sliding-window, ours grows indefinitely from 2026-04-25 onward), MITRE ATT&CK technique mapping where attribution is established, sector and country breakdowns, and brand-monitor alerts so a posting referencing your domain pages you instead of you discovering it on Twitter.
Do you alert me when my company appears?
Yes, via the brand monitor. Add your company name, domains, and key brand strings; any new leak-site post that matches will trigger an alert through your configured channels (email, Slack, Teams, PagerDuty, SMS depending on plan). The free plan covers 1 brand monitor with email alerts.
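The matching the brand monitor performs (company name, domains, key brand strings and, per the overview above, a supplier list, against each new leak-site post) is shown below as an added example written for this page, not SecurityAlert's own implementation. The post fields, the whole-word rule for names (so a brand string does not fire inside an unrelated longer word) and the suffix rule for domains (a subdomain of a monitored domain counts) are assumptions; the feed entries are constructed and fictitious.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class BrandMonitor:
    names: tuple           # company name and key brand strings, matched as whole words
    domains: tuple         # monitored domains; matched exactly or as a parent of a subdomain
    suppliers: tuple = ()  # supplier names; matched as whole words, reported separately


# Constructed monitor and feed (fictitious organisations, assumed field names).
MONITOR = BrandMonitor(
    names=("Acme Logistics", "Acme"),
    domains=("acme-logistics.example",),
    suppliers=("Northwind",),
)
FEED = [
    {"id": "p1", "group": "GroupA", "victim": "Acme Logistics GmbH",
     "domains": ["portal.acme-logistics.example"], "description": "claim posted 2026-05-24"},
    {"id": "p2", "group": "GroupB", "victim": "Macmed Clinics",           # must NOT match "Acme"
     "domains": ["macmed.example"], "description": "claim posted 2026-05-23"},
    {"id": "p3", "group": "GroupA", "victim": "Northwind Traders",        # supplier hit
     "domains": [], "description": "claim posted 2026-05-22"},
]


def _norm_domain(d):
    return d.lower().strip().rstrip(".")


def domain_matches(candidate, owned):
    """Exact match or candidate is a subdomain of the monitored domain."""
    c, o = _norm_domain(candidate), _norm_domain(owned)
    return c == o or c.endswith("." + o)


def word_matches(text, term):
    """Case-insensitive whole-word match; letters, digits, '_' and '-' on either
    side block the match, so 'Acme' does not fire on 'Macmed'."""
    pattern = r"(?<![\w-])" + re.escape(term) + r"(?![\w-])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def match_post(monitor, post):
    """Return (kind, term) hits for one post, or [] when nothing matched."""
    hits = []
    haystack = " ".join(str(post.get(k, "")) for k in ("victim", "description"))
    for name in monitor.names:
        if word_matches(haystack, name):
            hits.append(("brand", name))
    for owned in monitor.domains:
        if any(domain_matches(c, owned) for c in post.get("domains", ())):
            hits.append(("domain", owned))
    for supplier in monitor.suppliers:
        if word_matches(haystack, supplier):
            hits.append(("supplier", supplier))
    return hits


def scan_feed(monitor, posts, seen):
    """Alert only on posts not seen before; `seen` is the caller's persisted id set,
    so a daily re-scan of the sliding-window feed does not re-alert on old posts."""
    alerts = []
    for post in posts:
        if post["id"] in seen:
            continue
        seen.add(post["id"])
        hits = match_post(monitor, post)
        if hits:
            alerts.append({"post_id": post["id"], "group": post["group"],
                           "victim": post["victim"], "hits": hits})
    return alerts


if __name__ == "__main__":
    seen_ids = set()
    for alert in scan_feed(MONITOR, FEED, seen_ids):
        print(alert)                          # p1 (brand + domain) and p3 (supplier)
    print(scan_feed(MONITOR, FEED, seen_ids))  # [] on the second pass
```

The `seen` set is what turns "post appears on the leak site" into "new post": persist it between runs (the tracker's local archive plays that role) or every daily refresh will page you again for the same victim.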
Can I get a feed of new victim posts?
Yes. The full victim feed is available as RSS at /ransomware.rss, and Enterprise plans get the same data via TAXII 2.1 at /taxii2/ and a MISP-compatible export at /api/misp/events for SIEM and TIP ingest.
What about groups that don't run leak sites?
They are tracked in the threat actor catalog using CISA advisories, vendor reporting, and incident-response writeups, but they are invisible to this tracker by definition. A handful of ransomware operations (some nation-state-aligned wipers, some quiet data-theft-only crews) deliberately avoid public extortion. They show up in the actor catalog with no leak-site activity recorded.