Ransomware victim search
Has a ransomware group ever listed your company on a leak site? Search our historical record. We've been capturing every public claim since 2026-04-25, beyond what ransomware.live's sliding window keeps live.
Tip: search for fragments. acme matches acme corp, acme.com, and Acme Industries.
What this tool does
This is a historical search across our locally-stored archive of ransomware leak-site posts. Every public claim posted to a known ransomware group's leak site since 2026-04-25 is captured and kept indefinitely. Where ransomware.live runs a sliding window and lets older posts roll off the live feed, our copy is permanent. Search by company name, brand, or domain fragment and you'll see every post we have on record, even if the original group's site has since gone down or rotated to new infrastructure.
The tool is free and requires no signup. We track over 333 ransomware groups, with 100+ recent victims at any given moment plus a long tail of older posts. Search supports fragments: acme matches Acme Corp, acme.com, and Acme Industries Ltd. For common words, switch to a domain fragment to cut noise.
How to read a result
A result means a ransomware group POSTED a victim claim mentioning the name you searched. That is the precise scope, and the distinction matters. Leak-site posts are the group's marketing surface. They are claims, not always confirmed breaches. Some victims publicly deny the claim. Some dispute the data sample. Some pay the ransom before the data is published and the post is quietly removed. Treat any hit as a strong lead worth investigating, not as a verdict.
Each result links to two follow-on pages. The per-victim page shows the group's claim, the sector and country we have on record, the posting date, and any data samples the group made public. The per-group profile shows the active leak-site URL where reachable, the full victim history we've captured, sector and country concentration, and posting cadence.
What to do if your company is listed
If you find your organization in the results, move carefully and follow your incident response process. The list below is general guidance, not legal or contractual advice.
- Confirm the post on the group's actual leak site. We link directly. The post may have additional context, data samples, or claimed deadlines that didn't surface in our structured capture.
- Check whether the post mentions data samples, payment deadlines, or contact details. Those details inform how much time you have and what data is allegedly affected.
- Notify your incident response team and legal counsel before any other action. Many incidents trigger regulatory clocks (GDPR, state breach laws, sector regulators) and counsel needs to be in the loop early.
- Don't engage with the group directly through the leak site. If you have cyber insurance, your policy almost certainly requires carrier notification before any negotiation.
- Report the incident. In the U.S., file with CISA at cisa.gov/forms/report and the FBI's Internet Crime Complaint Center at ic3.gov. Outside the U.S., contact your national CERT.
- Consider engaging a ransomware recovery specialist if you don't already have one on retainer. A specialist firm coordinates forensics, negotiation (where permissible), and recovery. Your insurance carrier may have preferred panel firms.
Frequently asked questions
Are these breaches confirmed?
No. A result means a group posted a public claim naming a victim on its leak site. Posts are claims, not always confirmed breaches. Some victims dispute, some pay before publication, and some posts misidentify the target. Treat a hit as a strong lead, not a verdict.
What if my company is listed but I haven't been notified?
Confirm on the group's leak site (we link directly), check the post for samples, deadlines, or contact details, and notify your incident response team and legal counsel before anything else. Don't engage through the leak site. Report to CISA and the FBI's IC3. Consider engaging a recovery specialist.
How current is this data?
Ingested daily from ransomware.live and stored locally in perpetuity from 2026-04-25 onward. New posts typically land within 24 hours of being published on the source leak site. We track over 333 groups and 100+ recent victims at any time.
How is this different from search engines like Google?
Google indexes the public web. Ransomware leak sites are typically on Tor hidden services, go up and down, and are deliberately not indexable. We capture each post at ingestion and keep the structured record (group, victim, sector, country, posting date) even after the original page disappears.
Can I be alerted if my company gets listed?
Yes. Configure a brand monitor with your company name and aliases. New leak-site posts matching your terms trigger alerts by email, Slack, Teams, or webhook depending on your plan. The free plan covers 1 brand monitor; paid plans cover more.
Why search by fragment instead of exact match?
Groups are inconsistent in how they label victims: legal name, brand, domain, subsidiary. Fragment search catches all of those. The trade-off is false positives on common words; for noisy names, search by domain fragment instead.