Ransomware Tracker — Active Groups, Victims & TTPs
Live ransomware threat tracker monitoring active ransomware groups, recent victim disclosures from leak sites, ransomware-as-a-service affiliate programmes, and group-level tactics, techniques and procedures (TTPs).
- Active ransomware groups — live status of known RaaS operators, affiliates, and emerging threat actors
- Victim disclosures — recent victims published to ransomware leak sites, updated within hours of publication
- Group TTPs — MITRE ATT&CK-mapped techniques used by each ransomware group for detection engineering
- Affiliate programmes — tracked RaaS platforms, recruitment activity, and affiliate tooling changes
- Industry targeting — ransomware targeting patterns by sector, geography, and company revenue tier
The Ransomware-as-a-Service Ecosystem: Groups, Affiliates, and Infrastructure
Modern ransomware operates as an industrialised criminal service business. Core ransomware groups — often referred to as RaaS operators — develop and maintain the ransomware payload, the encryption mechanism, the victim negotiation infrastructure, and the leak site. Affiliates are independent cybercriminal actors who pay a percentage of ransom proceeds to the operator in exchange for access to the tooling and infrastructure needed to conduct attacks. This separation means that law enforcement takedowns of operators often temporarily displace affiliates to competing platforms rather than ending the criminal activity. Understanding the RaaS ecosystem is essential context for interpreting ransomware threat intelligence and tracking which groups pose the highest risk to specific sectors.
- RaaS operator profiles — core group technical capabilities, infrastructure, and operational history
- Affiliate ecosystem mapping — which affiliate groups operate under which RaaS platforms at any given time
- Operator takedown impact — how law enforcement actions against operators affect affiliate redistribution patterns
- Revenue sharing models — typical affiliate percentage splits and how they influence affiliate group quality
- Successor group tracking — monitoring when a disrupted group reconstitutes under a new name or brand
Victim Disclosure Monitoring: Leak Sites and Dark Web Tracking
Most major ransomware groups operate leak sites on the dark web where they publish the names of non-paying victims and progressively release stolen data. Monitoring these leak sites gives early warning of ransomware attacks against organisations — often before the victim's own public disclosure — and shows which sectors and geographies are actively being targeted. The Threatstealth ransomware tracker monitors all known active leak sites and surfaces new victim postings within hours of publication, giving security teams near-real-time awareness of ransomware attack activity across the global threat landscape.
- Active leak site monitoring — all known ransomware group dark web leak sites monitored continuously
- New victim alerts — notifications when new victims are posted to any monitored leak site
- Sector targeting patterns — victim industry analysis enabling sector-specific ransomware risk assessment
- Geographic targeting trends — victim country distribution by ransomware group showing geographic targeting preferences
- Data disclosure escalation tracking — monitoring progressive data release for victims who have not paid ransom
MITRE ATT&CK-Mapped Ransomware Group TTPs for Detection Engineering
Each ransomware group profile in the Threatstealth tracker includes a MITRE ATT&CK technique mapping documenting the tactics, techniques, and procedures observed across historical campaign analysis. These TTP mappings are directly usable for detection engineering — identifying which ATT&CK techniques used by a specific group are not currently covered by existing SIEM detection rules enables targeted rule development that specifically reduces the group's detection evasion advantage. For organisations in sectors heavily targeted by a specific group, reviewing that group's TTP profile and cross-referencing against current detection rule coverage is one of the highest-value proactive security activities available.
- ATT&CK technique coverage per group — all observed techniques mapped to MITRE ATT&CK tactic categories
- Initial access methods — phishing, vulnerability exploitation, credential abuse, and supply chain compromise patterns
- Defence evasion techniques — process injection, LOLBins usage, AV bypass, and log clearing observed per group
- Lateral movement patterns — credential harvesting, RDP abuse, and network share enumeration techniques by group
- Detection gap analysis — cross-referencing group TTPs against current SIEM rule coverage to identify monitoring gaps
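The detection gap analysis described above, as an added example that is not Threatstealth's code: a group's ATT&CK TTP profile (constructed; the technique IDs are real ATT&CK identifiers but their attribution to this hypothetical group is made up) is cross-referenced against a constructed Sigma-style SIEM rule set, and the techniques with no enabled rule are reported per tactic. It assumes rules carry `attack.tNNNN` tags and that a rule on a parent technique counts as coverage for its sub-techniques.

```python
"""Detection-gap analysis: a ransomware group's ATT&CK TTP profile checked against
the techniques an enabled SIEM rule set actually covers. Added example, not the
tracker's own code; the group profile and the rules below are constructed."""

# Constructed TTP profile for a hypothetical RaaS group (tactic -> technique IDs).
GROUP_TTPS = {
    "initial-access": ["T1566.001", "T1190", "T1078"],
    "credential-access": ["T1003.001"],
    "defense-evasion": ["T1055", "T1070.001", "T1562.001"],
    "lateral-movement": ["T1021.001"],
    "discovery": ["T1135"],
    "impact": ["T1486", "T1490"],
}

# Constructed SIEM rules in a Sigma-like shape: tags carry 'attack.tNNNN' markers.
SIEM_RULES = [
    {"title": "Event log cleared", "tags": ["attack.defense-evasion", "attack.t1070.001"], "enabled": True},
    {"title": "LSASS memory access", "tags": ["attack.credential-access", "attack.t1003.001"], "enabled": True},
    {"title": "Process injection", "tags": ["attack.t1055"], "enabled": False},  # disabled: no coverage
    {"title": "Shadow copy deletion", "tags": ["attack.impact", "attack.t1490"], "enabled": True},
    {"title": "Phishing attachment", "tags": ["attack.t1566"], "enabled": True},  # parent-level rule
]

def covered_techniques(rules):
    """Set of technique IDs that have at least one enabled rule tagged for them."""
    covered = set()
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        for tag in rule["tags"]:
            name = tag.removeprefix("attack.").upper()
            if name.startswith("T") and name[1:].replace(".", "").isdigit():
                covered.add(name)
    return covered

def is_covered(technique, covered):
    """Assumption: a rule on the parent technique also covers its sub-techniques.
    Use exact matching instead for a stricter audit."""
    return technique in covered or technique.split(".")[0] in covered

def detection_gaps(group_ttps, rules):
    """Return {tactic: [uncovered technique IDs]} for tactics with at least one gap."""
    covered = covered_techniques(rules)
    gaps = {}
    for tactic, techniques in group_ttps.items():
        missing = sorted(t for t in techniques if not is_covered(t, covered))
        if missing:
            gaps[tactic] = missing
    return gaps

if __name__ == "__main__":
    for tactic, missing in detection_gaps(GROUP_TTPS, SIEM_RULES).items():
        print(f"{tactic}: no enabled rule for {', '.join(missing)}")
```

Disabled rules are deliberately excluded, since a rule that exists but does not fire is a common source of false confidence in coverage reviews.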
Using Ransomware Threat Intelligence for Proactive Defence
Ransomware threat intelligence is most valuable when it drives proactive defensive actions before an attack occurs — not as a retrospective report after a victim is named on a leak site. Security teams serving sectors with elevated ransomware targeting should review the tracker's industry filter weekly, identify the top active groups targeting their sector, review those groups' initial access methods, and validate that current controls address the most common entry points. For example, if a group predominantly gains initial access through unpatched VPN vulnerabilities, cross-referencing their CVE targeting history against the organisation's VPN asset inventory and patch status is an immediate actionable intelligence use case.
- Sector-specific group identification — filtering the tracker by industry to identify groups most active in your sector
- Initial access cross-reference — mapping a group's known initial access CVEs against your own unpatched asset inventory
- Phishing template awareness — identifying group-specific phishing lure themes for targeted security awareness training
- Tabletop scenario development — using group-specific TTPs to design realistic incident response tabletop exercises
- Threat model updates — incorporating active group intelligence into the organisation's formal threat model quarterly
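The VPN use case described above, as an added example that is not Threatstealth's code: a group's initial-access CVE history is cross-referenced against a VPN asset inventory and patch status. The CVE identifiers are labelled placeholders, and the products, versions and hostnames are all constructed; it assumes each CVE record carries the affected product and the first fixed version, and that the inventory records a version (or None when the scanner could not read one).

```python
"""Cross-reference a ransomware group's initial-access CVE history against a VPN
asset inventory. Added example, not the tracker's own code; CVE IDs are placeholders
and every product, version and host below is constructed."""

# Constructed: the group's observed initial-access CVEs (placeholder IDs, not real CVEs).
GROUP_INITIAL_ACCESS_CVES = [
    {"cve": "CVE-0000-PLACEHOLDER-A", "product": "ExampleVPN Gateway", "fixed_in": "9.1.4"},
    {"cve": "CVE-0000-PLACEHOLDER-B", "product": "ExampleVPN Gateway", "fixed_in": "9.2.0"},
    {"cve": "CVE-0000-PLACEHOLDER-C", "product": "OtherVPN Concentrator", "fixed_in": "4.10"},
]

# Constructed VPN asset inventory; version None means the scanner could not read it.
VPN_ASSETS = [
    {"host": "vpn-edge-01", "product": "ExampleVPN Gateway", "version": "9.1.2", "internet_facing": True},
    {"host": "vpn-edge-02", "product": "ExampleVPN Gateway", "version": "9.2.1", "internet_facing": True},
    {"host": "vpn-lab-01", "product": "ExampleVPN Gateway", "version": "9.1.4", "internet_facing": False},
    {"host": "vpn-dc-01", "product": "OtherVPN Concentrator", "version": None, "internet_facing": True},
]

def parse_version(text):
    """Turn '9.1.4' into (9, 1, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def exposed_assets(cves, assets):
    """One finding per (asset, CVE) where the asset runs the affected product below the
    fixed version; assets with an unreadable version are reported as 'verify'."""
    findings = []
    for asset in assets:
        for cve in cves:
            if asset["product"] != cve["product"]:
                continue
            if asset["version"] is None:
                status = "verify"          # cannot prove patched: treat as open work
            elif parse_version(asset["version"]) < parse_version(cve["fixed_in"]):
                status = "exposed"
            else:
                continue                   # at or above the fixed version
            findings.append({"host": asset["host"], "cve": cve["cve"], "status": status,
                             "priority": "P1" if asset["internet_facing"] else "P3"})
    # Internet-facing, confirmed-exposed hosts first: that is the group's entry point.
    return sorted(findings, key=lambda f: (f["priority"], f["status"] != "exposed", f["host"]))

if __name__ == "__main__":
    for f in exposed_assets(GROUP_INITIAL_ACCESS_CVES, VPN_ASSETS):
        print(f"{f['priority']} {f['host']:12} {f['cve']:26} {f['status']}")
```

Numeric version comparison matters here: comparing "9.10.0" to "9.9.9" as strings would wrongly mark the newer build as vulnerable.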