R
Ransomwhere.org
Live MapLatest VictimsGroupsPaymentsTTPsIdentifyNewsData
API
LIVE
Ransomwhere.org

Real-time ransomware intelligence platform. Tracking threat actors, victims, and payments to raise awareness and help defend against ransomware attacks worldwide.

Platform

  • Live Map
  • Latest Victims
  • Groups
  • Payments
  • Identify
  • News

Resources

  • Data & Methodology
  • API Docs
  • NoMoreRansom
  • Ransomware.live
  • CISA Advisories

Data sourced from Ransomware.live API. For informational purposes only.

© 2026 Ransomwhere.org

Data & Methodology

Ransomwhere.org aggregates data from multiple open-source intelligence feeds to provide a comprehensive view of the ransomware threat landscape. Here's how we do it.

How It Works

1

Collect

Server-side jobs fetch data from 7 open-source feeds on a scheduled basis. API responses are cached to reduce load and improve performance.

2

Normalize

Raw data is normalized into consistent formats — country codes mapped to names, timestamps unified, duplicates merged, and data gaps filled.

3

Present

Data is served via Next.js ISR (Incremental Static Regeneration) with client-side SWR for live updates. Charts and maps render in real-time.

Data Sources

Ransomware.live

Primary

Open-source aggregator tracking 300+ ransomware groups' leak sites on Tor. Provides real-time victim data, group profiles, and historical records.

Endpoints: REST API v2 — /recentvictims, /groups, /groupvictims, /infoRefresh: Every 2 minutes
Visit Source →

Ransomwhere (Jack Cable)

Payments

Open crowdsourced platform tracking Bitcoin payments to known ransomware wallets. Maintained by Jack Cable (CISA). Requires API key.

Endpoints: Payments by family, transaction trackingRefresh: Static snapshot (API key required)
Visit Source →

ID Ransomware

Identification

MalwareHunterTeam's service for identifying ransomware strains from ransom notes or encrypted file samples. Powers our identification tool concept.

Endpoints: Web upload interfaceRefresh: N/A — reference data
Visit Source →

NoMoreRansom.org

Decryptors

Europol-led initiative providing free decryption tools for 180+ ransomware families. We maintain a curated list of available decryptors.

Endpoints: Decryptor catalogRefresh: Curated manually
Visit Source →

abuse.ch (ThreatFox / MalwareBazaar)

IoC Feeds

Community-driven threat intelligence sharing platform. ThreatFox provides Indicators of Compromise (IoCs), MalwareBazaar hosts malware samples.

Endpoints: ThreatFox API, MalwareBazaar API (require free key)Refresh: Reference — requires free auth
Visit Source →

BleepingComputer + The Hacker News

News

RSS feeds from leading cybersecurity news outlets, filtered for ransomware-related content using keyword matching.

Endpoints: RSS/Atom feedsRefresh: Every 10 minutes
Visit Source →

Chainabuse

Blockchain

Platform for reporting and searching cryptocurrency addresses associated with fraud, ransomware, and scams.

Endpoints: Web search interfaceRefresh: Reference link
Visit Source →

Limitations & Caveats

  • *Victim counts reflect only publicly leaked data on Tor-based leak sites. Actual ransomware impact is significantly higher.
  • *Payment data uses a static snapshot. Real-time Bitcoin tracking requires authenticated API access to Ransomwhere.
  • *Country attribution is based on victim organization location, not attacker origin. Attacker attribution is inherently uncertain.
  • *IoC data from abuse.ch requires a free API key. We link to the source for direct access.

Want to build on this data? Check out our API documentation.

View API Docs →