Data & Methodology

Ransomwhere.org aggregates data from multiple open-source intelligence feeds to provide a comprehensive view of the ransomware threat landscape. Here's how we do it.

How It Works

Collect

Server-side jobs fetch data from 7 open-source feeds on a scheduled basis. API responses are cached to reduce load and improve performance.

Normalize

Raw data is normalized into consistent formats — country codes mapped to names, timestamps unified, duplicates merged, and data gaps filled.

Present

Data is served via Next.js ISR (Incremental Static Regeneration) with client-side SWR for live updates. Charts and maps render in real-time.

Data Sources

Ransomware.live

Primary

Open-source aggregator tracking 300+ ransomware groups' leak sites on Tor. Provides real-time victim data, group profiles, and historical records.

Endpoints: REST API v2 — /recentvictims, /groups, /groupvictims, /infoRefresh: Every 2 minutes

Visit Source →

Ransomwhere (Jack Cable)

Payments

Open crowdsourced platform tracking Bitcoin payments to known ransomware wallets. Maintained by Jack Cable (CISA). Requires API key.

Endpoints: Payments by family, transaction trackingRefresh: Static snapshot (API key required)

Visit Source →

ID Ransomware

Identification

MalwareHunterTeam's service for identifying ransomware strains from ransom notes or encrypted file samples. Powers our identification tool concept.

Endpoints: Web upload interfaceRefresh: N/A — reference data

Visit Source →

NoMoreRansom.org

Decryptors

Europol-led initiative providing free decryption tools for 180+ ransomware families. We maintain a curated list of available decryptors.

Endpoints: Decryptor catalogRefresh: Curated manually

Visit Source →

abuse.ch (ThreatFox / MalwareBazaar)

IoC Feeds

Community-driven threat intelligence sharing platform. ThreatFox provides Indicators of Compromise (IoCs), MalwareBazaar hosts malware samples.

Endpoints: ThreatFox API, MalwareBazaar API (require free key)Refresh: Reference — requires free auth

Visit Source →

BleepingComputer + The Hacker News

News

RSS feeds from leading cybersecurity news outlets, filtered for ransomware-related content using keyword matching.

Endpoints: RSS/Atom feedsRefresh: Every 10 minutes

Visit Source →

Chainabuse

Blockchain

Platform for reporting and searching cryptocurrency addresses associated with fraud, ransomware, and scams.

Endpoints: Web search interfaceRefresh: Reference link

Visit Source →

Limitations & Caveats

*Victim counts reflect only publicly leaked data on Tor-based leak sites. Actual ransomware impact is significantly higher.
*Payment data uses a static snapshot. Real-time Bitcoin tracking requires authenticated API access to Ransomwhere.
*Country attribution is based on victim organization location, not attacker origin. Attacker attribution is inherently uncertain.
*IoC data from abuse.ch requires a free API key. We link to the source for direct access.

Want to build on this data? Check out our API documentation.

View API Docs →

How It Works

Collect

Server-side jobs fetch data from 7 open-source feeds on a scheduled basis. API responses are cached to reduce load and improve performance.

Normalize

Raw data is normalized into consistent formats — country codes mapped to names, timestamps unified, duplicates merged, and data gaps filled.

Present

Data is served via Next.js ISR (Incremental Static Regeneration) with client-side SWR for live updates. Charts and maps render in real-time.

Data Sources

Ransomware.live

Primary

Open-source aggregator tracking 300+ ransomware groups' leak sites on Tor. Provides real-time victim data, group profiles, and historical records.

Endpoints: REST API v2 — /recentvictims, /groups, /groupvictims, /infoRefresh: Every 2 minutes

Visit Source →

Ransomwhere (Jack Cable)

Payments

Open crowdsourced platform tracking Bitcoin payments to known ransomware wallets. Maintained by Jack Cable (CISA). Requires API key.

Endpoints: Payments by family, transaction trackingRefresh: Static snapshot (API key required)

Visit Source →

ID Ransomware

Identification

MalwareHunterTeam's service for identifying ransomware strains from ransom notes or encrypted file samples. Powers our identification tool concept.

Endpoints: Web upload interfaceRefresh: N/A — reference data

Visit Source →

NoMoreRansom.org

Decryptors

Europol-led initiative providing free decryption tools for 180+ ransomware families. We maintain a curated list of available decryptors.

Endpoints: Decryptor catalogRefresh: Curated manually

Visit Source →

abuse.ch (ThreatFox / MalwareBazaar)

IoC Feeds

Community-driven threat intelligence sharing platform. ThreatFox provides Indicators of Compromise (IoCs), MalwareBazaar hosts malware samples.

Endpoints: ThreatFox API, MalwareBazaar API (require free key)Refresh: Reference — requires free auth

Visit Source →

BleepingComputer + The Hacker News

News

RSS feeds from leading cybersecurity news outlets, filtered for ransomware-related content using keyword matching.

Endpoints: RSS/Atom feedsRefresh: Every 10 minutes

Visit Source →

Chainabuse

Blockchain

Platform for reporting and searching cryptocurrency addresses associated with fraud, ransomware, and scams.

Endpoints: Web search interfaceRefresh: Reference link

Visit Source →

Limitations & Caveats

*Victim counts reflect only publicly leaked data on Tor-based leak sites. Actual ransomware impact is significantly higher.
*Payment data uses a static snapshot. Real-time Bitcoin tracking requires authenticated API access to Ransomwhere.
*Country attribution is based on victim organization location, not attacker origin. Attacker attribution is inherently uncertain.
*IoC data from abuse.ch requires a free API key. We link to the source for direct access.

Want to build on this data? Check out our API documentation.

View API Docs →