API & Open Data

All data on Ransomwhere.org is sourced from open intelligence feeds. Use our proxy API for convenience or go directly to the upstream sources below.

Ransomwhere.org API

Base URL: https://ransomwhere.org — All endpoints return JSON. No authentication required. Data is cached server-side.

GET

/api/stats

Global statistics — total victims, groups, attacks, last update timestamp.

{ "Victims": { "Numbers": 25835 }, "Groups": { "Numbers": 319 }, "Cyberattacks": { "Number": 3213 } }

Cache: 60s

GET

/api/victims

Recent victim entries (last 100). Each includes victim name, group, country, sector, and discovery date.

[{ "victim": "...", "group": "lockbit3", "country": "US", "discovered": "2024-..." }]

Cache: 120s

GET

/api/groups

All tracked ransomware groups with profiles, leak site locations, and status.

[{ "name": "lockbit3", "locations": [...], "profile": [...] }]

Cache: 30min

GET

/api/groups/:slug

Detail for a specific group including all victims attributed to that group.

{ "group": {...}, "victims": [...] }

Cache: 10min

GET

/api/news

Latest ransomware news from BleepingComputer and The Hacker News RSS feeds, filtered by ransomware keywords.

[{ "title": "...", "link": "...", "pubDate": "...", "source": "BleepingComputer" }]

Cache: 10min

Upstream Data Sources

These are the original APIs and feeds that power Ransomwhere.org. Some require free API keys — registration details linked below.

Ransomware.live API v2

Primary data source for all victim and group data.

Base: https://api.ransomware.live/v2Auth: None (free, open)

Docs →

Ransomwhere API

Bitcoin payment tracking. Contact for API access.

Base: https://api.ransomwhe.re/v1Auth: API key required (free)

Docs →

ThreatFox (abuse.ch)

IoC feed for ransomware-associated indicators.

Base: https://threatfox-api.abuse.ch/api/v1Auth: API key required (free at auth.abuse.ch)

Docs →

MalwareBazaar (abuse.ch)

Malware sample repository for ransomware binaries.

Base: https://mb-api.abuse.ch/api/v1Auth: API key required (free at auth.abuse.ch)

Docs →

Usage & Attribution

All data is provided for research and educational purposes. When using data from Ransomwhere.org, please attribute the original data sources listed above.

Rate limits: Our API is cached at the intervals shown above. For higher-frequency access, use the upstream APIs directly with your own API keys.

Ransomwhere.org API

Base URL: https://ransomwhere.org — All endpoints return JSON. No authentication required. Data is cached server-side.

GET

/api/stats

Global statistics — total victims, groups, attacks, last update timestamp.

{ "Victims": { "Numbers": 25835 }, "Groups": { "Numbers": 319 }, "Cyberattacks": { "Number": 3213 } }

Cache: 60s

GET

/api/victims

Recent victim entries (last 100). Each includes victim name, group, country, sector, and discovery date.

[{ "victim": "...", "group": "lockbit3", "country": "US", "discovered": "2024-..." }]

Cache: 120s

GET

/api/groups

All tracked ransomware groups with profiles, leak site locations, and status.

[{ "name": "lockbit3", "locations": [...], "profile": [...] }]

Cache: 30min

GET

/api/groups/:slug

Detail for a specific group including all victims attributed to that group.

{ "group": {...}, "victims": [...] }

Cache: 10min

GET

/api/news

Latest ransomware news from BleepingComputer and The Hacker News RSS feeds, filtered by ransomware keywords.

[{ "title": "...", "link": "...", "pubDate": "...", "source": "BleepingComputer" }]

Cache: 10min

Upstream Data Sources

These are the original APIs and feeds that power Ransomwhere.org. Some require free API keys — registration details linked below.

Ransomware.live API v2

Primary data source for all victim and group data.

Base: https://api.ransomware.live/v2Auth: None (free, open)

Docs →

Ransomwhere API

Bitcoin payment tracking. Contact for API access.

Base: https://api.ransomwhe.re/v1Auth: API key required (free)

Docs →

ThreatFox (abuse.ch)

IoC feed for ransomware-associated indicators.

Base: https://threatfox-api.abuse.ch/api/v1Auth: API key required (free at auth.abuse.ch)

Docs →

MalwareBazaar (abuse.ch)

Malware sample repository for ransomware binaries.

Base: https://mb-api.abuse.ch/api/v1Auth: API key required (free at auth.abuse.ch)

Docs →

Usage & Attribution

All data is provided for research and educational purposes. When using data from Ransomwhere.org, please attribute the original data sources listed above.

Rate limits: Our API is cached at the intervals shown above. For higher-frequency access, use the upstream APIs directly with your own API keys.