Ransomware Tracker
Live coverage of active ransomware operations — their leak sites, affiliate movements, victim disclosures, decryptor releases and law-enforcement takedowns. Built from leak-site monitoring, customer-reference interviews and original incident-response reporting.
Latest ransomware coverage
All ransomware news →No ransomware posts yet. Add posts in the "Ransomware" category — they will appear here automatically.
Active groups tracker
| Group | Status | Origin | Primary targets | Victims | First seen |
|---|---|---|---|---|---|
| LockBit | Active | Russia | Manufacturing, Healthcare, Finance | 2,400+ | 2019 |
| BlackCat / ALPHV | Dormant | Russia | Retail, Healthcare, Critical Infra | 900+ | 2021 |
| Cl0p | Active | Russia | MFT software supply chains | 700+ | 2019 |
| Royal | Active | Unknown | Healthcare, Education, Government | 430+ | 2022 |
| Play | Active | Unknown | Mid-market, MSPs | 380+ | 2022 |
| Akira | Active | Unknown | VMware ESXi, mid-market | 350+ | 2023 |
| Medusa | Active | Unknown | Healthcare, Education, Public sector | 300+ | 2022 |
| Black Basta | Active | Russia | Construction, Manufacturing | 550+ | 2022 |
| 8Base | Active | Unknown | SMB, professional services | 250+ | 2022 |
| Hunters Int. | Active | Unknown | Healthcare, Retail | 180+ | 2023 |
What to do in the first 60 minutes
If you suspect ransomware in your environment, the next hour decides recovery time. Follow this 8-step playbook — distilled from incident-response engagements at TCN-tracked breaches.
Read in-depth IR analysis →- Isolate — disconnect affected hosts from network (not power-off).
- Capture — preserve volatile memory, take disk images.
- Notify — engage your IR retainer or designated DFIR firm.
- Communicate — legal counsel, exec team, insurance carrier.
- Investigate — identify initial access vector and dwell time.
- Eradicate — remove persistence; rotate all credentials.
- Recover — restore from offline, verified-clean backups only.
- Report — to authorities (CISA, FBI, ENISA, local CERT).
Get an MDR + IR shortlist in 24h
Active incident or want to retain a responder before you need one? Tell us your environment — we’ll send 3 vetted MDR / DFIR firms that match within 24 hours. Free.
🔐 Inside knowledge of a ransomware op?
Affiliate, victim, IR responder, or law-enforcement source — share securely via Signal, PGP or SecureDrop. Sources are protected absolutely.