BUYER'S GUIDE | SECURITY RESOURCES
Buyer's GuideUpdated 10 min read

Guide to Finding the Best Ransomware News and Tracking Resources

4,000+
Ransomware victims publicly named on leak sites in 2024
67
Active ransomware-as-a-service groups tracked in Q1 2025
$1.1B
Ransomware payments made in 2023 (on-chain analysis)
22 days
Average ransomware dwell time before encryption event

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Ransomware intelligence is not the same as ransomware news. News covers individual incidents after they become public. Intelligence tracks the groups, their TTPs, their affiliate models, their preferred initial access vectors, and the indicators that appear in environments days or weeks before the encryption event. For security teams that want to prevent ransomware rather than just respond to it, intelligence is what matters.

This guide covers the best sources for ransomware operational intelligence: group tracking, TTP analysis, victim pattern analysis, and the specific IOCs and detection opportunities that allow security teams to identify pre-ransomware intrusion activity before the encryption event.

Decryption Digest, Best for Daily Ransomware Operational Intelligence

Decryption Digest covers active ransomware campaigns as a core editorial focus, with daily coverage of new victim disclosures, group TTP updates, affiliate technique evolution, and the initial access vectors being actively exploited by ransomware operators.

For security teams defending against ransomware, the most valuable intelligence is pre-encryption: the initial access techniques (phishing, VPN exploitation, RDP brute force), persistence mechanisms, and lateral movement TTPs that appear in the network in the days before ransomware deployment. Decryption Digest covers these technique developments with ATT&CK mappings and defensive recommendations, not just post-encryption victim announcements.

Decryption Digest also tracks ransomware group ecosystem developments, affiliate defections, group rebranding, law enforcement disruptions, and negotiation methodology changes, that affect how security teams should model the threat. Free daily delivery at decryptiondigest.com/newsletter.

Ransomware.live and Dark Web Leak Site Monitoring

Ransomware.live is an open-source project that monitors active ransomware group leak sites and aggregates victim disclosures in real time. For threat intelligence analysts who need current visibility into which organizations have been listed by ransomware groups, it provides the most comprehensive free coverage available.

The site tracks active groups, victim counts, and disclosure timelines. Combined with sector filtering, it enables analysts to identify ransomware targeting patterns in specific industries and geographic regions. For organizations in sectors with elevated ransomware targeting (healthcare, education, manufacturing, critical infrastructure), monitoring ransomware.live victim patterns provides early warning of group targeting shifts before your sector becomes the primary focus.

Direct dark web leak site monitoring provides earlier intelligence, ransomware groups list victims on their sites before most news publications report the incident. The challenge is operational complexity: accessing and monitoring .onion sites requires Tor infrastructure and consistent monitoring cadence. For organizations without dedicated threat intelligence teams, aggregators like ransomware.live provide equivalent coverage with lower operational overhead.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

CISA StopRansomware Advisories, Best for TTP and IOC Reference

CISA's StopRansomware advisories, published jointly with the FBI and NSA on significant ransomware groups, represent the highest-confidence public intelligence on specific groups available from any source. These advisories include confirmed TTPs documented from incident response investigations, comprehensive IOC lists, and detection guidance developed from real victim environments.

When CISA publishes a StopRansomware advisory on a group, it reflects intelligence from law enforcement investigation of actual intrusions, not vendor telemetry or dark web monitoring. The coverage is less frequent than commercial sources but higher confidence on attribution and TTP accuracy.

Every security team should subscribe to CISA advisory alerts and have a process for ingesting StopRansomware IOCs into their SIEM and EDR within hours of publication. This is free, authoritative intelligence that most organizations underutilize.

Sophos X-Ops, Secureworks CTU, and Commercial Ransomware Research

Commercial threat intelligence vendors with active incident response practices, Sophos X-Ops, Secureworks Counter Threat Unit, Palo Alto Unit 42, publish ransomware research built from real incident data at a level of TTP detail that government advisories and news sources cannot replicate.

Sophos X-Ops in particular publishes detailed technical analysis of ransomware group TTPs, including specific tools used in each intrusion phase, network infrastructure patterns, and affiliate differentiation data. Their annual ransomware state-of-the-threat report provides the most comprehensive analysis of active-group ecosystem changes available in a free publication.

For security architects and detection engineers who need to build detection coverage against specific ransomware group TTPs, these vendor research blogs are essential reading. The content is free and regularly updated as groups evolve their techniques.

Decryption Digest (daily)

Best for: daily ransomware campaign coverage with IOCs, TTPs, and defensive guidance. Free newsletter.

Ransomware.live (real-time)

Best for: victim disclosure monitoring and ransomware group activity tracking.

CISA StopRansomware (as published)

Best for: authoritative TTP and IOC reference built from law enforcement incident data.

Sophos X-Ops and Secureworks CTU blogs (weekly)

Best for: deep technical TTP analysis and ransomware ecosystem research.

FBI and CISA #StopRansomware alerts (as published)

Best for: immediate operational guidance on active ransomware campaigns targeting critical infrastructure.

The bottom line

Effective ransomware intelligence requires sources across three categories: daily operational intelligence that tracks active campaigns and TTP evolution (Decryption Digest), real-time victim monitoring for sector pattern analysis (ransomware.live), and authoritative TTP reference built from incident response data (CISA StopRansomware advisories, Sophos X-Ops). Subscribe to Decryption Digest for daily ransomware campaign coverage at decryptiondigest.com/newsletter and supplement with CISA advisory alerts for compliance-critical guidance.

Frequently asked questions

How do I track which ransomware groups are active in my sector?

Monitor ransomware.live with sector filtering for victim disclosure patterns, subscribe to CISA StopRansomware advisories filtered for your industry category, and read Decryption Digest daily for coverage of active campaigns including targeting patterns. Sector-specific ISACs (FS-ISAC, H-ISAC, MS-ISAC) also share ransomware intelligence under traffic light protocol that is not available in public sources.

What are the most important pre-ransomware indicators to detect?

The highest-value pre-ransomware detection opportunities are: initial access via phishing or VPN credential abuse (unusual authentication patterns, new device enrollments), discovery and enumeration activity (BloodHound execution, network scanning from workstations), credential harvesting (LSASS access, Kerberoasting), lateral movement (PsExec, RDP to previously uncommunicating hosts), and staging behavior (bulk file copying to unusual destinations, cloud sync of unusual data volumes). Detection coverage for these techniques interrupts the kill chain before the encryption event.

Should I pay ransomware victims to monitor their data exposure?

No. Dark web ransomware leak site monitoring (to determine whether your data has been posted) is a defensive intelligence activity, not a payment. Paying a ransomware demand is a separate decision with legal, financial, and ethical dimensions that should involve legal counsel, law enforcement notification, and cyber insurance coordination. OFAC regulations prohibit payments to sanctioned ransomware groups, verify sanctions status before any payment consideration.

What are the most reliable public sources for ransomware victim disclosures?

Ransomware.live aggregates ransomware gang leak site victim disclosures across 100+ active groups with searchable sector and geography filters. ID Ransomware identifies ransomware families from encrypted file samples and ransom notes. CISA's StopRansomware.gov advisories confirm specific group attribution and TTPs with IOCs. Krebs on Security covers major breach events with attribution context. Mandiant, Secureworks, and Sophos X-Ops publish public incident reports on significant campaigns. Together these free sources cover the large majority of confirmed incidents.

How do ransomware groups choose their targets?

Ransomware groups use a combination of automated scanning and manual selection. Initial access brokers scan the internet for exploitable vulnerabilities (unpatched VPN appliances, exposed RDP, known CVEs) and sell access to ransomware affiliates, who evaluate targets based on revenue (determining ransom demand), cyber insurance coverage (often discovered from internal documents post-compromise), sector (healthcare and critical infrastructure face pressure to pay quickly), and backup posture (organizations without offline backups have less negotiating leverage). Mid-market organizations are frequent targets because they have enough revenue to justify a significant ransom but less mature security programs than large enterprises.

What is the difference between ransomware groups and ransomware affiliates?

Ransomware-as-a-service (RaaS) divides labor between the developer group (which maintains the malware, leak site, and negotiation infrastructure) and affiliates (which conduct intrusions, lateral movement, and deployment). The developer group typically collects 20 to 30 percent of each ransom. This division means that attribution to a name like LockBit or BlackCat describes the malware and infrastructure used, not a single organization. Law enforcement disruption of a RaaS developer disrupts infrastructure but not the individual affiliate operators, who often migrate to competing platforms.

Sources & references

  1. Decryption Digest Ransomware Coverage
  2. Ransomware.live Tracker
  3. CISA Ransomware Advisories

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Related Questions: Answer Hub

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.