The Intelligence Hidden in Ransomware Data

The first half of this year has seen new heights in terms of ransomware victims, with 3,374 victims listed by ransomware leak sites – a 67 percent increase on H1 2024. As well as an increase in the number of victims, the Threat Intelligence team at Searchlight Cyber has also seen a rise in the number of active ransomware groups (a 16 percent increase on H2 2024.)

So what does this mean for organizations and how can insights from the dark web help security teams outpace ransomware groups, and aid remediation after an attack has happened?

This blog ties into the release of our ransomware in H1 report “An Escalation in Attacks.” Download our report to learn more about the development of the ransomware landscape this year.

Gathering intelligence from ransomware groups

One of the quirks of the ransomware model is that while other cybercriminals seek to avoid the limelight, ransomware actors require it. Sometimes they have to post on the dark web, for example to recruit affiliates or to buy initial access that they can exploit. Other times, groups actively court publicity – either for their own egos or to apply pressure on their victims. 

Ransomware groups employ a variety of Tactics, Techniques, and Procedures (TTPs) to maximise their leverage over victims. A particularly effective and very common tactic is the establishment and operation of public-facing extortion or leak sites. These dedicated platforms serve as a pivotal component of their multi-pronged pressure campaigns, primarily designed for public shaming. By publishing sensitive data stolen from compromised organizations, these sites aim to amplify the psychological and reputational pressure on victims, thereby increasing the likelihood of a ransom payment. 

Because of the “public” information that ransomware groups share on the dark web to extort payment, it allows cybersecurity professionals to use dark web monitoring tools such as Searchlight Cyber to delve under the surface of their operations and use the intelligence to form part of their cybersecurity resilience plans. 

The strategic importance of monitoring these extortion and leak sites cannot be overstated. For cybersecurity professionals, incident response teams, and intelligence analysts, consistent surveillance of these platforms offer invaluable insights.

Using the intelligence ransomware groups provide

What information can organizations glean from the activity of ransomware groups?

Gauging activity levels of ransomware groups

The volume and frequency of new victim postings on these sites serve as a barometer of a ransomware group’s operational tempo and success. Spikes in activity can indicate new campaigns, successful breaches, or shifts in targeting strategies. Conversely, a lull might suggest a group is regrouping, retooling, or facing disruption.

Coupling ransomware intelligence with Attack Surface Management

Dark web intelligence becomes even more powerful when paired with Attack Surface Management (ASM). ASM gives organizations a clear view of their exposed assets and vulnerabilities. When combined, they create a powerful feedback loop that enables defenders to prioritize and act on the threats that matter most.

By overlaying a ransomware group’s TTPs with ASM, security teams can quickly identify whether their external attack surface includes the kind of assets ransomware groups are currently exploiting. This allows for faster detection of misconfigurations, outdated services, or exposed credentials that could serve as initial access points.

For example, if intelligence indicates a ransomware group is exploiting a specific VPN vulnerability, ASM can surface any related assets in an organization’s environment, enabling security professionals to patch, segment, or decommission them before they become an open door for ransomware groups.

Similarly, if a ransomware group is pivoting toward a new industry, organizations can align their exposure management and incident response plans accordingly. 

Instead of responding to ransomware incidents after they occur, defenders can close the gaps that attackers are actively scanning for, reducing the attack surface before it’s exploited.

The benefits of ransomware breach analysis and intelligence

For victims of a ransomware attack

In 2025, Searchlight Cyber opted to automate the downloading and processing of breached ransomware victim information, thereby unlocking extensive opportunities from an intelligence and security standpoint. This information can empower end-users with the capability to conduct queries, facilitating security and intelligence operations, and aiding communication strategies during incident response scenarios.

For the organization directly experiencing a ransomware breach, the immediate aftermath is often chaotic. Robust incident response processes are fundamental for mitigating damage and facilitating recovery. A key aspect of this involves meticulously identifying what files have been extracted by the ransomware and gaining a comprehensive understanding of the threat actor’s movements and presence within the breached system. 

Understanding “what was actually leaked?” goes beyond a simple inventory. It demands an in-depth assessment of the type of data compromised and, critically, the sensitivity of its content. Was it personal identifiable information (PII), intellectual property, financial records, or highly confidential strategic documents?

This detailed knowledge is paramount for effective remediation activities. Knowing precisely what information has been leaked enables targeted efforts to secure remaining systems, revoke compromised credentials, and notify affected individuals or entities.

For third-parties, suppliers, and business partnerships

While the direct victim grapples with the immediate aftermath, the ripple effects of a ransomware attack often extend far beyond their organizational boundaries. 

The real security and intelligence benefit of having access to the breached content emerges for those who are a partner or third party to the victim. In scenarios where a business relation has been breached, it is unfortunately common for the affected third parties not to receive a detailed account as to what precisely the threat actor has managed to compromise. 

This lack of transparency, though sometimes unavoidable for the victim due to ongoing investigations or legal constraints, can leave partners in a precarious position. The compromised data could contain highly sensitive documents and confidential content directly related to the third party’s operations, intellectual property, or even their own customers.

Conducting thorough breach analysis gives organizations, and their third parties, a clearer picture of what data has been exposed and how it could be leveraged by attackers. This level of insight is critical as it enables affected parties to respond quickly, contain potential downstream risks, and strengthen their defenses before ransomware groups can exploit the breach further.

Using intelligence to protect critical assets

As ransomware continues to evolve, organizations can no longer afford to treat these attacks as isolated incidents. By combining dark web intelligence, Attack Surface Management, and continuous monitoring, security teams can gain the visibility needed to understand both the ransomware landscape and their own exposure within it. This intelligence-driven approach empowers defenders to act earlier, protect critical assets, and reduce the ripple effects of ransomware, not just for their own organization, but across their entire supply chain.

Haven’t read our new ransomware in H1 2025 report? DOWNLOAD our report to learn more about the development of the ransomware landscape this year.