Ransomware Leak Sites

Ransomware leak sites are publicity sites where ransomware groups share the details of their latest victims. However, they also play an important role in how these groups orchestrate and monetize their attacks. These sites provide the ransomware operators with a platform to accept payments from the victims, a space to shame them and apply pressure, and somewhere to leak their data if they don't pay.

8Base

8Base uses a variant of Phobos ransomware, modified to append a ".8base" extension. Researchers have also noted that 8Base's leak site bears similarities to the data extortion operation RansomHouse.

Active since April 2022

263 victims as of January 2024

Akira

Akira appears to be a novel ransomware, written in C++, with versions targeting both Windows and Linux systems. It has quickly become one of the most prolific ransomware groups.

Active since March 2023

182 victims as of January 2024

BlackBasta

BlackBasta is a ransomware operation that is notable for its high volume of attacks, use of custom tools, and suspected links to cybercriminal group FIN7.

Active since April 2022

516 victims as of January 2024

Known forum aliases: BlackBasta

BlackCat

The RaaS group BlackCat (also known as ALPHV or Noberus) is believed to include developers and money launderers from the former DarkSide ransomware group, most infamous for the Colonial Pipeline attack.

Active since November 2021

730 victims as of January 2024

Known forum aliases: alphv, BlackCat46, ransom

Cl0p

Cl0p is notable for its approach of using vulnerabilities in supply chain software to target multiple organizations, announcing them in a batch at a later date.

Active since February 2019

538 victims as of January 2024

Known forum aliases: CL0P

LockBit

LockBit was the most active ransomware group by number of listed victims on its dark web leak site in 2022 and 2023. In February 2024 its leak site was seized in Operation Cronos.

Active since September 2019

2,500 victims as of January 2024

Known forum aliases: LockBitSupp and LockBit

Play

Play keeps a fairly low profile on the dark web aside from its leak site: it does not advertise via forum accounts, and it recently had to fend off accusations that it had introduced a RaaS model.

Active since June 2022

328 victims as of January 2024

Rhysida

Rhysida is noteworthy for its focus on organizations in the education industry, followed by those in health care equipment & services, and the public sector.

Active since May 2023

73 victims as of January 2024

Royal

Royal initially used third-party ransomware including BlackCat and Zeon before developing its own malware, written in C++, which infects Windows systems.

Active since September 2022

Inactive since July 2023

179 victims as of January 2024

Vice Society

Vice Society stopped posting victims to its dark web leak site in June 2023 and went offline in December. Some security analysts note similarities in the TTPs of Vice Society and those used by Rhysida.

Active since May 2021

Inactive since June 2023

181 victims as of January 2024
