We Track 20,000+ Ransomware Victims Across 262 Groups -- Automatically

12 for 12

TJ is a sharp threat intel analyst. Every morning he scrapes the latest ransomware victim postings from dark web leak sites and drops them into our Signal group. Names, groups, timestamps. It's solid work. Manual, but solid.

Last week he posted his daily list. Twelve new victims across several ransomware groups. I checked our database. Every single one was already there. All twelve. We'd ingested them hours before TJ woke up.

That's not a knock on TJ. It's a statement about what happens when you automate collection at scale. A human analyst doing daily scrapes is doing excellent work -- but a daemon that polls every 40 minutes, 24 hours a day, across every known ransomware group simultaneously, will always get there first. The question is what you do with that head start.

What We're Actually Tracking

Our threat-intel-researcher daemon runs on cr-vultr01, managed by PM2, polling the ransomware.live API every 40 minutes around the clock. Every collection cycle pulls the latest victim postings across all active ransomware groups, deduplicates against our existing dataset, and inserts new records into PostgreSQL with full metadata: victim name, group attribution, posting date, country, sector, and data status.

This is not a dashboard that shows you someone else's data. This is our database, our collection, our dedup logic, running on our infrastructure. We own the dataset. We control the refresh rate. When a ransomware group posts a new victim at 2 AM on a Saturday, we have it in our database by 2:40 AM. No human required.

The Akira Problem

On March 24, 2026, the Akira ransomware group posted eight new victims in a single day. Eight organizations, across multiple industries, all dumped onto their leak site within hours of each other. That kind of burst posting is increasingly common -- groups stockpile victims and release them in batches to maximize attention and pressure.

We had all eight within our next collection cycle. No scramble. No manual lookup. No waiting for a threat intel vendor to publish a report about it three days later. The data was just there, sitting in our database alongside the other 1,069 Akira victims we've been tracking since the group first appeared.

Akira is currently the most prolific ransomware operation we track. Over a thousand victims. That single number tells you something about the scale of the problem -- and about why manual tracking simply cannot keep pace.

1,069 victims from a single ransomware group. And that's just one of 262 groups we monitor.

How the Collection Works

Ransomware tracking is one component of a broader automated threat intelligence pipeline. The full system pulls from 23 distinct intelligence sources, including:

• Ransomware.live API -- real-time victim postings from all known leak sites
• RSS feeds -- CISA advisories, vendor security bulletins, vulnerability disclosures
• X/Twitter via Grok -- threat actor chatter, researcher disclosures, zero-day announcements
• Dark web monitoring -- targeted watching for client-specific mentions
• CVE databases -- vulnerability tracking with exploit availability status

The daemon doesn't just collect and store. It cross-references every new victim against our customer watchlists. If a ransomware group posts a victim in the same industry as one of our clients, or in their supply chain, or in their geography, that gets flagged immediately. Not in the next weekly report. Immediately.

Why Automated Beats Manual

TJ's daily scrape is good work. He catches what matters, provides context, and flags the notable hits. But here's the structural problem with manual collection:

• It covers one snapshot per day. Our daemon covers 36 snapshots per day.
• It depends on one person being available. Our daemon runs whether anyone is awake or not.
• It covers the groups TJ knows to check. Our daemon covers all 262, including the ones that just spun up last week.
• It produces a list. Our daemon produces a searchable, cross-referenced, historically complete dataset.
• It takes an analyst's time. Our daemon takes zero human effort after initial setup.

The point is not that manual is bad. The point is that manual is expensive. Every hour TJ spends scraping leak sites is an hour he's not spending on actual investigation, threat hunting, or incident response. Automation frees the human to do what humans are uniquely good at: judgment, context, and creative analysis. The machine handles the tedious, repetitive, high-volume collection.

This is what we mean when we say "Don't replace your people. UPGRADE them." The daemon doesn't replace TJ. It gives TJ his mornings back and hands him a richer dataset to work with when he sits down to do the real analysis.

What We Do With the Data

A database of 20,000 ransomware victims is interesting. What makes it operationally useful is what we layer on top.

DarkWatch monitoring. Every customer has a watchlist. Company names, domains, key vendors, supply chain partners. When any of those terms appear in a ransomware posting -- or anywhere else in our threat intel feeds -- the customer's SOC team gets an alert. Not a weekly summary. An alert.

Weekly threat intel reports. Every week, each customer receives a tailored threat intelligence report. It draws from the ransomware dataset, but also from the research daemon's cyber domain -- 762 research papers on TTPs, detection techniques, and threat actor profiles, with over 3,100 structured findings. The report is filtered for each customer's industry, tech stack, and threat profile. A healthcare client gets different intel than a manufacturing client, because their threat landscapes are different.

Trend analysis. With 20,000+ historical records, we can answer questions that no daily scrape can touch. Which groups are accelerating? Which industries are being targeted disproportionately this quarter versus last? Is there a geographic shift in victimology? When Akira posts eight victims in one day, we can tell you whether that's an anomaly or part of a pattern -- because we have 1,069 data points to compare against.

Incident context. When a customer has an incident, the first question is always "who did this and what do they typically do?" Having a comprehensive database of 262 groups and their victim histories means we can profile a threat actor in minutes, not hours. We know their target preferences, their posting patterns, their typical timeline from initial access to leak site posting.

The Bigger Picture

Ransomware tracking is one of 23 intelligence sources feeding our platform. It's important, but it's not the whole story.

The research daemon's cyber threat intelligence domain has produced 762 papers covering ransomware-as-a-service economics, EDR evasion techniques, identity-based attacks, supply chain compromises, and dozens of other TTP categories. Those papers contain over 3,100 structured, searchable findings. When an analyst is investigating a suspected Akira intrusion, they don't just get "Akira posted 1,069 victims." They get synthesized research on Akira's preferred initial access vectors, their encryption methodology, their negotiation patterns, and their known infrastructure -- all cross-referenced and searchable by meaning through vector embeddings.

That combination -- real-time victim tracking plus deep research context -- is what turns raw data into operational intelligence. A list of victims tells you who got hit. The research tells you how, why, and what to look for in your own environment.

The Math Is Simple

A skilled analyst spending 90 minutes per day on manual ransomware tracking covers one collection cycle per day, for the groups they know to check. Over a year, that's 547 hours of analyst time -- roughly $55,000 in fully loaded labor cost for a senior threat intel role.

Our daemon covers 36 collection cycles per day, across all 262 known groups, with zero human effort. The infrastructure cost is negligible -- it runs on a VPS we already operate for other purposes. The ransomware.live API is freely available.

This is not about cutting headcount. We don't want fewer analysts. We want analysts who spend their time on work that actually requires a human brain: correlating across datasets, hunting for novel threats, advising customers on risk posture, building detection logic. The collection grind should be beneath them. Now it is.

When TJ posted his twelve victims last week and every single one was already in our database, the right reaction wasn't "we beat TJ." It was: "TJ should never have to do that again." His time is worth more than scraping leak sites. The daemon handles the scraping. TJ handles the thinking.

The question isn't whether you can track ransomware manually. The question is whether you should.

We track 20,872 victims across 262 groups. Automatically. Every 40 minutes. Every day. And the dataset gets richer with every cycle.

If your threat intel workflow still involves a human manually checking leak sites every morning, you're paying senior analyst rates for a job a daemon can do better, faster, and without coffee breaks. Free your people to do the work that matters.