#ransomware

Ransomware infrastructure (URLs, domains, IPs, hashes) extracted from public security researchers

IOCs by window

  • Today: 0 IOCs tagged #ransomware
  • Week: 5 IOCs tagged #ransomware
  • Month: 32 IOCs tagged #ransomware
  • Year: 963 IOCs tagged #ransomware

Counts as of 2026-06-29. Regenerated daily.

About #ransomware

  • Definition: malware that encrypts victim data and demands payment for decryption, typically combined with data-theft extortion ("double extortion"). Encryption itself maps to MITRE ATT&CK T1486 (Data Encrypted for Impact).
  • Common operators / families: LockBit, BlackCat (ALPHV), Akira, Play, Royal, Hive, Conti (legacy), Clop, BianLian. The #ransomware tag covers infrastructure linked to any of these (intrusion C2, data-leak sites, ESXi-targeting components).
  • Detection: EDR rules on file-encryption velocity, OS-vendor anti-tamper protections, immutable backups + air-gapped restore, and infrastructure blocklists for the C2/staging URLs and IPs that precede the encryption phase.
  • References: MITRE ATT&CK T1486 · CISA #StopRansomware · No More Ransom (decryptors).

Recent IOCs tagged #ransomware

Latest 10 IOCs from the past 30 days. Live JSON: api.tweetfeed.live/v1/month/ransomware.


Frequently asked questions

What is ransomware?

Ransomware is malware that encrypts a victim's data and demands payment, usually in cryptocurrency, for the decryption key. Modern operators add data theft and public leaks ("double extortion"), which apply even if the victim restores from backups. Initial access is typically via phishing, exposed RDP, vulnerable VPN appliances or compromised credentials.

Which ransomware operators produce the most IOCs in this feed?

Volume tracks active researcher coverage rather than pure operator output, so high-profile crews (LockBit while active, BlackCat/ALPHV, Akira, Play) tend to dominate. Affiliate-driven RaaS programmes generate more diverse infrastructure than single-team operations, which produces more URLs/IPs to tag.

How is this list updated?

Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. Ransomware-tagged IOCs are surfaced on this page within the next 15-minute tick. The page itself is regenerated daily by a GitHub Action.

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this Ransomware subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

Ransomware IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).