#ransomware

Ransomware infrastructure (URLs, domains, IPs, hashes) extracted from public security researchers

Subscribe (RSS)


IOCs by window

IOCs tagged #ransomware:

  • Today: 0
  • Week: 2
  • Month: 54
  • Year: 1,031

Counts as of 2026-06-09. Regenerated daily.

About #ransomware

  • Definition: malware that encrypts victim data and demands payment for decryption, typically combined with data-theft extortion ("double extortion"). Encryption itself maps to MITRE ATT&CK T1486 (Data Encrypted for Impact).
  • Common operators / families: LockBit, BlackCat (ALPHV), Akira, Play, Royal, Hive, Conti (legacy), Clop, BianLian. The #ransomware tag covers infrastructure linked to any of these (intrusion C2, data-leak sites, ESXi-targeting components).
  • Detection: EDR rules on file-encryption velocity, OS-vendor anti-tamper protections, immutable backups + air-gapped restore, and infrastructure blocklists for the C2/staging URLs and IPs that precede the encryption phase.
  • References: MITRE ATT&CK T1486 · CISA #StopRansomware · No More Ransom (decryptors).

Recent IOCs tagged #ransomware

Latest 10 IOCs from the past 30 days. Live JSON: api.tweetfeed.live/v1/month/ransomware.


Frequently asked questions

What is ransomware?

Ransomware is malware that encrypts a victim's data and demands payment, usually in cryptocurrency, for the decryption key. Modern operators add data theft and public leaks ("double extortion"), which apply even if the victim restores from backups. Initial access is typically via phishing, exposed RDP, vulnerable VPN appliances or compromised credentials.

Which ransomware operators produce the most IOCs in this feed?

Volume tracks active researcher coverage rather than pure operator output, so high-profile crews (LockBit while active, BlackCat/ALPHV, Akira, Play) tend to dominate. Affiliate-driven RaaS programmes generate more diverse infrastructure than single-team operations, which produces more URLs/IPs to tag.

How is this list updated?

Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. Ransomware-tagged IOCs are surfaced on this page within the next 15-minute tick. The page itself is regenerated daily by a GitHub Action.

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this Ransomware subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

Ransomware IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).