#ransomware

Ransomware infrastructure (URLs, domains, IPs, hashes) extracted from posts by public security researchers


IOCs by window

  • Today: 4 IOCs tagged #ransomware
  • Week: 25 IOCs tagged #ransomware
  • Month: 57 IOCs tagged #ransomware
  • Year: 1,024 IOCs tagged #ransomware

Counts as of 2026-05-20. Regenerated daily.

About #ransomware

  • Definition: malware that encrypts victim data and demands payment for decryption, typically combined with data-theft extortion ("double extortion"). Encryption itself maps to MITRE ATT&CK T1486 (Data Encrypted for Impact).
  • Common operators / families: LockBit, BlackCat (ALPHV), Akira, Play, Royal, Hive, Conti (legacy), Clop, BianLian. The #ransomware tag covers infrastructure linked to any of these (intrusion C2, data-leak sites, ESXi-targeting components).
  • Detection: EDR rules on file-encryption velocity, OS-vendor anti-tamper protections, immutable backups + air-gapped restore, and infrastructure blocklists for the C2/staging URLs and IPs that precede the encryption phase.
  • References: MITRE ATT&CK T1486 · CISA #StopRansomware · No More Ransom (decryptors).

Recent IOCs tagged #ransomware

Latest 10 IOCs from the past 30 days. Live JSON: api.tweetfeed.live/v1/month/ransomware.



Frequently asked questions

What is ransomware?

Ransomware is malware that encrypts a victim's data and demands payment - usually in cryptocurrency - for the decryption key. Modern operators add data theft and public leaks ("double extortion"), so the extortion continues even if the victim restores from backups. Initial access is typically via phishing, exposed RDP, vulnerable VPN appliances or compromised credentials.

Which ransomware operators produce the most IOCs in this feed?

Volume tracks active researcher coverage rather than pure operator output, so high-profile crews (LockBit while active, BlackCat/ALPHV, Akira, Play) tend to dominate. Affiliate-driven RaaS programmes generate more diverse infrastructure than single-team operations, which produces more URLs/IPs to tag.

How is this list updated?

Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. Ransomware-tagged IOCs are surfaced on this page within the next 15-minute tick. The page itself is regenerated daily by a GitHub Action.

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this Ransomware subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

Ransomware IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).