#ransomware

Ransomware infrastructure (URLs, domains, IPs, hashes) extracted from posts by public security researchers



IOCs by window

  • Today: 2 IOCs tagged #ransomware
  • Week: 13 IOCs tagged #ransomware
  • Month: 42 IOCs tagged #ransomware
  • Year: 1,031 IOCs tagged #ransomware

Counts as of 2026-04-29. Regenerated daily.

About #ransomware

  • Definition: malware that encrypts victim data and demands payment for decryption, typically combined with data-theft extortion ("double extortion"). Encryption itself maps to MITRE ATT&CK T1486 (Data Encrypted for Impact).
  • Common operators / families: LockBit, BlackCat (ALPHV), Akira, Play, Royal, Hive, Conti (legacy), Clop, BianLian. The #ransomware tag covers infrastructure linked to any of these (intrusion C2, data-leak sites, ESXi-targeting components).
  • Detection: EDR rules on file-encryption velocity, OS-vendor anti-tamper protections, immutable backups + air-gapped restore, and infrastructure blocklists for the C2/staging URLs and IPs that precede the encryption phase.
  • References: MITRE ATT&CK T1486 · CISA #StopRansomware · No More Ransom (decryptors).

Recent IOCs tagged #ransomware

Latest 10 IOCs from the past 30 days. Live JSON: api.tweetfeed.live/v1/month/ransomware.



Frequently asked questions

What is ransomware?

Ransomware is malware that encrypts a victim's data and demands payment, usually in cryptocurrency, for the decryption key. Modern operators add data theft and public leaks ("double extortion"), which apply even if the victim restores from backups. Initial access is typically via phishing, exposed RDP, vulnerable VPN appliances or compromised credentials.

Which ransomware operators produce the most IOCs in this feed?

Volume tracks active researcher coverage rather than pure operator output, so high-profile crews (LockBit while active, BlackCat/ALPHV, Akira, Play) tend to dominate. Affiliate-driven RaaS programmes generate more diverse infrastructure than single-team operations, which produces more URLs/IPs to tag.

How is this list updated?

Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. Ransomware-tagged IOCs are surfaced on this page within the next 15-minute tick. The page itself is regenerated daily by a GitHub Action.

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this Ransomware subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

Ransomware IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).