Skip to main content

ransomware-victims

The ransomware-victims tool retrieves the latest information on ransomware victims, making it a critical resource within automated security workflows. It helps organizations stay informed about emerging threats and recently disclosed ransomware attacks. The "recent victims" data comes from the public ransomware data leak sites that the upstream source continuously monitors.

Ideal Use Cases & Fit

This tool is particularly effective when you need to quickly gather intelligence on recent ransomware incidents — identifying current trends and assessing the impact on particular sectors or regions over the latest disclosures. It excels at monitoring and situational awareness.

It fetches the most recent ransomware victims (a rolling list of the latest disclosures) and is not an historical archive — you cannot use it to pull a complete list of past incidents for a given period. Because of this, the date filters (newer-than, older-than, last-24h) only narrow the recent results that are already available; they will not retrieve older incidents, and setting an older date range will typically return no data. If you need a full historical list of ransomware incidents (e.g. "all victims in Spain since January 2026"), this tool is not the right fit — reach out to the Labs team for the historical dataset they collect.

Value in Workflows

Integrating the ransomware-victims tool into security workflows enhances situational awareness and threat intelligence capabilities. It can be positioned in early reconnaissance phases to augment existing data about current ransomware threats, as well as in post-processing stages to enrich incident response analyses. The structured JSON output facilitates seamless incorporation into broader data processing pipelines.

The node can run stand-alone — it does not require an input node to be connected. Simply enable the ignore-input parameter (or leave the input unconnected) and configure the filters you need.

Input Data

The input is an optional plaintext file (or plain text) used as a search filter applied to victim names and incident descriptions — for example a victim name, a keyword found in the description, etc.

This makes the input filter a powerful monitoring tool: because the node picks up any incident whose name or description contains your search terms, an organization can feed it the names of clients, subsidiaries, partners, or sectors it wants to keep an eye on. It's ideal for monitoring known entities that might surface on ransomware data leak sites.

Key points to avoid common mistakes:

  • The input is not a country filter. Filtering by country (e.g. Spain) with the input text will return nothing — use the country parameter with a country code instead (see below).
  • If you do not need this name/description filter, enable the ignore-input parameter, or simply run the node without an input connected.
  • When an input file is provided and ignore-input is off, its contents take priority over the search parameter.

Configuration

  • ignore-input: Ignores the input file/text, allowing the node to run stand-alone without any contextual search term.
  • group: Filters results by ransomware group name (e.g. lockbit).
  • country: Limits results to victims in a given country. Must be the ISO country code, not the country name — e.g. Spain is ES, United States is US, France is FR. Using the full country name will return no results.
  • sector: Filters victims by industry sector.
  • search: Custom search query that examines victim names and descriptions (same purpose as the input file).
  • newer-than: Restricts results to victims published after the given date. Only narrows the recent results — does not fetch historical data.
  • older-than: Restricts results to victims published before the given date. Only narrows the recent results — does not fetch historical data.
  • last-24h: Restricts the output to victims disclosed in the last 24 hours.

This structured approach ensures that workflow builders can tailor the tool's function to monitor recent ransomware activity efficiently. Updated: 2026-06-17