
OSINT resources for researching ransomware


Last month the US Senate Intelligence Committee proposed the introduction of new legislation to deal with ransomware attacks – basically, to treat them on par with terrorism.

While ransomware is far from being a newly emerging threat, a new trend can be observed in 2024 and probably beyond: ransomware attacks relying on legitimate encryption software, sometimes native to the systems being targeted. There has also been an increase in the abuse of legitimate remote monitoring and management (RMM) tools and remote desktop protocol (RDP) software, with TeamViewer, AnyDesk and ScreenConnect being common examples.

Throughout 2024 there were also accounts of cyber attacks that would previously have resulted in ransomware deployment, but where the attackers skipped that component, stole the data and followed up with a financial extortion demand, so no ransom malware was actually deployed.

As trends change and evolve, so do sources and methods of collecting relevant information.

Currently, OSINT collection techniques can be successfully applied to practically all aspects of ransomware research. Depending on your approach and intelligence collection needs, you might want to be focusing on one or more of the following angles:

  • Threat actor infrastructure – websites and in particular servers that are being used in the ransomware infection chain, from phishing domains and websites used for ransomware distribution to servers used for hosting it and deploying it against victims.
  • Ransomware C2 (Command and Control) servers – specifically used for controlling botnets used in ransomware distribution but also for maintaining communication with the infected machines.
  • General modus operandi intelligence – this pertains to the minutiae of ransomware groups' operations, from their general online presence, communication style, ransom notes, cryptocurrencies and file hashes to the criminal forums where they operate, and more.

So let’s take a look at some really useful OSINT sources for ransomware.

Ransomware related intelligence

  • Ransomlook – a huge repository of ransomware-related content, from forums and markets to leaks, threat actor profiles and more. A must-read for any self-respecting ransomware researcher.
  • DeepdarkCTI – a treasure trove of information on ransomware and adjacent topics.
  • ID Ransomware – an independent researcher blog, often focusing on lesser-known, small-time commodity ransomware.
  • Ransomwatch – a crawler that focuses on hundreds of sites operated by ransomware groups and brings up posts, profiles and general activity associated with those.
  • Ransomwarehelp on Reddit – a community of users sharing information on ransom attacks and attempted attacks, with some useful prevention and mitigation content surfacing from time to time.
  • No More Ransom – a resource from Europol, mentioned on this blog before. Not only does it offer advice on how to avoid ransomware infections, but it gives you free decryption tools for many strains of ransomware that have been reverse engineered by the Europol experts. It comes in handy when you try to find out which ransomware has been neutralised.
  • Ransomware Map – created by the CERT Orange CyberDefense, it contains a visualisation of major ransomware attacks over time. Hopefully they continue to maintain it beyond 2024.
  • Ransom Chat – a ransomware chat viewer that offers unique insights into how threat actors interact with the victims, how the negotiations happen and even some example advice that the threat actors offer to their victims after they have made the ransom payments.

Shodan queries & filters

Shodan is useful for uncovering some of the currently active, public-facing systems infected by various strains of ransomware. Expect to see mainly login screens, although sometimes you can encounter detailed ransom notes too.

One important caveat regarding Shodan queries for ransomware: they most likely will return multiple false positives, like honeypots or hits on IP addresses associated with FTP instances that have since been secured or removed offline.

So here are some useful queries:

  • ransomware – yes, the most basic query – but it does yield results from the get-go.
  • has been encrypted – a general query returning results that contain keywords of interest.
  • "has been encrypted" – a more granular and specific variation of the query above. It will return the exact phrase encapsulated within the quotes, so do customise and adapt your keywords as necessary.
  • "encrypted by" – a general search query that is threat actor agnostic; it contains probably the most commonly used phrase associated with ransomware infections in general. If searching for infections attributed to a specific ransomware group, make sure to insert the name, for example:
    • "encrypted by BlackBit"
  • files stolen – searches for this commonly used phrase that can often be found in ransom notes.
  • "attention"+"encrypted"+port:27017 – ransomware infections of open MongoDB instances.
  • "attention"+"encrypted"+port:3389 – ransomware-infected RDP services. This filter has been around for ages, so at this stage you should expect these results to be honeypots or similar "experimental" targets as opposed to real-life vulnerable machines.

NOTE: All of the above queries can be filtered further by using a very useful has_screenshot:true parameter. Adding it to the query will display only those results that contain a captured screenshot of what was happening on the screen, for example:
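To show how the queries above and the has_screenshot:true filter can be composed, and how returned banners can be triaged against the false positives mentioned earlier, here is an added example in Python (not code from the original post or from Shodan). It assumes Shodan's banner fields ip_str, port, tags, screenshot and data, that honeypot hits carry a "honeypot" tag, and it uses constructed banners with RFC 5737 documentation addresses rather than real hosts.

```python
# Added example (not from the post or Shodan): compose the queries listed above
# and triage results. Banner fields (ip_str, port, tags, screenshot, data) follow
# Shodan's API layout; the 'honeypot' tag check and the banners are assumptions.
import re

def shodan_query(phrase, group=None, port=None, screenshot=True):
    """Exact phrase in quotes, optional group name, port: and has_screenshot:true."""
    terms = [f'"{phrase} {group}"' if group else f'"{phrase}"']
    if port is not None:
        terms.append(f"port:{port}")
    if screenshot:
        terms.append("has_screenshot:true")
    return " ".join(terms)  # Shodan separates filters with spaces

GROUP_RE = re.compile(r"encrypted by ([A-Za-z0-9_-]+)", re.IGNORECASE)

def attribute(banner):
    """Pull the group name that follows 'encrypted by' in the banner text, if any."""
    m = GROUP_RE.search(banner.get("data", ""))
    return m.group(1) if m else None

def triage(banners, require_screenshot=True):
    """Drop honeypot-tagged hits and, optionally, hits without a screenshot;
    return (ip, port, group) tuples for what is left."""
    kept = []
    for b in banners:
        if "honeypot" in {t.lower() for t in b.get("tags", [])}:
            continue
        if require_screenshot and "screenshot" not in b:
            continue
        kept.append((b["ip_str"], b["port"], attribute(b)))
    return kept

# Constructed banners using RFC 5737 documentation addresses, not real hosts.
SAMPLE = [
    {"ip_str": "192.0.2.10", "port": 3389, "tags": ["honeypot"],
     "screenshot": {}, "data": "ATTENTION! Your files have been encrypted by DemoLocker"},
    {"ip_str": "192.0.2.11", "port": 27017, "tags": [],
     "screenshot": {}, "data": "All your data has been encrypted by Demo-Crypt. Files stolen."},
    {"ip_str": "192.0.2.12", "port": 21, "tags": ["ftp"],
     "data": "220 FTP server ready"},
]
```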


Cryptocurrency deposit addresses

The following resources contain a lot of publicly reported crypto deposit addresses that were confirmed (or sometimes only suspected) to be linked to ransomware funds payments:

  • Ransomwhere – a free crowdsourced platform where anybody can provide intelligence on ransomware infection incidents, provided that you have the required evidence (screenshot, ransom note, link). Ransomwhere first featured on the Osint Me blog 3 years ago – and it’s seen an impressive growth in popularity since.
  • Open Sanctions ransomware – this data set is powered by the Ransomwhere API, but it presents the data differently and makes it easier to search.
  • Chainabuse – a crowd-reporting platform for cryptocurrency addresses linked to various forms of malicious activity including ransomware, albeit mixed together with sextortion scams and other forms of online blackmail.
  • BitcoinHeist Ransomware Dataset – a collection of ransomware-related BTC addresses taken from various older reports and academic studies. Pretty old content and not that useful for present-day researchers, but it can be used for historical context.
  • Machine learning-based ransomware classification of Bitcoin transactions – research paper that borrows some of the data from the one mentioned above and attempts to focus on identifying ransomware through machine learning and anomaly detection.
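To illustrate checking a reported deposit address before matching it against data from sources like Ransomwhere, here is an added example in Python; it is not code from the post or from any of the projects listed. It assumes a Ransomwhere-style export layout (a result list of entries with address, family and transactions carrying amount_usd) and uses a constructed dataset whose addresses are derived from dummy hash values, not real indicators.

```python
# Added example (not from the post or Ransomwhere): validate a reported Bitcoin
# address by its Base58Check checksum, then look it up in a Ransomwhere-style
# export. Export layout is an assumption; the dataset is constructed, not real.
import hashlib
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out  # zero bytes -> '1'

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)  # ValueError for non-Base58 characters
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body

def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def p2pkh_address(hash160: bytes, version: int = 0x00) -> str:
    payload = bytes([version]) + hash160
    return b58encode(payload + checksum(payload))

def valid_address(addr: str) -> bool:
    """True only if addr decodes to 25 bytes whose last 4 match the checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    return len(raw) == 25 and checksum(raw[:21]) == raw[21:]
# Constructed export: addresses derived from dummy hash160 values, not real IoCs.
ADDR_A, ADDR_B = p2pkh_address(b"\x01" * 20), p2pkh_address(b"\x02" * 20)
EXPORT = {"result": [
    {"address": ADDR_A, "family": "DemoFamilyA",
     "transactions": [{"amount_usd": 1000.0}, {"amount_usd": 250.5}]},
    {"address": ADDR_B, "family": "DemoFamilyB",
     "transactions": [{"amount_usd": 75.25}]}]}
def lookup(addr: str, export=EXPORT):
    """Family and USD total for a listed address, None if unlisted, error if malformed."""
    if not valid_address(addr):
        raise ValueError("not a valid Base58Check address: " + addr)
    for entry in export["result"]:
        if entry["address"] == addr:
            total = sum(t.get("amount_usd", 0.0) for t in entry["transactions"])
            return {"family": entry["family"], "total_usd": total}
    return None
```

The checksum step matters because a single mistyped character in a shared indicator would otherwise be reported as "not in the dataset" rather than as a bad address.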

Ransomware news & publications

  • CISA Alerts & Advisories – official content from the US Cybersecurity and Infrastructure Security Agency. As one would imagine, there is a lot of content there, so it’s best to use the filters when searching for ransomware news and updates. It’s worth noting that CISA has issued their own Stop Ransomware Guide that covers topics such as ransomware related public safety advice, protection, response, preparation, etc. CISA has also put out some additional and free educational content – check out the last section of the blog post for links.
  • Cyble Blog – general cybersecurity news, with a strong emphasis on ransomware attacks.
  • The Record – decent coverage of cyber crime events, with major ransomware events being regularly reported on.
  • Halcyon Power Rankings – this publication issues quarterly reports of ransomware as a service (RaaS) power rankings. Provides a handy overview of the changing landscape and allows for comparing current and previous ransomware campaigns, threat actors and their modes of operation.
  • Ransom Groups DarkFeed – general quarterly statistics of the most active ransomware groups.

Miscellaneous resources

Purple Academy – contains several free training courses, useful not only for expanding your general cybersecurity knowledge but also for scoring continuing professional education credits (CPEs) if you need those to renew some of your existing certs. At the time of writing, it offers 3 ransomware-related, 1-hour courses that you can register for and that are free:

Showing the Receipts – a recently published academic research paper, co-authored by Jack Cable, who was behind the Ransomwhere project. The synopsis outlines what this paper is about:

“We present novel techniques to identify ransomware payments with low false positives, classifying nearly $700 million in previously-unreported ransomware payments. We publish the largest public dataset of over $900 million in ransomware payments — several times larger than any existing public dataset. We then leverage this expanded dataset to present an analysis focused on understanding the activities of ransomware groups over time. This provides unique insights into ransomware behavior and a corpus for future study of ransomware cybercriminal activity.”

SANS Ransomware Summit – while not a fan of the exorbitantly priced SANS training courses, I do recommend their Summit conferences (I previously spoke at one; here is the link). The Ransomware Summit is a free event and is guaranteed to give you exposure to some very interesting presentations on all aspects of ransomware attacks and investigations. Worth keeping an ear to the ground in anticipation of the 2025 Summit edition.

Countering Ransomware Financing – this is a publication from the Financial Action Task Force (FATF) and it focuses on the financial aspects of laundering the proceeds of ransomware crime:

“The report proposes a number of actions that countries can take to more effectively disrupt ransomware-related money laundering. This includes building on and leveraging existing international cooperation mechanisms, given the transnational nature of ransomware attacks and related laundering.”

BONUS: Learning resources from CISA

Here’s some good & free educational content from the US Cybersecurity and Infrastructure Security Agency – some of it might be a little dated but is largely still very relevant:

NOTE: If you have any suggestions on what else should be added here (genuine free educational resources, NO marketing spam or sponsored articles!), please email me on info@osintme.com.
