Skip to content

Ransomware — Leak Sites

What this is

Modern ransomware groups (LockBit, BlackCat/ALPHV, Akira, Cl0p, RansomHub, and others) operate under a double extortion model:

  1. They encrypt your data.
  2. They exfiltrate a copy before encryption and threaten public release if ransom isn't paid.

For point 2, each group runs its own leak site — a public web resource (usually on Tor, sometimes with a clearnet mirror) where they publish:

  • A list of victims with company names and domains.
  • A countdown to full data publication.
  • "Samples" — screenshots of documents, file trees — as proof that they really had access.
  • After the deadline expires — the full data dump.

Why this matters

If your company appears on a leak site — that's incident in progress. Attackers are already inside, they already have a copy of your data, they're already negotiating with you or preparing to publish. Time window — hours to days before full publication.

Why monitor instead of waiting for the ransom note:

  • Some groups publish a victim before contact as a pressure tactic.
  • The note may land in spam, be sent to the wrong address, or get ignored.
  • A vendor or partner holding your data can also appear on a leak site — that's your third-party risk that nobody else will notify you about.
  • Knowing earlier gives you time to prep PR comms, legal, and regulator notifications (GDPR requires 72 hours).

What we monitor

The platform tracks 30+ of the most active ransomware groups, including:

  • LockBit (3.0 / Black)
  • BlackCat / ALPHV
  • Akira
  • Cl0p
  • 8base
  • Play
  • Medusa
  • RansomHub
  • And others

The list is updated with platform releases based on threat intelligence feeds — new groups appear 1-2 times per month, old ones disappear.

Monitoring covers both Tor versions of sites (through a secured proxy) and clearnet mirrors where they exist.

What we capture on a finding

  • The ransomware group's name.
  • Date the victim appeared on the leak site.
  • Deadline (countdown) to publication.
  • Screenshot of the page at detection time — for archive, because leak sites frequently go down or change.
  • Available samples — if the group published a preview (file tree, document screenshots, ZIP preview), the platform stores them locally for fast investigation of "what exactly do they have."

⚠️ Sample access is restricted by role (incident_responder or above), as they may contain sensitive client data.

Severity

Always Critical. Appearance on a ransomware leak site is an unprecedented situation that always requires immediate response.

What you see in the dashboard

When a finding appears, you immediately receive a critical notification with:

  • The ransomware group's name.
  • Date your company appeared on the site.
  • How much time is left before data publication.
  • Preview of any published samples.
  • Direct links to the leak site page (via Tor onion or mirror).
  • Action checklist: activate IR plan, notify legal, engage outside counsel, prepare regulator notification.

How to connect

The service works out of the box — nothing to set up. All you need is configured DataSources (domain, company name).

What to add to DataSources

For maximum coverage:

  • Your primary domain (yourcompany.com).
  • All subsidiary domains.
  • Full legal company name.
  • Abbreviations and trademarks.
  • Names of recent M&A targets (acquired companies might appear under the old name).

Scan schedule

Recommended — every 6 hours. More frequent — strain on the Tor network without added value, less frequent — you'll miss half a day.

FAQ

How often do new ransomware groups appear? ~1-2 per month. The platform updates the list from threat intelligence feeds — new groups are added automatically with releases.

What if a Tor leak site is offline? Most groups have multiple mirrors. The platform tries them in turn. Temporary downtime of one group doesn't block monitoring of others.

How many false positives? Almost zero — company names are usually unique. To minimize collisions like "Apple" (the company) vs "Apple Bakery" (a victim), in DataSources it's best to add the full legal name rather than a single word.

What to do if we are found? This is an incident-in-progress. Baseline checklist:

  1. Activate your IR plan.
  2. Notify legal and outside counsel.
  3. Inspect logs for signs of active compromise (access often hasn't been lost yet).
  4. Prepare communications for clients and regulators (GDPR — 72 hours!).
  5. Do not pay ransom without consulting legal and law enforcement.