About RansomLook

Open-source project providing real‑time ransomware intelligence: tracked groups, posts, mirrors, forums, and more.

What is RansomLook?

RansomLook is an open‑source project aimed at assisting users in tracking ransomware‑related posts and activities across various sites and forums.

The main components include:

  • Blog monitoring and victim extraction
  • Forum monitoring (parsing is not available)
  • Overview of Ransomware Notes
  • Tracking leaks from public sources
  • Leak tracking from RecordedFuture provider (private API required)
  • Monitoring of various known Bitcoin wallets

Who uses RansomLook?

RansomLook is built for, and used by:

  • SOC / IR teams — spotting victims in real time, correlating outbound traffic with known ransomware mirrors during incident response.
  • CTI analysts — tracking group activity, emergence of new actors, infrastructure churn, and producing trend reports.
  • CSIRTs / national CERTs — building situational awareness and notifying constituents when they appear in a leak post.
  • Security researchers — studying the ransomware ecosystem over time via open data and the API.
  • Journalists — verifying claims, confirming victim disclosures, and grounding reporting in public evidence.

Getting started

Start from the page that matches your use case:

  • Incident response: /recent  ·  /urls (check if a URL you observed matches a tracked mirror).
  • CTI / trend analysis: /stats  ·  /hot (trending groups).
  • Directory / lookup: /browse (all groups, markets, actors).
  • Automation / integration: API documentation  ·  RSS feed.
  • Self-hosting: GitHub repository (Docker compose & Poetry instructions in the README).

Data freshness

RansomLook scrapes tracked DLS / forums on a continuous loop: mirror availability, post lists and screenshots are refreshed multiple times per day. The homepage shows a live delta for the last 7 days so you can judge activity at a glance; /stats exposes the full aggregation controls.

Sources are open-by-design: we track what is publicly claimed on leak sites. Claims from operators are not independently verified against victim confirmations — always treat a post as a claim until corroborated elsewhere.

Is it free?

Yes, it is free—and more importantly, it is open‑source.

RansomLook is licensed under the GNU Affero General Public License (AGPL) v3.0.

How can I follow new posts?

There are various ways to stay updated with new posts:

There is NO official Telegram Channel!

Want to be part of the RansomLook community?

Join us in making RansomLook even better! Here's how you can contribute:

  • Create an issue on our GitHub repository
  • Submit pull requests with new features or improvements
  • Share new sources of DLS (Darknet Leak Sites)
  • Report any bugs you come across
  • Suggest new functionalities that could enhance RansomLook
  • Follow us on LinkedIn and be part of the community

Credits & Thanks

RansomLook is maintained by Alexandre Dulaunoy and Fafner [_KeyZee_].

We thank Tammy Harper for her contributions to adding new groups and her regular feedback to improve the project.

We thank Katya Kandratovich, core team member, for her contributions and dedication to the project.

We warmly thank Ecrime.ch for its feedback and sharing on the group.

We sincerely thank Onyphe.io for providing us with a CTIScan API key to hunt for new servers and new groups.

We also thank Ransom-ISAC. Ransom-ISAC takes a left-field, unique approach to threat intelligence by building a community-driven, vendor-neutral ecosystem focused on openness and collaboration. It connects defenders of all sizes to share actionable ransomware insights in a trusted, transparent space, strengthening global resilience through collective knowledge and shared purpose.

Main members of RansomLook have an opportunity to earn a LOCKSTAR. The LOCK STAR Initiative empowers researchers, cybersecurity professionals, and enthusiasts to share their knowledge and intelligence through blogs, conference presentations, and active community contributions. By creating space for open collaboration and knowledge exchange, the initiative encourages diverse voices to contribute insights, tools, and real-world experiences — strengthening collective understanding and resilience against ransomware and other evolving cyber threats.

The original code was based on RansomWatch.

External data sources

  • Breadcrumbs for cryptocurrency transaction enrichment
  • Ransomwhe.re for cryptocurrency addresses
  • ThreatLabz for the RansomNotes
  • leak-lookup for public leaks

Usage of the API and License

All content provided by ransomlook.io — including the website, API responses, and datasets — is made available under the Creative Commons Attribution 4.0 International (CC BY 4.0) license.

You are free to share and adapt the material for any purpose, even commercially, provided that appropriate credit is given.